[GTK] UI process crash when the screensaver DBus proxy is being created while the...
author carlosgc@webkit.org <carlosgc@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 30 Nov 2015 09:39:49 +0000 (09:39 +0000)
committer carlosgc@webkit.org <carlosgc@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 30 Nov 2015 09:39:49 +0000 (09:39 +0000)
https://bugs.webkit.org/show_bug.cgi?id=151653

Reviewed by Martin Robinson.

We correctly cancel the proxy creation, but when the async ready
callback is called, the view could be destroyed already. In that
case g_dbus_proxy_new_for_bus_finish() will return nullptr and
fail with cancelled error, but we are using the passed web view
without checking first if the creation failed or not.

* UIProcess/API/gtk/WebKitWebViewBase.cpp:
(screenSaverProxyCreatedCallback):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@192792 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit2/ChangeLog
Source/WebKit2/UIProcess/API/gtk/WebKitWebViewBase.cpp

index 28e773d..45c071e 100644 (file)
@@ -1,3 +1,19 @@
+2015-11-30  Carlos Garcia Campos  <cgarcia@igalia.com>
+
+        [GTK] UI process crash when the screensaver DBus proxy is being created while the web view is destroyed
+        https://bugs.webkit.org/show_bug.cgi?id=151653
+
+        Reviewed by Martin Robinson.
+
+        We correctly cancel the proxy creation, but when the async ready
+        callback is called, the view could be destroyed already. In that
+        case g_dbus_proxy_new_for_bus_finish() will return nullptr and
+        fail with cancelled error, but we are using the passed web view
+        without checking first if the creation failed or not.
+
+        * UIProcess/API/gtk/WebKitWebViewBase.cpp:
+        (screenSaverProxyCreatedCallback):
+
 2015-11-28  Tim Horton  <timothy_horton@apple.com>
 
         Stop unnecessarily copying WKWebViewConfiguration in a few places
index 939879e..dadb1f6 100644 (file)
@@ -1170,11 +1170,15 @@ static void webkitWebViewBaseSendInhibitMessageToScreenSaver(WebKitWebViewBase*
 
 static void screenSaverProxyCreatedCallback(GObject*, GAsyncResult* result, WebKitWebViewBase* webViewBase)
 {
-    WebKitWebViewBasePrivate* priv = webViewBase->priv;
-    priv->screenSaverProxy = adoptGRef(g_dbus_proxy_new_for_bus_finish(result, nullptr));
-    if (!priv->screenSaverProxy)
+    // WebKitWebViewBase cancels the proxy creation on dispose, which means this could be called
+    // after the web view has been destroyed and g_dbus_proxy_new_for_bus_finish will return nullptr.
+    // So, make sure we don't use the web view unless we have a valid proxy.
+    // See https://bugs.webkit.org/show_bug.cgi?id=151653.
+    GRefPtr<GDBusProxy> proxy = adoptGRef(g_dbus_proxy_new_for_bus_finish(result, nullptr));
+    if (!proxy)
         return;
 
+    webViewBase->priv->screenSaverProxy = proxy;
     webkitWebViewBaseSendInhibitMessageToScreenSaver(webViewBase);
 }
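
Review bot: In screenSaverProxyCreatedCallback the call `g_dbus_proxy_new_for_bus_finish(result, nullptr)` discards the GError, so the `if (!proxy)` check cannot tell a cancelled creation (view possibly destroyed) from a genuine D-Bus failure (view still alive), and both return silently. The lifetime safety of the later `webViewBase->priv->screenSaverProxy = proxy;` also rests entirely on the assumption, stated only in the comment, that a non-null proxy means the view has not been disposed. Consider passing a GError out-parameter, returning without touching webViewBase when `g_error_matches(error, G_IO_ERROR, G_IO_ERROR_CANCELLED)` holds, and logging any other error so a broken screensaver inhibit does not go unnoticed. A test that destroys the view while the proxy creation is still pending would keep this from regressing.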