WebKit Bugzilla
Bug 138023 (RESOLVED FIXED): WebContent crash in WebKit::WebPage::expandedRangeFromHandle
https://bugs.webkit.org/show_bug.cgi?id=138023
Ryosuke Niwa, reported 2014-10-23 14:38:08 PDT
Continuing the bug 136969. There are more nullptr checks to be added here:

Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 WebKit 0x0000000187596328 WebKit::WebPage::expandedRangeFromHandle(WebCore::Range*, WebKit::SelectionHandlePosition) + 576 (Ref.h:60)
1 WebKit 0x0000000187596318 WebKit::WebPage::expandedRangeFromHandle(WebCore::Range*, WebKit::SelectionHandlePosition) + 560 (WebPageIOS.mm:1140)
2 WebKit 0x0000000187597084 WebKit::WebPage::computeExpandAndShrinkThresholdsForHandle(WebCore::IntPoint const&, WebKit::SelectionHandlePosition, float&, float&) + 132 (WebPageIOS.mm:1330)
3 WebKit 0x000000018759750c WebKit::WebPage::updateBlockSelectionWithTouch(WebCore::IntPoint const&, unsigned int, unsigned int) + 160 (WebPageIOS.mm:1430)
4 WebKit 0x0000000187693ca0 void IPC::handleMessage<Messages::WebPage::UpdateBlockSelectionWithTouch, WebKit::WebPage, void (WebKit::WebPage::*)(WebCore::IntPoint const&, unsigned int, unsigned int)>(IPC::MessageDecoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebCore::IntPoint const&, unsigned int, unsigned int)) + 72 (HandleMessage.h:16)
5 WebKit 0x0000000187690f6c WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection*, IPC::MessageDecoder&) + 2556 (WebPageMessageReceiver.cpp:267)
6 WebKit 0x00000001875c4b74 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection*, IPC::MessageDecoder&) + 116 (MessageReceiverMap.cpp:87)
7 WebKit 0x00000001876ce954 WebKit::WebProcess::didReceiveMessage(IPC::Connection*, IPC::MessageDecoder&) + 36 (WebProcess.cpp:595)
8 WebKit 0x0000000187551590 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 124 (Connection.cpp:809)
9 WebKit 0x000000018755353c IPC::Connection::dispatchOneMessage() + 116 (Connection.cpp:856)
10 JavaScriptCore 0x0000000183c9a088 WTF::RunLoop::performWork() + 800
11 JavaScriptCore 0x0000000183c9a558 WTF::RunLoop::performWork(void*) + 36
12 CoreFoundation 0x00000001823b57c4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 20 (CFRunLoop.c:1763)
13 CoreFoundation 0x00000001823b4a68 __CFRunLoopDoSources0 + 260 (CFRunLoop.c:1809)
14 CoreFoundation 0x00000001823b2b18 __CFRunLoopRun + 708 (CFRunLoop.c:2526)
15 CoreFoundation 0x00000001822e13e0 CFRunLoopRunSpecific + 392 (CFRunLoop.c:2795)
16 Foundation 0x00000001831e6100 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 312 (NSRunLoop.m:366)
17 Foundation 0x00000001832407d4 -[NSRunLoop(NSRunLoop) run] + 92 (NSRunLoop.m:388)
18 libxpc.dylib 0x00000001937fc34c _xpc_objc_main + 704 (main.m:172)
19 libxpc.dylib 0x00000001937fe070 xpc_main + 196 (init.c:1434)
20 com.apple.WebKit.WebContent 0x0000000100077a7c main + 16 (XPCServiceMain.mm:77)
21 libdyld.dylib 0x0000000193616a04 start + 0 (start_glue.s:78)
Attachments
Fixes the crash (2.79 KB, patch), 2014-10-23 14:46 PDT, Ryosuke Niwa; enrica: review+
Additional fix (1.62 KB, patch), 2014-10-27 17:06 PDT, Enrica Casucci; rniwa: review+
Ryosuke Niwa, Comment 1, 2014-10-23 14:46:19 PDT
Created attachment 240368: Fixes the crash
Ryosuke Niwa, Comment 2, 2014-10-23 14:51:03 PDT
Committed r175143: <http://trac.webkit.org/changeset/175143>
Enrica Casucci, Comment 3, 2014-10-27 17:00:49 PDT
There is still one case that needs to be covered.
Enrica Casucci, Comment 4, 2014-10-27 17:06:27 PDT
Created attachment 240512: Additional fix
Chris Dumez, Comment 5, 2014-10-27 17:19:05 PDT
Comment on attachment 240512: Additional fix
View in context: https://bugs.webkit.org/attachment.cgi?id=240512&action=review
> Source/WebKit2/ChangeLog:9
> + We must change that we have a valid currentRange before trying
nit: s/change/check
Enrica Casucci, Comment 6, 2014-10-27 17:39:06 PDT
Committed revision 175235.
Simon Fraser (smfr), Comment 7, 2014-10-27 19:22:20 PDT
Comment on attachment 240512: Additional fix
Do we know how all these nulls can happen? It's pretty easy to reproduce.
David Kilzer (:ddkilzer), Comment 8, 2014-12-17 09:45:21 PST
<rdar://problem/18692335>