We're somehow hitting a nullptr crash in DOMSelection::getRangeAt:

0 WebCore 0x0000000192226334 WebCore::DOMSelection::getRangeAt(unsigned int) + 1332 (DOMSelection.cpp:0)
1 WebCore 0x0000000192225fa4 WebCore::DOMSelection::getRangeAt(unsigned int) + 420 (DOMSelection.cpp:370)
2 WebCore 0x0000000190d6d624 WebCore::jsDOMSelectionPrototypeFunction_getRangeAt(JSC::JSGlobalObject*, JSC::CallFrame*) + 288 (JSDOMSelection.cpp:406)
3 ??? 0x0000000e324fcb84 0 + 60973632388

<rdar://problem/73611927>
This is probably a regression from https://trac.webkit.org/changeset/266295/webkit/trunk/Source/WebCore/page/DOMSelection.cpp
Created attachment 420069 [details] Adds a nullptr check
Comment on attachment 420069 [details]
Adds a nullptr check

View in context: https://bugs.webkit.org/attachment.cgi?id=420069&action=review

> Source/WebCore/ChangeLog:3
> + Nullptr crash in DOMSelection::getRangeAt

I think that the crash log that I saw showed a break, not nullptr?
(In reply to Alexey Proskuryakov from comment #3)
> Comment on attachment 420069 [details]
> Adds a nullptr check
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=420069&action=review
>
> > Source/WebCore/ChangeLog:3
> > + Nullptr crash in DOMSelection::getRangeAt
>
> I think that the crash log that I saw showed a break, not nullptr?

Ugh... typo. It's a nullopt* crash, not nullptr.
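The distinction drawn in the two comments above (a missing value in an optional, not a null pointer) is worth seeing in code. The following is an added, constructed illustration and is not WebKit's DOMSelection code: SelectionModel, Range, RangeResult and both getRangeAt* functions are assumptions made for this example. It models an accessor that yields std::optional, shows why dereferencing it without a has_value() check is the crash class the thread is about, and shows the checked form that reports the DOM-specified IndexSizeError instead of crashing.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

// Constructed model (not WebKit code): a selection owns zero or more ranges,
// each identified here by a simple label.
struct Range {
    std::string label;
};

struct SelectionModel {
    std::vector<Range> ranges;

    size_t rangeCount() const { return ranges.size(); }

    // Lookup that yields std::optional rather than a pointer: a miss is
    // std::nullopt, which is the shape of failure the thread is discussing.
    std::optional<Range> rangeAt(size_t index) const {
        if (index < ranges.size())
            return ranges[index];
        return std::nullopt;
    }
};

// Result type standing in for an ExceptionOr-style return (assumption).
struct RangeResult {
    bool ok;
    std::string value;  // range label when ok
    std::string error;  // DOM exception name when !ok
};

// Unchecked form: '*maybe' on an empty optional is undefined behaviour
// (WTF::Optional in WebKit asserts in debug builds). Kept only for contrast;
// it is never called with an out-of-range index in this example.
std::string getRangeAtUnchecked(const SelectionModel& sel, size_t index) {
    auto maybe = sel.rangeAt(index);
    return (*maybe).label;
}

// Checked form: verify has_value() before dereferencing and surface
// IndexSizeError, which is what the DOM Selection API specifies for
// getRangeAt(index) when index >= rangeCount.
RangeResult getRangeAtChecked(const SelectionModel& sel, size_t index) {
    auto maybe = sel.rangeAt(index);
    if (!maybe.has_value())
        return {false, "", "IndexSizeError"};
    return {true, maybe->label, ""};
}

int main() {
    SelectionModel sel;
    sel.ranges = {{"r0"}, {"r1"}};
    // Both forms agree on an in-range index; only the checked form is safe
    // for index 2 or for an empty selection.
    return getRangeAtChecked(sel, 2).ok ? 1 : 0;
}
```

Note that has_value() and a null-pointer test are different guards: a pointer check on an optional's contained value does nothing to protect the dereference of the optional itself, which is why the wording in the ChangeLog mattered in review.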
Created attachment 420081 [details] Patch
Comment on attachment 420081 [details]
Patch

Clearing flags on attachment: 420081

Committed r272777: <https://trac.webkit.org/changeset/272777>
All reviewed patches have been landed. Closing bug.
<rdar://problem/74268861>
Now I know the root cause of this bug. Fixing it in https://bugs.webkit.org/show_bug.cgi?id=221942 with a test.