Bug 165839

Summary: Deleting a character converted from pinyin after an image causes a Safari crash
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: HTML EditingAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: andersca, ap, bdakin, commit-queue, dbates, enrica, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Fixes the crash
none
Updated per review comments
none
Added a API test
none
Added a API test
none
Patch for landing none

Ryosuke Niwa
Reported 2016-12-13 22:04:51 PST
Deleting a Chinese character typed using pinyin on Mac on the same line as an image causes Safari to crash.
Attachments
Fixes the crash (4.54 KB, patch)
2016-12-13 22:13 PST, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Updated per review comments (3.49 KB, patch)
2016-12-14 19:46 PST, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Added a API test (12.49 KB, patch)
2016-12-16 19:01 PST, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Added a API test (7.64 KB, patch)
2016-12-16 19:03 PST, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Patch for landing (12.51 KB, patch)
2016-12-16 19:40 PST, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2016-12-13 22:05:53 PST
<rdar://problem/27951933>
Ryosuke Niwa
Comment 2 2016-12-13 22:13:28 PST
Created attachment 297066 [details] Fixes the crash
Wenson Hsieh
Comment 3 2016-12-14 08:39:34 PST
Comment on attachment 297066 [details] Fixes the crash View in context: https://bugs.webkit.org/attachment.cgi?id=297066&action=review > Source/WebKit2/ChangeLog:11 > + Fixed it buy omitting the image as done in r176412 since encoding NSFileWrapper, etc... would require Nit - buy => by
Alexey Proskuryakov
Comment 4 2016-12-14 13:05:00 PST
Comment on attachment 297066 [details] Fixes the crash View in context: https://bugs.webkit.org/attachment.cgi?id=297066&action=review > ChangeLog:8 > + Added a manual test. I tried but I couldn't make textInputController to trigger the crash. Very surprising! textInputController can do everything that an input method does. > Source/WebKit2/ChangeLog:12 > + quite a bit of work, and IME doesn't really need to see the image in its attributed string. Is the change in string length and character offsets observable?
Ryosuke Niwa
Comment 5 2016-12-14 13:50:46 PST
(In reply to comment #4) > Comment on attachment 297066 [details] > Fixes the crash > > View in context: > https://bugs.webkit.org/attachment.cgi?id=297066&action=review > > > ChangeLog:8 > > + Added a manual test. I tried but I couldn't make textInputController to trigger the crash. > > Very surprising! textInputController can do everything that an input method > does. I think Chinese IME somehow calls into WKWebView via one of the standard AppKit NSView selectors. > > Source/WebKit2/ChangeLog:12 > > + quite a bit of work, and IME doesn't really need to see the image in its attributed string. > > Is the change in string length and character offsets observable? I can’t think of a way.
Tim Horton
Comment 6 2016-12-14 17:14:26 PST
Comment on attachment 297066 [details] Fixes the crash View in context: https://bugs.webkit.org/attachment.cgi?id=297066&action=review > Source/WebKit2/ChangeLog:15 > + Also converted assertions in typeFromObject and encode inside ArgumentCodersMac to release assertions > + to crash early inside a WebProcess instead of killing the entire UIProcess for a similar bug in the future. I don't think this is the right fix for this part of the problem: the UI process should guard against this crash (and kill the offending Web process), not the Web process (otherwise, a compromised Web process could still cause this).
Ryosuke Niwa
Comment 7 2016-12-14 19:34:01 PST
(In reply to comment #6) > Comment on attachment 297066 [details] > Fixes the crash > > View in context: > https://bugs.webkit.org/attachment.cgi?id=297066&action=review > > > Source/WebKit2/ChangeLog:15 > > + Also converted assertions in typeFromObject and encode inside ArgumentCodersMac to release assertions > > + to crash early inside a WebProcess instead of killing the entire UIProcess for a similar bug in the future. > > I don't think this is the right fix for this part of the problem: the UI > process should guard against this crash (and kill the offending Web > process), not the Web process (otherwise, a compromised Web process could > still cause this). Okay, I’d just revert this part of the change then since I’m not familiar with IPC / WebKit2 enough to make that change.
Ryosuke Niwa
Comment 8 2016-12-14 19:46:32 PST
Created attachment 297160 [details] Updated per review comments
Alexey Proskuryakov
Comment 9 2016-12-15 09:47:28 PST
> I think Chinese IME somehow calls into WKWebView via one of the standard AppKit NSView selectors. An input method can't do that, they are out of process and limited by API provided to them. AppKit itself can, of course. If it's something it does, the right thing to do it to make that testable. Additionally, commands can be sent via -doCommandBySelector: - this is not quite the same as calling WebHTMLView methods directly, but could be close enough to trigger the crash.
Ryosuke Niwa
Comment 10 2016-12-15 17:42:26 PST
(In reply to comment #9) > > I think Chinese IME somehow calls into WKWebView via one of the standard AppKit NSView selectors. > > An input method can't do that, they are out of process and limited by API > provided to them. AppKit itself can, of course. If it's something it does, > the right thing to do it to make that testable. > > Additionally, commands can be sent via -doCommandBySelector: - this is not > quite the same as calling WebHTMLView methods directly, but could be close > enough to trigger the crash. In that case, I think it's probably better if someone who knows about AppKit worked on this bug. I really don't know how to do that.
Ryosuke Niwa
Comment 11 2016-12-16 18:57:20 PST
It turns out that we can just call attributedSubstringForProposedRange on WKWebView and it’d reproduce the crash since the code doesn’t depend on any states related to input methods. After a whole day of fiddling with the exact condition, I’ve successfully made a WebKit API test.
Ryosuke Niwa
Comment 12 2016-12-16 19:01:14 PST
Created attachment 297380 [details] Added a API test
Ryosuke Niwa
Comment 13 2016-12-16 19:03:56 PST
Created attachment 297381 [details] Added a API test
Wenson Hsieh
Comment 14 2016-12-16 19:12:58 PST
Comment on attachment 297381 [details] Added a API test Test looks good to me!
Ryosuke Niwa
Comment 15 2016-12-16 19:40:09 PST
Created attachment 297385 [details] Patch for landing
WebKit Commit Bot
Comment 16 2016-12-16 20:04:45 PST
Comment on attachment 297385 [details] Patch for landing Clearing flags on attachment: 297385 Committed r209957: <http://trac.webkit.org/changeset/209957>
WebKit Commit Bot
Comment 17 2016-12-16 20:04:52 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.