204353 – [iOS] Crash in InteractiveUpdateHandler set by ViewGestureController::beginSwipeGesture

NEW204353

[iOS] Crash in InteractiveUpdateHandler set by ViewGestureController::beginSwipeGesture

https://bugs.webkit.org/show_bug.cgi?id=204353

Summary [iOS] Crash in InteractiveUpdateHandler set by ViewGestureController::beginSw...

Ali Juma

Reported 2019-11-19 08:01:51 PST

In Chrome for iOS, we're seeing a large number of crashes in the InteractiveUpdateHandler set by ViewGestureController::beginSwipeGesture, with what seems to be a null m_webPageProxyForBackForwardListForCurrentSwipe. This is similar to bug 194083, but we're still seeing the crash in iOS 13.2 and in iOS 13.3 beta. As in the previous bug, it seems like something is calling removeSwipeSnapshot() before the InteractiveUpdateHandler is called by UIGestureRecognizer, since removeSwipeSnapshot() clears m_webPageProxyForBackForwardListForCurrentSwipe. Here's the full stack: CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x00000120 ] 0x000000019c276820 (WebKit + 0x002f2820 ) WebKit::ViewGestureController::beginSwipeGesture(_UINavigationInteractiveTransitionBase*, WebKit::ViewGestureController::SwipeDirection) 0x000000019c27681c (WebKit + 0x002f281c ) WebKit::ViewGestureController::beginSwipeGesture(_UINavigationInteractiveTransitionBase*, WebKit::ViewGestureController::SwipeDirection) 0x0000000198387c80 (UIKitCore + 0x00438c80 ) -[_UINavigationInteractiveTransitionBase startInteractiveTransition] 0x0000000198387de0 (UIKitCore + 0x00438de0 ) -[_UINavigationInteractiveTransitionBase handleNavigationTransition:] 0x0000000198563afc (UIKitCore + 0x00614afc ) -[UIGestureRecognizerTarget _sendActionWithGestureRecognizer:] 0x000000019856c29c (UIKitCore + 0x0061d29c ) _UIGestureRecognizerSendTargetActions 0x0000000198569a20 (UIKitCore + 0x0061aa20 ) _UIGestureRecognizerSendActions 0x0000000198568f20 (UIKitCore + 0x00619f20 ) -[UIGestureRecognizer _updateGestureForActiveEvents] 0x000000019855ce18 (UIKitCore + 0x0060de18 ) _UIGestureEnvironmentUpdate 0x000000019855c5d4 (UIKitCore + 0x0060d5d4 ) -[UIGestureEnvironment _deliverEvent:toGestureRecognizers:usingBlock:] 0x000000019855c388 (UIKitCore + 0x0060d388 ) -[UIGestureEnvironment _updateForEvent:window:] 0x00000001989cf1a4 (UIKitCore + 0x00a801a4 ) -[UIWindow sendEvent:] 0x00000001989aad50 (UIKitCore + 0x00a5bd50 ) -[UIApplication sendEvent:] 0x0000000198a2519c (UIKitCore + 0x00ad619c ) __dispatchPreprocessedEventFromEventQueue 0x0000000198a27754 (UIKitCore + 0x00ad8754 ) __handleEventQueueInternal 0x0000000198a208d8 (UIKitCore + 0x00ad18d8 ) __handleHIDEventFetcherDrain 0x0000000194820104 (CoreFoundation + 0x000ae104 ) __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ 0x0000000194820058 (CoreFoundation + 0x000ae058 ) __CFRunLoopDoSource0 0x000000019481f7c4 (CoreFoundation + 0x000ad7c4 ) __CFRunLoopDoSources0 0x000000019481a690 (CoreFoundation + 0x000a8690 ) __CFRunLoopRun 0x0000000194819f3c (CoreFoundation + 0x000a7f3c ) CFRunLoopRunSpecific 0x000000019ea95530 (GraphicsServices + 0x00003530 ) GSEventRunModal 0x0000000198991e04 (UIKitCore + 0x00a42e04 ) UIApplicationMain

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2019-11-19 10:53:38 PST

<rdar://problem/57327675>

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebKit2

Assignee

Nobody

Reported

2019-11-19 08:01 PST

Modified

2019-11-19 10:53 PST History

CC List

7 users Show

URL

Keywords InRadar

Depends on

Blocks