| Summary: | [iOS] Crash in ValidationBubble::show() |
|---|---|
| Product: | WebKit |
| Reporter: | Ali Juma <ajuma> |
| Component: | Layout and Rendering |
| Assignee: | Wenson Hsieh <wenson_hsieh> |
| Status: | RESOLVED FIXED |
| Severity: | Normal |
| CC: | bfulgham, hi, megan_gardner, simon.fraser, thorton, webkit-bug-importer, wenson_hsieh, zalan |
| Priority: | P2 |
| Keywords: | InRadar |
| Version: | WebKit Nightly Build |
| Hardware: | Unspecified |
| OS: | Unspecified |
Description
Ali Juma
2021-02-08 12:17:04 PST
Do you happen to have repro steps for this crash? I tried showing the form validation bubble on these sites in both Chrome and Safari on trunk WebKit, but did not see any crashes.

No repro steps unfortunately, just crash reports with URLs. The crashes are still present on iOS 14.4.

So from code inspection, there doesn't seem to be a guarantee that this member on ValidationBubble:

    UIViewController *m_presentingViewController;

...is guaranteed to be zero-initialized. This means we might actually end up calling `-presentViewController:animated:completion:` on some arbitrary pointer value in the case where we fall down this early return if `fallbackViewController` comes up `nil`:

```objc
void ValidationBubble::setAnchorRect(const IntRect& anchorRect, UIViewController *presentingViewController)
{
    if (!presentingViewController)
        presentingViewController = fallbackViewController(m_view);

    if (!presentingViewController)
        return;
```

The fix should be simply initializing that member as `nil`, or wrapping it in a `WeakObjCPtr` so that it can be safely accessed.

That said, I'm not sure why this just started in iOS 14... Maybe something prior to iOS 14 happened to ensure that that member always ended up being nil in this corner case.

> Maybe something prior to iOS 14 happened to ensure that that member always
> ended up being nil in this corner case.

Aha — we never hit this prior to iOS 14 because we would've crashed at an earlier point, due to https://bugs.webkit.org/show_bug.cgi?id=214789 (which was first fixed in iOS 14).

Created attachment 421498 [details]
Patch

Committed r273482: <https://commits.webkit.org/r273482>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 421498 [details].
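As an added illustration of the fix pattern the discussion settles on (not WebKit's own code, which is Objective-C++ against UIKit): a C++ sketch that uses std::weak_ptr as a stand-in for WeakObjCPtr and a constructed, counting ViewController stub in place of UIViewController, so that show() is a safe no-op both when setAnchorRect took the early-return path and when the presenting controller has already gone away.

```cpp
#include <memory>

// Constructed stand-in for UIViewController; it only counts presentations.
struct ViewController {
    int presentedCount = 0;
    void presentViewController() { ++presentedCount; }
};

// Shape of ValidationBubble around this bug, with the member held as a weak
// handle (std::weak_ptr here, standing in for WeakObjCPtr) that is always
// initialised to empty, so show() can never read an indeterminate pointer.
class ValidationBubble {
public:
    // false mirrors the early-return path in the report: no presenting
    // controller could be found, and the member is left untouched (still empty).
    bool setAnchorRect(std::shared_ptr<ViewController> presenting,
                       std::shared_ptr<ViewController> fallback) {
        if (!presenting)
            presenting = fallback; // fallbackViewController(m_view) analogue
        if (!presenting)
            return false;
        m_presentingViewController = presenting;
        return true;
    }
    // Presents only on a live controller; otherwise a no-op rather than a call
    // through whatever value an uninitialised raw pointer happened to hold.
    bool show() {
        auto presenting = m_presentingViewController.lock();
        if (!presenting)
            return false;
        presenting->presentViewController();
        return true;
    }
private:
    std::weak_ptr<ViewController> m_presentingViewController; // empty by default
};

// Three cases worth checking: show() before any anchor, show() after the fallback
// anchor succeeded, and show() after the controller was released. Returns how
// many presentations actually happened (exactly one).
int runScenario(bool& shownWithoutAnchor, bool& shownAfterAnchor, bool& shownAfterRelease) {
    ValidationBubble bubble;
    shownWithoutAnchor = bubble.show();               // member empty: skipped
    auto controller = std::make_shared<ViewController>();
    bubble.setAnchorRect(nullptr, controller);        // presenting nil, fallback found
    shownAfterAnchor = bubble.show();                 // presents once
    int presented = controller->presentedCount;
    controller.reset();                               // deallocated; weak handle expires
    shownAfterRelease = bubble.show();                // skipped, no dangling call
    return presented;
}
```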