The WebProcess crashes under certain circumstances when you attempt to copy an image in iOS.
1. Select an accessory like lightning cable. http://www.apple.com/shop/product/MD819/lightning-to-usb-cable-2-m?fnode=37
2. Tap and hold the image on the right > Copy
3. WebKit crashes. Image is not copied.
This is due to a null-pointer dereference in WebPage::performActionOnElement. In this test case, the HTMLImageElement's renderer does not have a valid cached image. We ask the nullptr for its URL, and the process crashes. This could be avoided by a nullptr check, but the method we pass the URL to doesn't even use it! So we can avoid the whole issue by simply passing a default URL that can be just as easily ignored as a fully-formed URL (at less cost!).
<rdar://problem/23507828>
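A simplified model of the crash described above and of the chosen fix, added here as an example and not WebKit's own code; the struct and function names are stand-ins for the WebKit types the report mentions, and the "before" accessor is kept only to show where the dereference happens.

```cpp
// Added example (not WebKit code): a reduced model of the null-pointer
// dereference in the copy action and of the fix that passes a default URL.
#include <string>

// Stand-in for CachedImage, the object that knows the image's URL.
struct CachedImage {
    std::string url;
    const std::string& urlString() const { return url; }
};

// Stand-in for the image renderer. Certain markup leaves the cached image
// null, which is the underlying issue the report says was filed separately.
struct RenderImage {
    const CachedImage* m_cachedImage = nullptr;
    const CachedImage* cachedImage() const { return m_cachedImage; }
};

// Stand-in for HTMLImageElement.
struct HTMLImageElement {
    RenderImage* m_renderer = nullptr;
    RenderImage* renderer() const { return m_renderer; }
};

// The consumer of the URL in the report ignores the argument entirely,
// so an empty default is as good as a fully formed URL.
void copyImageToPasteboard(const HTMLImageElement&, const std::string& /*url*/) {}

// Before: asks the cached image for its URL without checking it exists.
// With a null cached image this line is the crash, so callers must check first.
std::string imageURLUnchecked(const HTMLImageElement& element)
{
    return element.renderer()->cachedImage()->urlString();
}

// The nullptr check the report mentions as the alternative fix.
bool canProvideURL(const HTMLImageElement& element)
{
    return element.renderer() && element.renderer()->cachedImage();
}

// After: never consults the renderer or cached image; the callee ignores the
// value anyway, so a default URL sidesteps the null pointer at lower cost.
std::string imageURLForAction(const HTMLImageElement&)
{
    return std::string(); // default (empty) URL
}

// Returns true when the copy action completes without touching the renderer.
bool performCopyAction(const HTMLImageElement& element)
{
    copyImageToPasteboard(element, imageURLForAction(element));
    return true;
}
```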
Created attachment 282402: Patch
Comment on attachment 282402 (Patch): Test?
Note: This crash only reproduces if you LONG PRESS to display the Action Sheet, and then use the "Copy" action sheet option.
Created attachment 282556: Manual test case
I cannot create an API test or LayoutTest for this, because our iOS testing infrastructure does not support controlling action sheets or simulating touch events.
Test:
1. Unzip the attached "Image_Copy_Crash.zip" someplace you can serve from a web server.
2. Navigate to the "image_copy_crash.html" file in iOS.
3. Long-press on the colored region of the screen.
4. Select 'Copy'.
If you do not crash, the test passes.
Neither WebKitTestRunner nor TestWebKitAPI support driving the UI interaction needed to trigger this bug.
I have filed Bug 159366 to expand our testing infrastructure to allow automated tests that exercise the UI interactions required to reproduce this crash.
Note that this crash revealed that specific markup can cause the cachedImage value to be null. I filed Bug 159367 to investigate this underlying bug.
Comment on attachment 282402 (Patch): Clearing flags on attachment 282402. Committed r202754: <http://trac.webkit.org/changeset/202754>
All reviewed patches have been landed. Closing bug.