WebKit Bugzilla
RESOLVED FIXED
Bug 208244
[iOS] nullptr deref in FileInputType::iconLoaded when the input's type attribute is modified by a change event listener
https://bugs.webkit.org/show_bug.cgi?id=208244
Dave Jack
Reported
2020-02-26 08:41:13 PST
Created attachment 391747 [details]
Crash Report

This page occasionally crashes WebKit on my phone once a file is selected:

    <!DOCTYPE html>
    <html lang="en">
    <head>
      <meta charset="utf-8">
      <title>upload test</title>
    </head>
    <body>
      <input type="file" id="file-input" />
      <script>
        const fileInput = document.querySelector('#file-input');
        fileInput.addEventListener('change', (evt) => {
          // from bootstrap-vue's form-file.js
          fileInput.type = '';
        });
      </script>
    </body>
    </html>

Crash report attached, top of the stack trace (for searchability):

    WebCore::FileInputType::filesChosen+ 17175144 (WTF::Vector<WebCore::FileChooserFileInfo, 0ul, WTF::CrashOnOverflow, 16ul> const&, WTF::String const&, WebCore::Icon*) + 744
Attachments
Crash Report (81.87 KB, text/plain), 2020-02-26 08:41 PST, Dave Jack, no flags
Patch (18.73 KB, patch), 2020-06-10 10:46 PDT, Andy Estes, no flags
Patch (23.84 KB, patch), 2020-06-10 11:56 PDT, Andy Estes, no flags
Patch (24.77 KB, patch), 2020-06-11 12:05 PDT, Andy Estes, no flags
Alexey Proskuryakov
Comment 1
2020-02-26 12:36:09 PST
Thank you for the repro!
rdar://problem/41855350
Andy Estes
Comment 2
2020-06-03 13:05:09 PDT
I can reproduce the crash on iOS 13.5.
Andy Estes
Comment 3
2020-06-09 19:02:15 PDT
Thread 1: EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
Thread 1 Queue : com.apple.main-thread (serial)
#0 0x0000000114c55b54 in ::WTFCrash() at /Volumes/Data/Projects/OpenSource/Source/WTF/wtf/Assertions.cpp:303
#1 0x000000011be9f390 in WTFCrashWithInfo(int, char const*, char const*, int) at /Volumes/Data/Projects/OpenSource/WebKitBuild/Debug-iphoneos/usr/local/include/wtf/Assertions.h:671
#2 0x000000011e62646c in WebCore::FileInputType::iconLoaded(WTF::RefPtr<WebCore::Icon, WTF::DumbPtrTraits<WebCore::Icon> >&&) at /Volumes/Data/Projects/OpenSource/Source/WebCore/html/FileInputType.cpp:440
#3 0x000000011e624d70 in WebCore::FileInputType::filesChosen(WTF::Vector<WebCore::FileChooserFileInfo, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::String const&, WebCore::Icon*) at /Volumes/Data/Projects/OpenSource/Source/WebCore/html/FileInputType.cpp:426
#4 0x000000011f1acc54 in WebCore::FileChooser::chooseMediaFiles(WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::String const&, WebCore::Icon*) at /Volumes/Data/Projects/OpenSource/Source/WebCore/platform/FileChooser.cpp:92
#5 0x0000000105bd1628 in WebKit::WebOpenPanelResultListener::didChooseFilesWithDisplayStringAndIcon(WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::String const&, WebCore::Icon*) at /Volumes/Data/Projects/OpenSource/Source/WebKit/WebProcess/WebPage/WebOpenPanelResultListener.cpp:57
#6 0x0000000105dda924 in WebKit::WebPage::didChooseFilesForOpenPanelWithDisplayStringAndIcon(WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::String const&, IPC::DataReference const&, WebKit::SandboxExtension::Handle&&, WebKit::SandboxExtension::Handle&&) at /Volumes/Data/Projects/OpenSource/Source/WebKit/WebProcess/WebPage/WebPage.cpp:4267
#7 0x0000000105eed808 in void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::String const&, IPC::DataReference const&, WebKit::SandboxExtension::Handle&&, WebKit::SandboxExtension::Handle&&), std::__1::tuple<WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WTF::String, IPC::DataReference, WebKit::SandboxExtension::Handle, WebKit::SandboxExtension::Handle>, 0ul, 1ul, 2ul, 3ul, 4ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::String const&, IPC::DataReference const&, WebKit::SandboxExtension::Handle&&, WebKit::SandboxExtension::Handle&&), std::__1::tuple<WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WTF::String, IPC::DataReference, WebKit::SandboxExtension::Handle, WebKit::SandboxExtension::Handle>&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul>) at /Volumes/Data/Projects/OpenSource/Source/WebKit/Platform/IPC/HandleMessage.h:41
#8 0x0000000105eea36c in void IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::String const&, IPC::DataReference const&, WebKit::SandboxExtension::Handle&&, WebKit::SandboxExtension::Handle&&), std::__1::tuple<WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WTF::String, IPC::DataReference, WebKit::SandboxExtension::Handle, WebKit::SandboxExtension::Handle>, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul, 4ul> >(std::__1::tuple<WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WTF::String, IPC::DataReference, WebKit::SandboxExtension::Handle, WebKit::SandboxExtension::Handle>&&, WebKit::WebPage*, void (WebKit::WebPage::*)(WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::String const&, IPC::DataReference const&, WebKit::SandboxExtension::Handle&&, WebKit::SandboxExtension::Handle&&)) at /Volumes/Data/Projects/OpenSource/Source/WebKit/Platform/IPC/HandleMessage.h:47
#9 0x0000000105e48378 in void IPC::handleMessage<Messages::WebPage::DidChooseFilesForOpenPanelWithDisplayStringAndIcon, WebKit::WebPage, void (WebKit::WebPage::*)(WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::String const&, IPC::DataReference const&, WebKit::SandboxExtension::Handle&&, WebKit::SandboxExtension::Handle&&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::String const&, IPC::DataReference const&, WebKit::SandboxExtension::Handle&&, WebKit::SandboxExtension::Handle&&)) at /Volumes/Data/Projects/OpenSource/Source/WebKit/Platform/IPC/HandleMessage.h:114
#10 0x0000000105e3bf90 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) at /Volumes/Data/Projects/OpenSource/WebKitBuild/Debug-iphoneos/DerivedSources/WebKit2/WebPageMessageReceiver.cpp:2066
#11 0x0000000105ddbf14 in WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&) at /Volumes/Data/Projects/OpenSource/Source/WebKit/WebProcess/WebPage/WebPage.cpp:4606
#12 0x0000000104510318 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) at /Volumes/Data/Projects/OpenSource/Source/WebKit/Platform/IPC/MessageReceiverMap.cpp:123
#13 0x000000010589ac74 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) at /Volumes/Data/Projects/OpenSource/Source/WebKit/WebProcess/WebProcess.cpp:758
#14 0x000000010445c92c in IPC::Connection::dispatchMessage(IPC::Decoder&) at /Volumes/Data/Projects/OpenSource/Source/WebKit/Platform/IPC/Connection.cpp:1001
#15 0x000000010445d2c4 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) at /Volumes/Data/Projects/OpenSource/Source/WebKit/Platform/IPC/Connection.cpp:1070
#16 0x000000010445d95c in IPC::Connection::dispatchOneIncomingMessage() at /Volumes/Data/Projects/OpenSource/Source/WebKit/Platform/IPC/Connection.cpp:1139
#17 0x000000010447e238 in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_7::operator()() at /Volumes/Data/Projects/OpenSource/Source/WebKit/Platform/IPC/Connection.cpp:978
#18 0x000000010447e148 in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_7, void>::call() at /Volumes/Data/Projects/OpenSource/WebKitBuild/Debug-iphoneos/usr/local/include/wtf/Function.h:52
#19 0x0000000114c79b88 in WTF::Function<void ()>::operator()() const at /Volumes/Data/Projects/OpenSource/WebKitBuild/Debug-iphoneos/usr/local/include/wtf/Function.h:84
#20 0x0000000114ce2f48 in WTF::RunLoop::performWork() at /Volumes/Data/Projects/OpenSource/Source/WTF/wtf/RunLoop.cpp:119
#21 0x0000000114ce3a18 in WTF::RunLoop::performWork(void*) at /Volumes/Data/Projects/OpenSource/Source/WTF/wtf/cf/RunLoopCF.cpp:38
Andy Estes
Comment 4
2020-06-09 19:05:52 PDT
By the time FileChooser::chooseMediaFiles is called, its client (a FileInputType) has been detached from its element by HTMLInputElement::updateType(). When FileInputType::iconLoaded is called, we crash on the ASSERT(element()).
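The object lifecycle that comment 4 describes, as an added example that is not WebKit's code and not the fix that landed in r262918. `InputElement`, `InputType`, `FileInputType`, `FileChooser` and `runRepro` are simplified stand-ins of my own: the element owns one type object, changing `type` detaches the old one (as `HTMLInputElement::updateType()` does), and the chooser keeps that old object alive without knowing it was detached. The real WebKit ordering of the `change` event and the icon callback differs (comment 4 says the client was already detached when `chooseMediaFiles` ran); the model compresses that into a single delivery. The point it shows is that any step that runs after page script has had a chance to execute must re-check `element()` rather than assert on it. The file path and icon name are constructed sample input.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

class InputElement;

// Stand-in for WebKit's InputType: per-type behaviour owned by an element.
class InputType {
public:
    explicit InputType(InputElement* element) : m_element(element) {}
    virtual ~InputType() = default;
    InputElement* element() const { return m_element; }
    void detach() { m_element = nullptr; }  // what updateType() does to the outgoing type
private:
    InputElement* m_element;
};

class FileInputType : public InputType {
public:
    using InputType::InputType;
    std::vector<std::string> files;
    std::string icon;
    // Called by the FileChooser with the user's selection. Returns false when the
    // element swapped its type part-way through and the remaining work was skipped.
    bool filesChosen(const std::vector<std::string>& paths, const std::string& iconName);
private:
    bool iconLoaded(const std::string& iconName);
};

class InputElement {
public:
    InputElement() { setType("file"); }
    const std::string& type() const { return m_type; }
    void setChangeListener(std::function<void(InputElement&)> l) { m_listener = std::move(l); }
    void dispatchChangeEvent() { if (m_listener) m_listener(*this); }
    std::shared_ptr<FileInputType> fileInputType() const { return std::dynamic_pointer_cast<FileInputType>(m_inputType); }
    // Stand-in for HTMLInputElement::updateType(): detach the current type object
    // and install a fresh one. An in-flight FileChooser may still hold the old one.
    void setType(const std::string& value) {
        std::string next = value.empty() ? "text" : value;  // type="" falls back to text
        if (m_inputType && next == m_type) return;
        if (m_inputType) m_inputType->detach();
        m_type = next;
        if (next == "file") m_inputType = std::make_shared<FileInputType>(this);
        else m_inputType = std::make_shared<InputType>(this);
    }
private:
    std::string m_type;
    std::shared_ptr<InputType> m_inputType;
    std::function<void(InputElement&)> m_listener;
};

bool FileInputType::filesChosen(const std::vector<std::string>& paths, const std::string& iconName) {
    if (!element()) return false;
    files = paths;
    // Firing 'change' runs page script, which may set input.type = '' and detach
    // this object. Nothing after this line may assume element() is still non-null.
    element()->dispatchChangeEvent();
    return iconLoaded(iconName);
}

bool FileInputType::iconLoaded(const std::string& iconName) {
    // The crash site in the report: ASSERT(element()) fired here. Bail out instead.
    if (!element()) return false;
    icon = iconName;
    return true;
}

// Stand-in for FileChooser: keeps its client alive (like a Ref<>) but cannot tell
// whether that client is still attached to an element.
struct FileChooser {
    std::shared_ptr<FileInputType> client;
    bool deliver(const std::vector<std::string>& paths, const std::string& iconName) { return client->filesChosen(paths, iconName); }
};

struct Outcome { bool iconApplied; bool clientDetached; std::string finalType; };

// Replays the bug report's page: open the panel on a type=file input, then deliver
// a constructed selection while (optionally) a change listener clears the type.
Outcome runRepro(bool listenerClearsType) {
    InputElement input;
    if (listenerClearsType) input.setChangeListener([](InputElement& el) { el.setType(""); });
    FileChooser chooser{ input.fileInputType() };
    bool applied = chooser.deliver({ "/tmp/photo.jpg" }, "photo-icon");
    return { applied, chooser.client->element() == nullptr, input.type() };
}

int main() {
    Outcome a = runRepro(false), b = runRepro(true);
    std::printf("listener absent: applied=%d detached=%d type=%s\n", a.iconApplied, a.clientDetached, a.finalType.c_str());
    std::printf("type cleared:    applied=%d detached=%d type=%s\n", b.iconApplied, b.clientDetached, b.finalType.c_str());
}
```

With the listener absent the icon is applied and the client stays attached; with the listener present the type ends up as `text`, the chooser's client is detached, and the icon step is dropped instead of tripping the assertion. The same check belongs in every callback that can be reached from an asynchronous reply (here an IPC message from the UI process), since page script can run between the request and the reply.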
Andy Estes
Comment 5
2020-06-10 10:46:40 PDT
Created attachment 401556 [details]
Patch
Andy Estes
Comment 6
2020-06-10 11:56:02 PDT
Created attachment 401564 [details]
Patch
Andy Estes
Comment 7
2020-06-11 12:05:11 PDT
Created attachment 401662 [details]
Patch
EWS
Comment 8
2020-06-11 12:43:06 PDT
Committed r262918: <https://trac.webkit.org/changeset/262918>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 401662 [details].