221565 2021-02-08 12:17:04 -0800 [iOS] Crash in ValidationBubble::show() 2021-02-25 07:05:17 -0800 1 1 1 Unclassified WebKit Layout and Rendering WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 ajuma wenson_hsieh bfulgham hi megan_gardner simon.fraser thorton webkit-bug-importer wenson_hsieh zalan oldest_to_newest 1726728 0 ajuma 2021-02-08 12:17:04 -0800 Chrome for iOS is getting large number of crash reports in ValidationBubble::show(), all in iOS 14. The crash stack is: Thread 0 (id: 0x00000407) CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x72657473 ] 0x00000001b173d468(libobjc.A.dylib + 0x00002468)objc_msgSend 0x00000001aa5886c0(WebCore + 0x00ba46c0)WebCore::ValidationBubble::show() 0x00000001a93f2798(WebKit + 0x003c1798)WebKit::WebPageProxy::showValidationMessage(WebCore::IntRect const&, WTF::String const&) 0x00000001a960cda4(WebKit + 0x005dbda4)WebKit::WebPageProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) 0x00000001a907d668(WebKit + 0x0004c668)IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) 0x00000001a938b580(WebKit + 0x0035a580)WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) 0x00000001a9061214(WebKit + 0x00030214)IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) 0x00000001a9060b58(WebKit + 0x0002fb58)IPC::Connection::dispatchIncomingMessages() 0x00000001a6ecfbc8(JavaScriptCore + 0x00dc6bc8)WTF::RunLoop::performWork() 0x00000001a6ed0714(JavaScriptCore + 0x00dc7714)WTF::RunLoop::performWork(void*) 0x000000019d33bbec(CoreFoundation + 0x0009abec)__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ 0x000000019d33baec(CoreFoundation + 0x0009aaec)__CFRunLoopDoSource0 0x000000019d33ae34(CoreFoundation + 0x00099e34)__CFRunLoopDoSources0 0x000000019d3353dc(CoreFoundation + 0x000943dc)__CFRunLoopRun 0x000000019d334b9c(CoreFoundation + 0x00093b9c)CFRunLoopRunSpecific 0x00000001b409d594(GraphicsServices + 0x00003594)GSEventRunModal 0x000000019fc262f0(UIKitCore + 0x00b2e2f0)-[UIApplication _run] 0x000000019fc2b870(UIKitCore + 0x00b33870)UIApplicationMain 0x0000000104baa4ec(Chrome -chrome_exe_main.mm:71)main 0x000000019d013564(libdyld.dylib + 0x00001564)start The crash URLs seem to mostly be sign-in pages like: https://schoolzone.epsb.ca/cf/index.cfm https://myaccount.uscis.gov/ https://www.bigideasmath.com/BIM/login Looking through changes that might have caused this, https://bugs.webkit.org/show_bug.cgi?id=208472 is the only thing I could find in ValidationBubble-related code that's new in iOS 14. 1726738 1 wenson_hsieh 2021-02-08 12:30:32 -0800 Do you happen to have repro steps for this crash? I tried showing the form validation bubble on these sites in both Chrome and Safari on trunk WebKit, but did not see any crashes. 1726752 2 ajuma 2021-02-08 13:05:18 -0800 No repro steps unfortunately, just crash reports with URLs. The crashes are still present on iOS 14.4. 1729291 3 webkit-bug-importer 2021-02-15 12:18:14 -0800 <rdar://problem/74360282> 1733201 4 wenson_hsieh 2021-02-24 21:19:54 -0800 So from code inspection, there doesn't seem to be a guarantee that this member on ValidationBubble: UIViewController *m_presentingViewController; ...is guaranteed to be zero-initialized. This means we might actually end up calling `-presentViewController:animated:completion:` on some arbitrary pointer value in the case where we fall down this early return if `fallbackViewController` comes up `nil`: ``` void ValidationBubble::setAnchorRect(const IntRect& anchorRect, UIViewController *presentingViewController) { if (!presentingViewController) presentingViewController = fallbackViewController(m_view); if (!presentingViewController) return; ``` The fix should be simply initializing that member as `nil`, or wrapping it in a `WeakObjCPtr` so that it can be safely accessed. That said, I'm not sure why this just started in iOS 14... Maybe something prior to iOS 14 happened to ensure that that member always ended up being nil in this corner case. 1733203 5 wenson_hsieh 2021-02-24 21:31:28 -0800 > > Maybe something prior to iOS 14 happened to ensure that that member always > ended up being nil in this corner case. Aha — we never hit this prior to iOS 14 because we would've crashed at an earlier point, due to https://bugs.webkit.org/show_bug.cgi?id=214789 (which was first fixed in iOS 14). 1733204 6 421498 wenson_hsieh 2021-02-24 21:41:52 -0800 Created attachment 421498 Patch 1733312 7 ews-feeder 2021-02-25 07:05:15 -0800 Committed r273482: <https://commits.webkit.org/r273482> All reviewed patches have been landed. Closing bug and clearing flags on attachment 421498. 421498 2021-02-24 21:41:52 -0800 2021-02-25 07:05:16 -0800 Patch bug-221565-20210224214151.patch text/plain 2100 wenson_hsieh U3VidmVyc2lvbiBSZXZpc2lvbjogMjczMzY4CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZjFhZWE2NTNlMTk5ZGEx ZGFlZTE2ZDFkMDEzZWY3ZDQ3NmNiZWU1My4uZTMyZTU3MzY3MDMyZTZlNzNlY2M1YTQ4MmJmZjA2 Zjg4ODNmYjY2YiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDIyIEBACisyMDIxLTAyLTI0ICBXZW5z b24gSHNpZWggIDx3ZW5zb25faHNpZWhAYXBwbGUuY29tPgorCisgICAgICAgIFtpT1NdIENyYXNo IGluIFZhbGlkYXRpb25CdWJibGU6OnNob3coKQorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0 Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjIxNTY1CisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS83NDM2 MDI4Mj4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBG aXhlcyB0aGUgY3Jhc2ggYnkgdHVybmluZyB0aGUgcmF3IE9iakMgaWQgYG1fcHJlc2VudGluZ1Zp ZXdDb250cm9sbGVyYCBvbiBgVmFsaWRhdGlvbkJ1YmJsZWAgaW50byBhCisgICAgICAgIGBXZWFr T2JqQ1B0cmAgaW5zdGVhZCwgc3VjaCB0aGF0IGZhaWx1cmUgdG8gaW5pdGlhbGl6ZSB0aGUgbWVt YmVyIHVuZGVybmVhdGggYFZhbGlkYXRpb25CdWJibGU6OnNldEFuY2hvclJlY3RgCisgICAgICAg IHdvbid0IGNhdXNlIHVuZGVmaW5lZCBiZWhhdmlvci4KKworICAgICAgICBJbiB0aGVvcnksIHRo aXMgc2NlbmFyaW8gaXMgYWxyZWFkeSBleGVyY2lzZWQgYnkgdGhlIGV4aXN0aW5nIEFQSSB0ZXN0 CisgICAgICAgIGBGb3JtVmFsaWRhdGlvbi5QcmVzZW50aW5nRm9ybVZhbGlkYXRpb25VSVdpdGhv dXRWaWV3Q29udHJvbGxlckRvZXNOb3RDcmFzaGAsIHRob3VnaCBpdCBtYXkgbm90IGJlIGNyYXNo aW5nCisgICAgICAgIHdpdGggZW5vdWdoIGZyZXF1ZW5jeSB0byBoYXZlIHJlc3VsdGVkIGluIGEg ZG9jdW1lbnRlZCB0ZXN0IGZhaWx1cmUsIGR1ZSB0byB0aGUgdW5pbml0aWFsaXplZCBgaWRgIGZy ZXF1ZW50bHkKKyAgICAgICAgdHVybmluZyBvdXQgdG8gYmUgYG5pbGAgYW55d2F5cy4KKworICAg ICAgICAqIHBsYXRmb3JtL1ZhbGlkYXRpb25CdWJibGUuaDoKKwogMjAyMS0wMi0yMyAgRnJlZGVy aWMgV2FuZyAgPGZ3YW5nQGlnYWxpYS5jb20+CiAKICAgICAgICAgTnVsbHB0ciBjcmFzaCBpbiBS ZXBsYWNlU2VsZWN0aW9uQ29tbWFuZDo6cmVtb3ZlUmVkdW5kYW50U3R5bGVzQW5kS2VlcFN0eWxl U3BhbklubGluZQpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0vVmFsaWRhdGlv bkJ1YmJsZS5oIGIvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0vVmFsaWRhdGlvbkJ1YmJsZS5oCmlu ZGV4IDcxMDlkMjgzZTg1NTM4ZjRiYzYwNDNhNDlhYTE3Y2RkN2Q0OGNiYjEuLjkyNDhkODFkODgx MjE3ODc0ZjFmNGNkMWI2YWE0YzQ2MWIyZGRiMmYgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3Jl L3BsYXRmb3JtL1ZhbGlkYXRpb25CdWJibGUuaAorKysgYi9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9y bS9WYWxpZGF0aW9uQnViYmxlLmgKQEAgLTMxLDYgKzMxLDcgQEAKIAogI2lmIFBMQVRGT1JNKENP Q09BKQogI2luY2x1ZGUgPHd0Zi9SZXRhaW5QdHIuaD4KKyNpbmNsdWRlIDx3dGYvV2Vha09iakNQ dHIuaD4KICNlbmRpZgogCiAjaWYgUExBVEZPUk0oTUFDKQpAQCAtODksNyArOTAsNyBAQCBwcml2 YXRlOgogICAgIFJldGFpblB0cjxXZWJWYWxpZGF0aW9uQnViYmxlVmlld0NvbnRyb2xsZXI+IG1f cG9wb3ZlckNvbnRyb2xsZXI7CiAgICAgUmV0YWluUHRyPFdlYlZhbGlkYXRpb25CdWJibGVUYXBS ZWNvZ25pemVyPiBtX3RhcFJlY29nbml6ZXI7CiAgICAgUmV0YWluUHRyPFdlYlZhbGlkYXRpb25C dWJibGVEZWxlZ2F0ZT4gbV9wb3BvdmVyRGVsZWdhdGU7Ci0gICAgVUlWaWV3Q29udHJvbGxlciAq bV9wcmVzZW50aW5nVmlld0NvbnRyb2xsZXI7CisgICAgV2Vha09iakNQdHI8VUlWaWV3Q29udHJv bGxlcj4gbV9wcmVzZW50aW5nVmlld0NvbnRyb2xsZXI7CiAjZW5kaWYKIH07CiAK