Bug 196579 - Nullptr crash in InlineTextBox::selectionState via TextIndicator::createWithRange
Summary: Nullptr crash in InlineTextBox::selectionState via TextIndicator::createWithRange
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-04-03 16:56 PDT by Ryosuke Niwa
Modified: 2019-04-04 09:26 PDT (History)

See Also:


Attachments
Avoids the crash (2.09 KB, patch)
2019-04-03 17:45 PDT, Ryosuke Niwa
simon.fraser: review+

Description Ryosuke Niwa 2019-04-03 16:56:52 PDT
e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00007fff4a6790ed WebCore::InlineTextBox::selectionState() + 509
1   com.apple.WebCore             	0x00007fff4a677329 WebCore::InlineTextBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 425
2   com.apple.WebCore             	0x00007fff4a6768f0 WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1040
3   com.apple.WebCore             	0x00007fff4a676472 WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 34
4   com.apple.WebCore             	0x00007fff4a653e65 WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 853
5   com.apple.WebCore             	0x00007fff4a650725 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 549
6   com.apple.WebCore             	0x00007fff4a652985 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 245
7   com.apple.WebCore             	0x00007fff4ba09b72 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) + 642
8   com.apple.WebCore             	0x00007fff4a6510ff WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 95
9   com.apple.WebCore             	0x00007fff4a650748 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 584
10  com.apple.WebCore             	0x00007fff4a652985 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 245
11  com.apple.WebCore             	0x00007fff4ba655c9 WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 185
12  com.apple.WebCore             	0x00007fff4b9fa515 WebCore::InlineElementBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 117
13  com.apple.WebCore             	0x00007fff4a6768f0 WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1040
14  com.apple.WebCore             	0x00007fff4a676472 WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 34
15  com.apple.WebCore             	0x00007fff4a653e65 WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const + 853
16  com.apple.WebCore             	0x00007fff4a650725 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 549
17  com.apple.WebCore             	0x00007fff4a652985 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 245
18  com.apple.WebCore             	0x00007fff4ba09b72 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) + 642
19  com.apple.WebCore             	0x00007fff4a6510ff WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 95
20  com.apple.WebCore             	0x00007fff4a650748 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 584
21  com.apple.WebCore             	0x00007fff4a652985 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 245
22  com.apple.WebCore             	0x00007fff4ba09b72 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) + 642
23  com.apple.WebCore             	0x00007fff4a6510ff WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 95
24  com.apple.WebCore             	0x00007fff4a650748 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 584
25  com.apple.WebCore             	0x00007fff4a652985 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 245
26  com.apple.WebCore             	0x00007fff4ba09b72 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) + 642
27  com.apple.WebCore             	0x00007fff4a6510ff WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 95
28  com.apple.WebCore             	0x00007fff4a650748 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 584
29  com.apple.WebCore             	0x00007fff4a652985 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 245
30  com.apple.WebCore             	0x00007fff4baa8804 WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) + 404
31  com.apple.WebCore             	0x00007fff4baa65d4 WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) + 420
32  com.apple.WebCore             	0x00007fff4baa3634 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3268
33  com.apple.WebCore             	0x00007fff4baa36e3 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3443
34  com.apple.WebCore             	0x00007fff4baa0e10 WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>, WebCore::RenderLayer::SecurityOriginPaintPolicy) + 272
35  com.apple.WebCore             	0x00007fff4b7ecd88 WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy) + 616
36  com.apple.WebCore             	0x00007fff4b7e3a94 WebCore::FrameView::paintContentsForSnapshot(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::FrameView::SelectionInSnapshot, WebCore::FrameView::CoordinateSpaceForSnapshot) + 244
37  com.apple.WebCore             	0x00007fff4b7e38e3 WebCore::snapshotFrameRectWithClip(WebCore::Frame&, WebCore::IntRect const&, WTF::Vector<WebCore::FloatRect, 0ul, WTF::CrashOnOverflow, 16ul> const&, unsigned int) + 467
38  com.apple.WebCore             	0x00007fff4b82c9df WebCore::takeSnapshot(WebCore::Frame&, WebCore::IntRect, unsigned int, float&, WTF::Vector<WebCore::FloatRect, 0ul, WTF::CrashOnOverflow, 16ul> const&) + 47
39  com.apple.WebCore             	0x00007fff4b828663 WebCore::initializeIndicator(WebCore::TextIndicatorData&, WebCore::Frame&, WebCore::Range const&, WebCore::FloatSize, bool) + 4147
40  com.apple.WebCore             	0x00007fff4b827435 WebCore::TextIndicator::createWithRange(WebCore::Range const&, unsigned short, WebCore::TextIndicatorPresentationTransition, WebCore::FloatSize) + 1093
41  com.apple.WebKit              	0x00007fff4c4e16c4 WebKit::WebPage::performImmediateActionHitTestAtLocation(WebCore::FloatPoint) + 734
42  com.apple.WebKit              	0x00007fff4c5ac01d WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) + 20599
43  com.apple.WebKit              	0x00007fff4c225a14 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 126
44  com.apple.WebKit              	0x00007fff4c4f1540 WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 28

<rdar://problem/49575527>
Comment 1 Ryosuke Niwa 2019-04-03 16:59:00 PDT
Zalan and I thought this is because TextIndicator::createWithRange isn't updating the layout but initializeIndicator DOES update the layout.
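The ordering hazard the comment above describes, reduced to a constructed toy model: a render tree that is torn down on DOM mutation and rebuilt by layout, a caller that captures selection state from that tree before layout has run, and a snapshot routine that forces layout and then paints using the captured state. This is an added illustration and not WebKit's code; every name in it (Renderer, TextNode, Document, TextRange, SelectionState, createWithRangeBuggy, createWithRangeFixed) is an assumption chosen for the example, and the concrete mechanism inside WebKit is the reporter's hypothesis, not something this bug page confirms. The toy returns an empty optional where native code would dereference a null renderer.

```cpp
// Constructed example, not WebKit code. All type and function names are
// assumptions made for this illustration of "capture render-tree state,
// then run layout, then paint with the stale capture".
#include <memory>
#include <optional>
#include <string>
#include <vector>

struct Renderer {
    std::string text;
};

struct TextNode {
    std::string text;
    std::unique_ptr<Renderer> renderer; // null while layout is dirty
};

struct Document {
    std::vector<TextNode> nodes;
    bool layoutDirty = true;

    // A DOM mutation invalidates the render tree: the renderer is dropped
    // and rebuilt on the next layout, as a real engine does.
    void setText(size_t i, std::string t) {
        nodes[i].text = std::move(t);
        nodes[i].renderer.reset();
        layoutDirty = true;
    }

    // Layout rebuilds every renderer, so any raw pointer captured before
    // this call is either null or dangling afterwards.
    void updateLayout() {
        if (!layoutDirty) return;
        for (auto& n : nodes)
            n.renderer.reset(new Renderer{n.text});
        layoutDirty = false;
    }
};

struct TextRange { size_t nodeIndex; };

// Selection state captured from the render tree as a raw pointer, the
// kind of cached state a paint pass later consults.
struct SelectionState { Renderer* start = nullptr; };

// Paint pass: each text box asks whether it is the selection start. A null
// start is where native code would crash with a nullptr dereference.
static std::optional<std::string> paintForSnapshot(Document& doc, const SelectionState& sel) {
    if (!sel.start) return std::nullopt;
    std::string out;
    for (auto& n : doc.nodes) {
        bool selected = n.renderer.get() == sel.start;
        out += selected ? "[" + n.renderer->text + "]" : n.renderer->text;
    }
    return out;
}

// Models the snapshot step: it DOES update layout, then paints.
static std::optional<std::string> initializeIndicator(Document& doc, const SelectionState& sel) {
    doc.updateLayout();
    return paintForSnapshot(doc, sel);
}

// Buggy ordering: selection state is read from the render tree BEFORE
// layout runs, so the pointer is null (or stale) by the time paint uses it.
std::optional<std::string> createWithRangeBuggy(Document& doc, TextRange range) {
    SelectionState sel{doc.nodes[range.nodeIndex].renderer.get()};
    return initializeIndicator(doc, sel);
}

// Fixed ordering: force layout first, so the captured pointer refers to the
// render tree the snapshot will actually paint (its own layout call is a no-op).
std::optional<std::string> createWithRangeFixed(Document& doc, TextRange range) {
    doc.updateLayout();
    SelectionState sel{doc.nodes[range.nodeIndex].renderer.get()};
    return initializeIndicator(doc, sel);
}

// Constructed scenario: a DOM edit leaves layout dirty, then an indicator is
// requested for the edited node, as an immediate-action hit test might do.
static Document makeDirtyDocument() {
    Document doc;
    doc.nodes.push_back({"Hello ", nullptr});
    doc.nodes.push_back({"world", nullptr});
    doc.updateLayout();
    doc.setText(1, "WebKit"); // invalidates node 1's renderer
    return doc;
}

bool buggyPathCrashes() {
    Document doc = makeDirtyDocument();
    return !createWithRangeBuggy(doc, TextRange{1}).has_value();
}

std::string fixedPathOutput() {
    Document doc = makeDirtyDocument();
    return createWithRangeFixed(doc, TextRange{1}).value_or("crash");
}
```

The defensive rule the toy encodes is the one the comment points at: any routine that derives state from the render tree must either run layout itself first or be guaranteed that nothing downstream will run layout before that state is consumed. Compiled with a sanitizer, the stale-pointer variant of the same mistake (capturing a still-valid renderer that layout then replaces) shows up as a use-after-free rather than a null dereference.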
Comment 2 Ryosuke Niwa 2019-04-03 17:45:31 PDT
Created attachment 366680 [details]
Avoids the crash
Comment 3 Ryosuke Niwa 2019-04-03 19:01:09 PDT
Committed r243844: <https://trac.webkit.org/changeset/243844>