193996 – iOS: Nullptr crash in WebPage::getPositionInformation dereferencing an input element for data list

Bug 193996 - iOS: Nullptr crash in WebPage::getPositionInformation dereferencing an input element for data list

Summary: iOS: Nullptr crash in WebPage::getPositionInformation dereferencing an input ...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit2 (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Ryosuke Niwa

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2019-01-29 16:37 PST by Ryosuke Niwa
Modified:	2019-01-29 18:55 PST (History)
CC List:	4 users (show)

See Also:

Attachments
Fixes the bug (1.49 KB, patch) 2019-01-29 16:38 PST, Ryosuke Niwa	no flags	Details \| Formatted Diff \| Diff
Patch for landing (1.47 KB, patch) 2019-01-29 16:39 PST, Ryosuke Niwa	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ryosuke Niwa 2019-01-29 16:37:09 PST

We're crashing in the middle in the following code because hitNode can be nullptr here.

#if ENABLE(DATALIST_ELEMENT)
    if (is<HTMLInputElement>(*hitNode)) {
        const HTMLInputElement& input = downcast<HTMLInputElement>(*hitNode);
        if (input.list()) {
            HitTestResult result = m_page->mainFrame().eventHandler().hitTestResultAtPoint(request.point, HitTestRequest::ReadOnly | HitTestRequest::Active);
            if (result.innerNode() == input.dataListButtonElement())
                info.preventTextInteraction = true;
        }
    }
#endif

<rdar://problem/31247273>

Comment 1 Ryosuke Niwa 2019-01-29 16:38:08 PST

Created attachment 360524 [details]
Fixes the bug

Comment 2 Wenson Hsieh 2019-01-29 16:39:07 PST

Comment on attachment 360524 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=360524&action=review

> Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm:2251
> +    if (hitNode && is<HTMLInputElement>(*hitNode)) {

Let's just check is<HTMLInputElement>(hitNode).

Comment 3 Ryosuke Niwa 2019-01-29 16:39:41 PST

Created attachment 360525 [details]
Patch for landing

Comment 4 Ryosuke Niwa 2019-01-29 16:40:00 PST

Comment on attachment 360525 [details]
Patch for landing

Wait for EWS.

Comment 5 Ryosuke Niwa 2019-01-29 18:55:05 PST

Committed r240702: <https://trac.webkit.org/changeset/240702>