Bug 138023

Summary: WebContent crash in WebKit::WebPage::expandedRangeFromHandle
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: WebKit2Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, darin, ddkilzer, enrica, sam
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Fixes the crash
enrica: review+
Additional fix rniwa: review+

Description Ryosuke Niwa 2014-10-23 14:38:08 PDT 
Continuing the bug 136969. There are more nullptr checks to be added here:

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   WebKit                        	0x0000000187596328 WebKit::WebPage::expandedRangeFromHandle(WebCore::Range*, WebKit::SelectionHandlePosition) + 576 (Ref.h:60)
1   WebKit                        	0x0000000187596318 WebKit::WebPage::expandedRangeFromHandle(WebCore::Range*, WebKit::SelectionHandlePosition) + 560 (WebPageIOS.mm:1140)
2   WebKit                        	0x0000000187597084 WebKit::WebPage::computeExpandAndShrinkThresholdsForHandle(WebCore::IntPoint const&, WebKit::SelectionHandlePosition, float&, float&) + 132 (WebPageIOS.mm:1330)
3   WebKit                        	0x000000018759750c WebKit::WebPage::updateBlockSelectionWithTouch(WebCore::IntPoint const&, unsigned int, unsigned int) + 160 (WebPageIOS.mm:1430)
4   WebKit                        	0x0000000187693ca0 void IPC::handleMessage<Messages::WebPage::UpdateBlockSelectionWithTouch, WebKit::WebPage, void (WebKit::WebPage::*)(WebCore::IntPoint const&, unsigned int, unsigned int)>(IPC::MessageDecoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebCore::IntPoint const&, unsigned int, unsigned int)) + 72 (HandleMessage.h:16)
5   WebKit                        	0x0000000187690f6c WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection*, IPC::MessageDecoder&) + 2556 (WebPageMessageReceiver.cpp:267)
6   WebKit                        	0x00000001875c4b74 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection*, IPC::MessageDecoder&) + 116 (MessageReceiverMap.cpp:87)
7   WebKit                        	0x00000001876ce954 WebKit::WebProcess::didReceiveMessage(IPC::Connection*, IPC::MessageDecoder&) + 36 (WebProcess.cpp:595)
8   WebKit                        	0x0000000187551590 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 124 (Connection.cpp:809)
9   WebKit                        	0x000000018755353c IPC::Connection::dispatchOneMessage() + 116 (Connection.cpp:856)
10  JavaScriptCore                	0x0000000183c9a088 WTF::RunLoop::performWork() + 800
11  JavaScriptCore                	0x0000000183c9a558 WTF::RunLoop::performWork(void*) + 36
12  CoreFoundation                	0x00000001823b57c4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 20 (CFRunLoop.c:1763)
13  CoreFoundation                	0x00000001823b4a68 __CFRunLoopDoSources0 + 260 (CFRunLoop.c:1809)
14  CoreFoundation                	0x00000001823b2b18 __CFRunLoopRun + 708 (CFRunLoop.c:2526)
15  CoreFoundation                	0x00000001822e13e0 CFRunLoopRunSpecific + 392 (CFRunLoop.c:2795)
16  Foundation                    	0x00000001831e6100 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 312 (NSRunLoop.m:366)
17  Foundation                    	0x00000001832407d4 -[NSRunLoop(NSRunLoop) run] + 92 (NSRunLoop.m:388)
18  libxpc.dylib                  	0x00000001937fc34c _xpc_objc_main + 704 (main.m:172)
19  libxpc.dylib                  	0x00000001937fe070 xpc_main + 196 (init.c:1434)
20  com.apple.WebKit.WebContent   	0x0000000100077a7c main + 16 (XPCServiceMain.mm:77)
21  libdyld.dylib                 	0x0000000193616a04 start + 0 (start_glue.s:78)
Comment 1 Ryosuke Niwa 2014-10-23 14:46:19 PDT 
Created attachment 240368 [details]
Fixes the crash
Comment 2 Ryosuke Niwa 2014-10-23 14:51:03 PDT 
Committed r175143: <http://trac.webkit.org/changeset/175143>
Comment 3 Enrica Casucci 2014-10-27 17:00:49 PDT 
There is still one case that needs to be covered.
Comment 4 Enrica Casucci 2014-10-27 17:06:27 PDT 
Created attachment 240512 [details]
Additional fix
Comment 5 Chris Dumez 2014-10-27 17:19:05 PDT 
Comment on attachment 240512 [details]
Additional fix

View in context: https://bugs.webkit.org/attachment.cgi?id=240512&action=review

> Source/WebKit2/ChangeLog:9
> +        We must change that we have a valid currentRange before trying

nit: s/change/check
Comment 6 Enrica Casucci 2014-10-27 17:39:06 PDT 
Committed revision 175235.
Comment 7 Simon Fraser (smfr) 2014-10-27 19:22:20 PDT 
Comment on attachment 240512 [details]
Additional fix

Do we know how all these nulls can happen? It's pretty easy to reproduce.
Comment 8 David Kilzer (:ddkilzer) 2014-12-17 09:45:21 PST 
<rdar://problem/18692335>