[Webkit-unassigned] [Bug 199503] [iOS] Crash in WebKit::WebPage::positionInformation via Range::startPosition

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 4 13:16:04 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=199503

--- Comment #1 from Ryosuke Niwa <rniwa at webkit.org> ---
We’re crashing in startPosition of the composition range:

    RefPtr<Range> compositionRange = frame.editor().compositionRange();
    if (position < compositionRange->startPosition())
        position = compositionRange->startPosition();
    else if (position > compositionRange->endPosition())
        position = compositionRange->endPosition();

Range’s startPosition():
const Position startPosition() const { return m_start.toPosition(); }

inline const Position RangeBoundaryPoint::toPosition() const
{
    ensureOffsetIsValid();
    return createLegacyEditingPosition(m_containerNode.get(), m_offsetInContainer.value());
}

inline void RangeBoundaryPoint::ensureOffsetIsValid() const
{
    if (m_offsetInContainer)
        return;

    ASSERT(m_childBeforeBoundary);
    m_offsetInContainer = m_childBeforeBoundary->computeNodeIndex() + 1;
}

     0x00000001bd8c52f4:      ldr x0, [x26, #0xc8]
     0x00000001bd8c52f8:      sub x8, x29, #0xb8       ; =0xb8 
     0x00000001bd8c52fc:       bl 0x53037c             ; symbol stub for: WebCore::Editor::compositionRange() const
     0x00000001bd8c5300:     ldur x26, [x29, #-0xb8]
 ->  0x00000001bd8c5304:     ldrb w8, [x26, #0x18]
     0x00000001bd8c5308:      cbz w8, 0x34f314         ; <+384> [inlined] WTF::DumbPtrTraits<WebCore::Node>::unwrap(WebCore::Node* const&) at RefPtr.h:79
     0x00000001bd8c530c:      ldr w2, [x26, #0x1c]
     0x00000001bd8c5310:        b 0x34f334             ; <+416> [inlined] WTF::DumbPtrTraits<WebCore::Node>::unwrap(WebCore::Node* const&) at RefPtr.h:71
     0x00000001bd8c5314:      ldr x0, [x26, #0x20]

0x18 is the location of m_offsetInContainer in Range (24 = 3 pointers down from the address in x26). cbz w8 is std::nullopt check for Optional<unsigned> m_offsetInContainer in RangeBoundaryPoint. This would mean that what’s null is the range object itself.

compositionRange() is only called when frame.editor().hasComposition() is true in WebPage::positionInformation. However, Editor::compositionRange() could return nullptr when start >= end:
RefPtr<Range> Editor::compositionRange() const
{
    if (!m_compositionNode)
        return nullptr;
    unsigned length = m_compositionNode->length();
    unsigned start = std::min(m_compositionStart, length);
    unsigned end = std::min(std::max(start, m_compositionEnd), length);
    if (start >= end)
        return nullptr;
    return Range::create(m_compositionNode->document(), m_compositionNode.get(), start, m_compositionNode.get(), end);
}
