RESOLVED FIXED 159328
[iOS] Possible null Range dereference under computeAutocorrectionContext() 
https://bugs.webkit.org/show_bug.cgi?id=159328
Summary [iOS] Possible null Range dereference under computeAutocorrectionContext()
Chris Dumez
Reported 2016-06-30 20:57:38 PDT
Possible null Range dereference under computeAutocorrectionContext(): Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000018 Triggered by Thread: 0 Filtered syslog: None found Thread 0 name: Dispatch queue: com.apple.main-thread Thread 0 Crashed: 0 WebKit 0x000000018bf2130c WebCore::RangeBoundaryPoint::toPosition() const + 24 (RangeBoundaryPoint.h:93) 1 WebKit 0x000000018bf1ba5c WebKit::computeAutocorrectionContext(WebCore::Frame&, WTF::String&, WTF::String&, WTF::String&, WTF::String&, unsigned long long&, unsigned long long&) + 460 (Range.h:105) 2 WebKit 0x000000018bf1ba5c WebKit::computeAutocorrectionContext(WebCore::Frame&, WTF::String&, WTF::String&, WTF::String&, WTF::String&, unsigned long long&, unsigned long long&) + 460 (Range.h:105) 3 WebKit 0x000000018bf2a170 void IPC::handleMessage<Messages::WebPage::GetAutocorrectionContext, WebKit::WebPage, void (WebKit::WebPage::*)(WTF::String&, WTF::String&, WTF::String&, WTF::String&, unsigned long long&, unsigned long long&)>(IPC::MessageDecoder&, IPC::MessageEncoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WTF::String&, WTF::String&, WTF::String&, WTF::String&, unsigned long long&, unsigned long long&)) + 88 (HandleMessage.h:30) 4 WebKit 0x000000018be0f074 IPC::MessageReceiverMap::dispatchSyncMessage(IPC::Connection&, IPC::MessageDecoder&, std::__1::unique_ptr<IPC::MessageEncoder, std::__1::default_delete<IPC::MessageEncoder> >&) + 128 (MessageReceiverMap.cpp:119) 5 WebKit 0x000000018bf7c6d8 WebKit::WebProcess::didReceiveSyncMessage(IPC::Connection&, IPC::MessageDecoder&, std::__1::unique_ptr<IPC::MessageEncoder, std::__1::default_delete<IPC::MessageEncoder> >&) + 40 (WebProcess.cpp:616) 6 WebKit 0x000000018bdd94c0 IPC::Connection::dispatchSyncMessage(IPC::MessageDecoder&) + 196 (Connection.cpp:856) 7 WebKit 0x000000018bdd6ee8 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 136 (Connection.cpp:928) 8 WebKit 0x000000018bdd6d88 IPC::Connection::SyncMessageState::dispatchMessages(IPC::Connection*) + 240 (Connection.cpp:176) 9 JavaScriptCore 0x0000000187091fcc WTF::RunLoop::performWork() + 172 (NoncopyableFunction.h:49) 10 JavaScriptCore 0x00000001870921f8 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:38) 11 CoreFoundation 0x0000000182875cbc __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24 (CFRunLoop.c:1943) 12 CoreFoundation 0x0000000182875604 __CFRunLoopDoSources0 + 524 (CFRunLoop.c:1989) 13 CoreFoundation 0x0000000182873204 __CFRunLoopRun + 804 (CFRunLoop.c:2821) 14 CoreFoundation 0x00000001827a45a4 CFRunLoopRunSpecific + 292 (CFRunLoop.c:3103) 15 Foundation 0x0000000183235bf8 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 304 (NSRunLoop.m:367) 16 Foundation 0x000000018328a244 -[NSRunLoop(NSRunLoop) run] + 88 (NSRunLoop.m:389) 17 libxpc.dylib 0x000000018255af08 _xpc_objc_main + 660 (main.m:186) 18 libxpc.dylib 0x000000018255cc00 xpc_main + 200 (init.c:1438) 19 com.apple.WebKit.WebContent 0x00000001000975e4 main + 376 (XPCServiceMain.mm:114) 20 libdyld.dylib 0x0000000182344600 start + 4
Attachments
Patch (5.17 KB, patch)
2016-06-30 21:03 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2016-06-30 20:57:57 PDT
rdar://problem/26766720
Chris Dumez
Comment 2 2016-06-30 21:03:39 PDT
Created attachment 282510 [details] Patch
Benjamin Poulain
Comment 3 2016-06-30 23:55:38 PDT
Comment on attachment 282510 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=282510&action=review I am not sure to understand why this happens. I don't even know how you would test computeAutocorrectionContext() with the current infrastructure :( > Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm:2194 > + if (auto compositionRange = frame.editor().compositionRange()) { For the love of FSM, use types, not auto.
Chris Dumez
Comment 4 2016-07-01 13:59:36 PDT
Comment on attachment 282510 [details] Patch Clearing flags on attachment: 282510 Committed r202757: <http://trac.webkit.org/changeset/202757>
Chris Dumez
Comment 5 2016-07-01 13:59:40 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.