Bug 221786 - Nullopt crash in DOMSelection::getRangeAt
Summary: Nullopt crash in DOMSelection::getRangeAt
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: WebKit Nightly Build
Hardware: Unspecified, OS: Unspecified
Importance: P2 Normal
Assignee: Ryosuke Niwa
Keywords: InRadar
Reported: 2021-02-11 17:01 PST by Ryosuke Niwa
Modified: 2021-02-15 18:02 PST (History)
Attachments
Adds a nullptr check (1.70 KB, patch), 2021-02-11 17:05 PST, Ryosuke Niwa
Patch (1.67 KB, patch), 2021-02-11 19:36 PST, Ryosuke Niwa

Description Ryosuke Niwa 2021-02-11 17:01:47 PST
We're somehow hitting a nullptr crash in DOMSelection::getRangeAt:

0   WebCore                       	0x0000000192226334 WebCore::DOMSelection::getRangeAt(unsigned int) + 1332 (DOMSelection.cpp:0)
1   WebCore                       	0x0000000192225fa4 WebCore::DOMSelection::getRangeAt(unsigned int) + 420 (DOMSelection.cpp:370)
2   WebCore                       	0x0000000190d6d624 WebCore::jsDOMSelectionPrototypeFunction_getRangeAt(JSC::JSGlobalObject*, JSC::CallFrame*) + 288 (JSDOMSelection.cpp:406)
3   ???                           	0x0000000e324fcb84 0 + 60973632388

<rdar://problem/73611927>
Comment 1 Ryosuke Niwa 2021-02-11 17:02:45 PST
This is probably a regression from https://trac.webkit.org/changeset/266295/webkit/trunk/Source/WebCore/page/DOMSelection.cpp
Comment 2 Ryosuke Niwa 2021-02-11 17:05:27 PST
Created attachment 420069
Adds a nullptr check
Comment 3 Alexey Proskuryakov 2021-02-11 18:04:16 PST
Comment on attachment 420069
Adds a nullptr check

View in context: https://bugs.webkit.org/attachment.cgi?id=420069&action=review

> Source/WebCore/ChangeLog:3
> +        Nullptr crash in DOMSelection::getRangeAt

I think that the crash log that I saw showed a break, not nullptr?
Comment 4 Ryosuke Niwa 2021-02-11 19:27:17 PST
(In reply to Alexey Proskuryakov from comment #3)
> Comment on attachment 420069
> Adds a nullptr check
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=420069&action=review
> 
> > Source/WebCore/ChangeLog:3
> > +        Nullptr crash in DOMSelection::getRangeAt
> 
> I think that the crash log that I saw showed a break, not nullptr?

Ugh... typo. It's nullopt* crash, not nullptr.
Comment 5 Ryosuke Niwa 2021-02-11 19:36:30 PST
Created attachment 420081
Patch
Comment 6 Ryosuke Niwa 2021-02-12 01:38:20 PST
Comment on attachment 420081
Patch

Clearing flags on attachment: 420081

Committed r272777: <https://trac.webkit.org/changeset/272777>
Comment 7 Ryosuke Niwa 2021-02-12 01:38:22 PST
All reviewed patches have been landed. Closing bug.
Comment 8 Radar WebKit Bug Importer 2021-02-12 01:39:13 PST
<rdar://problem/74268861>
Comment 9 Ryosuke Niwa 2021-02-15 17:57:43 PST
Now I know the root cause of this bug. Fixing it in https://bugs.webkit.org/show_bug.cgi?id=221942 with a test.