159328 – [iOS] Possible null Range dereference under computeAutocorrectionContext()

Bug 159328 - [iOS] Possible null Range dereference under computeAutocorrectionContext()

Summary: [iOS] Possible null Range dereference under computeAutocorrectionContext()

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	HTML Editing (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Chris Dumez

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2016-06-30 20:57 PDT by Chris Dumez
Modified:	2016-07-01 13:59 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
Patch (5.17 KB, patch) 2016-06-30 21:03 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Dumez 2016-06-30 20:57:38 PDT

Possible null Range dereference under computeAutocorrectionContext():
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000018
Triggered by Thread:  0

Filtered syslog:
None found

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   WebKit                        	0x000000018bf2130c WebCore::RangeBoundaryPoint::toPosition() const + 24 (RangeBoundaryPoint.h:93)
1   WebKit                        	0x000000018bf1ba5c WebKit::computeAutocorrectionContext(WebCore::Frame&, WTF::String&, WTF::String&, WTF::String&, WTF::String&, unsigned long long&, unsigned long long&) + 460 (Range.h:105)
2   WebKit                        	0x000000018bf1ba5c WebKit::computeAutocorrectionContext(WebCore::Frame&, WTF::String&, WTF::String&, WTF::String&, WTF::String&, unsigned long long&, unsigned long long&) + 460 (Range.h:105)
3   WebKit                        	0x000000018bf2a170 void IPC::handleMessage<Messages::WebPage::GetAutocorrectionContext, WebKit::WebPage, void (WebKit::WebPage::*)(WTF::String&, WTF::String&, WTF::String&, WTF::String&, unsigned long long&, unsigned long long&)>(IPC::MessageDecoder&, IPC::MessageEncoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WTF::String&, WTF::String&, WTF::String&, WTF::String&, unsigned long long&, unsigned long long&)) + 88 (HandleMessage.h:30)
4   WebKit                        	0x000000018be0f074 IPC::MessageReceiverMap::dispatchSyncMessage(IPC::Connection&, IPC::MessageDecoder&, std::__1::unique_ptr<IPC::MessageEncoder, std::__1::default_delete<IPC::MessageEncoder> >&) + 128 (MessageReceiverMap.cpp:119)
5   WebKit                        	0x000000018bf7c6d8 WebKit::WebProcess::didReceiveSyncMessage(IPC::Connection&, IPC::MessageDecoder&, std::__1::unique_ptr<IPC::MessageEncoder, std::__1::default_delete<IPC::MessageEncoder> >&) + 40 (WebProcess.cpp:616)
6   WebKit                        	0x000000018bdd94c0 IPC::Connection::dispatchSyncMessage(IPC::MessageDecoder&) + 196 (Connection.cpp:856)
7   WebKit                        	0x000000018bdd6ee8 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 136 (Connection.cpp:928)
8   WebKit                        	0x000000018bdd6d88 IPC::Connection::SyncMessageState::dispatchMessages(IPC::Connection*) + 240 (Connection.cpp:176)
9   JavaScriptCore                	0x0000000187091fcc WTF::RunLoop::performWork() + 172 (NoncopyableFunction.h:49)
10  JavaScriptCore                	0x00000001870921f8 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:38)
11  CoreFoundation                	0x0000000182875cbc __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24 (CFRunLoop.c:1943)
12  CoreFoundation                	0x0000000182875604 __CFRunLoopDoSources0 + 524 (CFRunLoop.c:1989)
13  CoreFoundation                	0x0000000182873204 __CFRunLoopRun + 804 (CFRunLoop.c:2821)
14  CoreFoundation                	0x00000001827a45a4 CFRunLoopRunSpecific + 292 (CFRunLoop.c:3103)
15  Foundation                    	0x0000000183235bf8 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 304 (NSRunLoop.m:367)
16  Foundation                    	0x000000018328a244 -[NSRunLoop(NSRunLoop) run] + 88 (NSRunLoop.m:389)
17  libxpc.dylib                  	0x000000018255af08 _xpc_objc_main + 660 (main.m:186)
18  libxpc.dylib                  	0x000000018255cc00 xpc_main + 200 (init.c:1438)
19  com.apple.WebKit.WebContent   	0x00000001000975e4 main + 376 (XPCServiceMain.mm:114)
20  libdyld.dylib                 	0x0000000182344600 start + 4

Comment 1 Chris Dumez 2016-06-30 20:57:57 PDT

rdar://problem/26766720

Comment 2 Chris Dumez 2016-06-30 21:03:39 PDT

Created attachment 282510 [details]
Patch

Comment 3 Benjamin Poulain 2016-06-30 23:55:38 PDT

Comment on attachment 282510 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=282510&action=review

I am not sure to understand why this happens. I don't even know how you would test computeAutocorrectionContext() with the current infrastructure :(

> Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm:2194
> +    if (auto compositionRange = frame.editor().compositionRange()) {

For the love of FSM, use types, not auto.

Comment 4 Chris Dumez 2016-07-01 13:59:36 PDT

Comment on attachment 282510 [details]
Patch

Clearing flags on attachment: 282510

Committed r202757: <http://trac.webkit.org/changeset/202757>

Comment 5 Chris Dumez 2016-07-01 13:59:40 PDT

All reviewed patches have been landed.  Closing bug.