RESOLVED FIXED 192357
[iOS] Using file upload can trigger a crash under RenderThemeIOS::paintFileUploadIconDecorations()
https://bugs.webkit.org/show_bug.cgi?id=192357
michal
Reported 2018-12-04 01:48:41 PST
Created attachment 356477 [details]
crash log from iphone, ios12

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000000

Appears when trying to upload an image.
Attachments
crash log from iphone, ios12 (70.63 KB, text/plain)
2018-12-04 01:48 PST, michal
no flags
Patch (1.51 KB, patch)
2018-12-21 15:01 PST, zalan
no flags
Patch (1.61 KB, patch)
2018-12-21 15:33 PST, zalan
no flags
Wenson Hsieh
Comment 1 2018-12-04 12:19:28 PST
Symbolicated:

0 WebCore::GraphicsContext::platformContext() const
1 WebCore::RenderThemeIOS::paintFileUploadIconDecorations(WebCore::RenderObject const&, WebCore::RenderObject const&, WebCore::PaintInfo const&, WebCore::IntRect const&, WebCore::Icon*, WebCore::RenderTheme::FileUploadDecorations)
2 WebCore::RenderFileUploadControl::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
3 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
4 WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*)
5 WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*)
6 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
7 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
8 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
9 WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, unsigned int, WebCore::RenderObject*, unsigned int, WebCore::RenderLayer::SecurityOriginPaintPolicy)
10 WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy)
11 WebCore::ScrollView::paint(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy)
12 WebCore::FrameView::traverseForPaintInvalidation(WebCore::GraphicsContext::PaintInvalidationReasons)
13 WebKit::RemoteLayerTreeDrawingArea::flushLayers()
14 WebCore::ThreadTimers::sharedTimerFiredInternal()
15 WebCore::timerFired(__CFRunLoopTimer*, void*)

Seems like <rdar://problem/42852260>
David Kilzer (:ddkilzer)
Comment 2 2018-12-04 17:55:35 PST
Radar WebKit Bug Importer
Comment 3 2018-12-04 17:56:08 PST
David Kilzer (:ddkilzer)
Comment 4 2018-12-04 17:57:18 PST
Which website were you using when the crash happened? Obviously this doesn't crash on every file upload form or we would have fixed it long ago. :)
David Kilzer (:ddkilzer)
Comment 5 2018-12-04 17:57:53 PST
zalan
Comment 7 2018-12-21 15:01:06 PST
Simon Fraser (smfr)
Comment 8 2018-12-21 15:27:21 PST
Comment on attachment 357985 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=357985&action=review

> Source/WebCore/ChangeLog:3
> + Do not try to paint the file picker when painting is disabled.

Maybe use my bug title.
zalan
Comment 9 2018-12-21 15:33:55 PST
WebKit Commit Bot
Comment 10 2018-12-21 16:02:27 PST
Comment on attachment 357989 [details]
Patch

Clearing flags on attachment: 357989

Committed r239526: <https://trac.webkit.org/changeset/239526>
WebKit Commit Bot
Comment 11 2018-12-21 16:02:28 PST
All reviewed patches have been landed. Closing bug.