fix(macos): prevent use-after-free in stop_task on macOS 11 during WKWebView dealloc#1734
Open
x93008 wants to merge 2 commits into
Conversation
macOS 11 WebKit bug: during WKWebView dealloc, stopAllTasksForPage calls stop_task with already-freed task pointers. Any access (including the implicit objc_release from objc2 reference types) causes SIGSEGV.

Fix:
- stop_task: use raw pointers (*mut AnyObject) instead of objc2 references to skip automatic retain/release. Body is no-op since task is invalid.
- start_task response handler: explicit drop(webview) before drop(task) to ensure correct deallocation order.
force-pushed from 2c26a8b to e8cf34d
Tested Platforms: All platforms pass without crash.
force-pushed from e8cf34d to 9be1a6b
macOS 11 WebKit bug: during WKWebView dealloc, stopAllTasksForPage calls stop_task with already-freed task pointers. Any access (including the implicit objc_release from objc2 reference types) causes SIGSEGV.

Fix:
- stop_task: use raw pointers (*mut AnyObject) instead of objc2 references to skip automatic retain/release. Body is no-op since task is invalid.
- start_task response handler: explicit drop(webview) before drop(task) to ensure correct deallocation order.

closes #1733
Details
On macOS 11, WebKit's internal stopAllTasksForPage (triggered during [WKWebView dealloc]) passes already-freed WKURLSchemeTask pointers to the webView:stopURLSchemeTask: callback. Using objc2 reference types (&WryWebView, &ProtocolObject<dyn WKURLSchemeTask>) triggers implicit objc_retain on entry, which crashes on the freed pointer.

The explicit drop ordering (drop(webview) before drop(task)) prevents a scenario where dropping Retained<WryWebView> on a worker thread triggers dealloc → stopAllTasksForPage → stop_task, while the task reference is still alive in the closure.

This is the same class of race condition reported in tauri-apps/tauri#11516 (macOS 15) and #1730.
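Added example, not part of this PR or of wry's code: the drop-ordering argument above, modelled in plain Rust so it can be run without objc2 or macOS. `WebView`, `SchemeTask` and `stop_task` are stand-ins for WKWebView, WKURLSchemeTask and the `webView:stopURLSchemeTask:` callback; a `Weak` that fails to upgrade stands for the dangling raw pointer WebKit hands to `stop_task` in the real runtime. The function returns the event log for either drop order so the difference can be asserted on.

```rust
// Added example (not wry code): models the ObjC ownership relationships from
// the PR description with Rc/Weak so the drop-order hazard is observable.
use std::cell::RefCell;
use std::rc::{Rc, Weak};

type Log = Rc<RefCell<Vec<String>>>;

/// Stand-in for a WKURLSchemeTask. Dropping it models the object being freed.
struct SchemeTask {
    id: u32,
    log: Log,
}

impl Drop for SchemeTask {
    fn drop(&mut self) {
        self.log.borrow_mut().push(format!("task {} freed", self.id));
    }
}

/// Stand-in for WKWebView. Like WebKit's page it keeps non-owning references
/// to in-flight tasks and stops all of them when it is deallocated.
struct WebView {
    tasks: RefCell<Vec<Weak<SchemeTask>>>,
    log: Log,
}

impl WebView {
    fn start_task(&self, task: &Rc<SchemeTask>) {
        self.tasks.borrow_mut().push(Rc::downgrade(task));
    }

    /// Models webView:stopURLSchemeTask:. A failed upgrade is the analogue of
    /// receiving a pointer to already-freed memory.
    fn stop_task(&self, task: &Weak<SchemeTask>) {
        let msg = match task.upgrade() {
            Some(t) => format!("stop_task(task {}): live", t.id),
            None => "stop_task: task already freed (use-after-free in the real runtime)".to_string(),
        };
        self.log.borrow_mut().push(msg);
    }
}

impl Drop for WebView {
    /// Models [WKWebView dealloc] -> stopAllTasksForPage.
    fn drop(&mut self) {
        self.log.borrow_mut().push("webview dealloc -> stopAllTasksForPage".to_string());
        for t in self.tasks.borrow().iter() {
            self.stop_task(t);
        }
    }
}

/// Runs the response-handler scenario and returns the event log.
/// `webview_first == true` is the order the fix enforces (drop(webview) before drop(task)).
fn run_response_handler(webview_first: bool) -> Vec<String> {
    let log: Log = Rc::new(RefCell::new(Vec::new()));
    let webview = Rc::new(WebView { tasks: RefCell::new(Vec::new()), log: log.clone() });
    let task = Rc::new(SchemeTask { id: 1, log: log.clone() });
    webview.start_task(&task);

    // The closure owns the last strong references to both objects, as the
    // response handler described in the PR does.
    let handler = move || {
        if webview_first {
            drop(webview); // dealloc -> stop_task runs while `task` is still owned here
            drop(task);
        } else {
            drop(task); // task freed first...
            drop(webview); // ...then dealloc hands a dangling reference to stop_task
        }
    };
    handler();

    let events = log.borrow().clone();
    events
}

fn main() {
    for (label, order) in [("fixed order", true), ("task dropped first", false)] {
        println!("{label}:");
        for e in run_response_handler(order) {
            println!("  {e}");
        }
    }
}
```

The model only shows why the ordering matters; it does not reproduce the objc2 retain/release behaviour, which is why the `stop_task` half of the fix (raw `*mut AnyObject` parameters) has no counterpart here.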