[iOS] DOM nodes can be leaked when searching for text in Safari

pxlcoder · pxlcoder · commit c40691a5705e · 2025-01-06T21:57:48.000-08:00
https://bugs.webkit.org/show_bug.cgi?id=285450 rdar://133689631 Reviewed by Abrar Rahman Protyasha and Richard Robinson. The UIKit API for find-in-page on iOS expects clients to vend all found ranges to the system. The system then tells the client to highlight / scroll to the appropriate range. Since converting between the range representation for UIKit and `SimpleRange`s can be slow, a cache of found ranges is maintained. Under most API use (via the system search UI), the cache is populated when the user starts searching and is cleared when the user dismisses the find bar. However, when searches are performed using Safari's URL bar, the find APIs may be called directly, without the full system user flow that clears caches. Since the cache preserves `SimpleRange`s, it strongly holds on to DOM nodes. Fix by updating the cache to store `WeakSimpleRange`s. Additionally, clear the cache on memory pressure. * Source/WebKit/WebProcess/WebPage/WebFoundTextRangeController.cpp: (WebKit::WebFoundTextRangeController::findTextRangesForStringMatches): (WebKit::WebFoundTextRangeController::clearAllDecoratedFoundText): (WebKit::WebFoundTextRangeController::clearCachedRanges): (WebKit::WebFoundTextRangeController::simpleRangeFromFoundTextRange): * Source/WebKit/WebProcess/WebPage/WebFoundTextRangeController.h: * Source/WebKit/WebProcess/WebPage/WebPage.cpp: (WebKit::WebPage::releaseMemory): Canonical link: https://commits.webkit.org/288505@main
diff --git a/Source/WebKit/WebProcess/WebPage/WebFoundTextRangeController.cpp b/Source/WebKit/WebProcess/WebPage/WebFoundTextRangeController.cpp
@@ -90,7 +90,7 @@ void WebFoundTextRangeController::findTextRangesForStringMatches(const String& s
         auto domData = WebFoundTextRange::DOMData { range.location, range.length };
         auto foundTextRange = WebFoundTextRange { domData, frameName.length() ? frameName : emptyAtom(), order };
 
-        m_cachedFoundRanges.add(foundTextRange, simpleRange);
+        m_cachedFoundRanges.add(foundTextRange, simpleRange.makeWeakSimpleRange());
         foundTextRanges.append(foundTextRange);
     }
 
@@ -223,7 +223,7 @@ void WebFoundTextRangeController::scrollTextRangeToVisible(const WebFoundTextRan
 
 void WebFoundTextRangeController::clearAllDecoratedFoundText()
 {
-    m_cachedFoundRanges.clear();
+    clearCachedRanges();
     m_decoratedRanges.clear();
     m_webPage->corePage()->unmarkAllTextMatches();
 
@@ -300,6 +300,11 @@ void WebFoundTextRangeController::redraw()
     );
 }
 
+void WebFoundTextRangeController::clearCachedRanges()
+{
+    m_cachedFoundRanges.clear();
+}
+
 void WebFoundTextRangeController::willMoveToPage(WebCore::PageOverlay&, WebCore::Page* page)
 {
     if (page)
@@ -513,7 +518,7 @@ WebCore::Document* WebFoundTextRangeController::documentForFoundTextRange(const
 
 std::optional<WebCore::SimpleRange> WebFoundTextRangeController::simpleRangeFromFoundTextRange(WebFoundTextRange range)
 {
-    return m_cachedFoundRanges.ensure(range, [&] () -> std::optional<WebCore::SimpleRange> {
+    auto foundRange = m_cachedFoundRanges.ensure(range, [&] -> std::optional<WebCore::WeakSimpleRange> {
         if (!std::holds_alternative<WebFoundTextRange::DOMData>(range.data))
             return std::nullopt;
 
@@ -523,8 +528,14 @@ std::optional<WebCore::SimpleRange> WebFoundTextRangeController::simpleRangeFrom
 
         Ref documentElement = *document->documentElement();
         auto domData = std::get<WebFoundTextRange::DOMData>(range.data);
-        return resolveCharacterRange(makeRangeSelectingNodeContents(documentElement), { domData.location, domData.length }, WebCore::findIteratorOptions());
+        auto simpleRange = resolveCharacterRange(makeRangeSelectingNodeContents(documentElement), { domData.location, domData.length }, WebCore::findIteratorOptions());
+        return simpleRange.makeWeakSimpleRange();
     }).iterator->value;
+
+    if (!foundRange)
+        return std::nullopt;
+
+    return makeSimpleRange(*foundRange);
 }
 
 } // namespace WebKit
diff --git a/Source/WebKit/WebProcess/WebPage/WebFoundTextRangeController.h b/Source/WebKit/WebProcess/WebPage/WebFoundTextRangeController.h
@@ -73,6 +73,8 @@ class WebFoundTextRangeController : private WebCore::PageOverlayClient {
 
     void redraw();
 
+    void clearCachedRanges();
+
 private:
     // PageOverlayClient.
     void willMoveToPage(WebCore::PageOverlay&, WebCore::Page*) override;
@@ -99,7 +101,7 @@ class WebFoundTextRangeController : private WebCore::PageOverlayClient {
 
     WebFoundTextRange m_highlightedRange;
 
-    HashMap<WebFoundTextRange, std::optional<WebCore::SimpleRange>> m_cachedFoundRanges;
+    HashMap<WebFoundTextRange, std::optional<WebCore::WeakSimpleRange>> m_cachedFoundRanges;
     HashMap<WebFoundTextRange, FindDecorationStyle> m_decoratedRanges;
 
     RefPtr<WebCore::TextIndicator> m_textIndicator;
diff --git a/Source/WebKit/WebProcess/WebPage/WebPage.cpp b/Source/WebKit/WebProcess/WebPage/WebPage.cpp
@@ -5142,6 +5142,8 @@ void WebPage::releaseMemory(Critical)
     if (m_remoteRenderingBackendProxy)
         m_remoteRenderingBackendProxy->remoteResourceCacheProxy().releaseMemory();
 #endif
+
+    m_foundTextRangeController->clearCachedRanges();
 }
 
 void WebPage::willDestroyDecodedDataForAllImages()

Original file line number	Diff line number	Diff line change
`@@ -5142,6 +5142,8 @@ void WebPage::releaseMemory(Critical)`
`5142`	`5142`	`if (m_remoteRenderingBackendProxy)`
`5143`	`5143`	`m_remoteRenderingBackendProxy->remoteResourceCacheProxy().releaseMemory();`
`5144`	`5144`	`#endif`
	`5145`	`+`
	`5146`	`+ m_foundTextRangeController->clearCachedRanges();`
`5145`	`5147`	`}`
`5146`	`5148`
`5147`	`5149`	`void WebPage::willDestroyDecodedDataForAllImages()`