138023 – WebContent crash in WebKit::WebPage::expandedRangeFromHandle

Bug 138023 - WebContent crash in WebKit::WebPage::expandedRangeFromHandle

Summary: WebContent crash in WebKit::WebPage::expandedRangeFromHandle

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit2 (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Ryosuke Niwa

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2014-10-23 14:38 PDT by Ryosuke Niwa
Modified:	2014-12-17 09:45 PST (History)
CC List:	5 users (show)

See Also:

Attachments
Fixes the crash (2.79 KB, patch) 2014-10-23 14:46 PDT, Ryosuke Niwa	enrica: review+	Details \| Formatted Diff \| Diff
Additional fix (1.62 KB, patch) 2014-10-27 17:06 PDT, Enrica Casucci	rniwa: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ryosuke Niwa 2014-10-23 14:38:08 PDT

Continuing the bug 136969. There are more nullptr checks to be added here:

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   WebKit                        	0x0000000187596328 WebKit::WebPage::expandedRangeFromHandle(WebCore::Range*, WebKit::SelectionHandlePosition) + 576 (Ref.h:60)
1   WebKit                        	0x0000000187596318 WebKit::WebPage::expandedRangeFromHandle(WebCore::Range*, WebKit::SelectionHandlePosition) + 560 (WebPageIOS.mm:1140)
2   WebKit                        	0x0000000187597084 WebKit::WebPage::computeExpandAndShrinkThresholdsForHandle(WebCore::IntPoint const&, WebKit::SelectionHandlePosition, float&, float&) + 132 (WebPageIOS.mm:1330)
3   WebKit                        	0x000000018759750c WebKit::WebPage::updateBlockSelectionWithTouch(WebCore::IntPoint const&, unsigned int, unsigned int) + 160 (WebPageIOS.mm:1430)
4   WebKit                        	0x0000000187693ca0 void IPC::handleMessage<Messages::WebPage::UpdateBlockSelectionWithTouch, WebKit::WebPage, void (WebKit::WebPage::*)(WebCore::IntPoint const&, unsigned int, unsigned int)>(IPC::MessageDecoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebCore::IntPoint const&, unsigned int, unsigned int)) + 72 (HandleMessage.h:16)
5   WebKit                        	0x0000000187690f6c WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection*, IPC::MessageDecoder&) + 2556 (WebPageMessageReceiver.cpp:267)
6   WebKit                        	0x00000001875c4b74 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection*, IPC::MessageDecoder&) + 116 (MessageReceiverMap.cpp:87)
7   WebKit                        	0x00000001876ce954 WebKit::WebProcess::didReceiveMessage(IPC::Connection*, IPC::MessageDecoder&) + 36 (WebProcess.cpp:595)
8   WebKit                        	0x0000000187551590 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 124 (Connection.cpp:809)
9   WebKit                        	0x000000018755353c IPC::Connection::dispatchOneMessage() + 116 (Connection.cpp:856)
10  JavaScriptCore                	0x0000000183c9a088 WTF::RunLoop::performWork() + 800
11  JavaScriptCore                	0x0000000183c9a558 WTF::RunLoop::performWork(void*) + 36
12  CoreFoundation                	0x00000001823b57c4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 20 (CFRunLoop.c:1763)
13  CoreFoundation                	0x00000001823b4a68 __CFRunLoopDoSources0 + 260 (CFRunLoop.c:1809)
14  CoreFoundation                	0x00000001823b2b18 __CFRunLoopRun + 708 (CFRunLoop.c:2526)
15  CoreFoundation                	0x00000001822e13e0 CFRunLoopRunSpecific + 392 (CFRunLoop.c:2795)
16  Foundation                    	0x00000001831e6100 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 312 (NSRunLoop.m:366)
17  Foundation                    	0x00000001832407d4 -[NSRunLoop(NSRunLoop) run] + 92 (NSRunLoop.m:388)
18  libxpc.dylib                  	0x00000001937fc34c _xpc_objc_main + 704 (main.m:172)
19  libxpc.dylib                  	0x00000001937fe070 xpc_main + 196 (init.c:1434)
20  com.apple.WebKit.WebContent   	0x0000000100077a7c main + 16 (XPCServiceMain.mm:77)
21  libdyld.dylib                 	0x0000000193616a04 start + 0 (start_glue.s:78)

Comment 1 Ryosuke Niwa 2014-10-23 14:46:19 PDT

Created attachment 240368 [details]
Fixes the crash

Comment 2 Ryosuke Niwa 2014-10-23 14:51:03 PDT

Committed r175143: <http://trac.webkit.org/changeset/175143>

Comment 3 Enrica Casucci 2014-10-27 17:00:49 PDT

There is still one case that needs to be covered.

Comment 4 Enrica Casucci 2014-10-27 17:06:27 PDT

Created attachment 240512 [details]
Additional fix

Comment 5 Chris Dumez 2014-10-27 17:19:05 PDT

Comment on attachment 240512 [details]
Additional fix

View in context: https://bugs.webkit.org/attachment.cgi?id=240512&action=review

> Source/WebKit2/ChangeLog:9
> +        We must change that we have a valid currentRange before trying

nit: s/change/check

Comment 6 Enrica Casucci 2014-10-27 17:39:06 PDT

Committed revision 175235.

Comment 7 Simon Fraser (smfr) 2014-10-27 19:22:20 PDT

Comment on attachment 240512 [details]
Additional fix

Do we know how all these nulls can happen? It's pretty easy to reproduce.

Comment 8 David Kilzer (:ddkilzer) 2014-12-17 09:45:21 PST

<rdar://problem/18692335>