[Webkit-unassigned] [Bug 204353] New: [iOS] Crash in InteractiveUpdateHandler set by ViewGestureController::beginSwipeGesture
bugzilla-daemon at webkit.org
Tue Nov 19 08:01:51 PST 2019
https://bugs.webkit.org/show_bug.cgi?id=204353
Bug ID: 204353
Summary: [iOS] Crash in InteractiveUpdateHandler set by ViewGestureController::beginSwipeGesture
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit2
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ajuma at chromium.org
CC: cdumez at apple.com, rniwa at webkit.org, simon.fraser at apple.com, thorton at apple.com, wenson_hsieh at apple.com
In Chrome for iOS, we're seeing a large number of crashes in the InteractiveUpdateHandler set by ViewGestureController::beginSwipeGesture, with what seems to be a null m_webPageProxyForBackForwardListForCurrentSwipe.
This is similar to bug 194083, but we're still seeing the crash in iOS 13.2 and in iOS 13.3 beta.
As in the previous bug, it seems like something is calling removeSwipeSnapshot() before the InteractiveUpdateHandler is called by UIGestureRecognizer, since removeSwipeSnapshot() clears m_webPageProxyForBackForwardListForCurrentSwipe.
Here's the full stack:
CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x00000120 ]
0x000000019c276820 (WebKit + 0x002f2820 ) WebKit::ViewGestureController::beginSwipeGesture(_UINavigationInteractiveTransitionBase*, WebKit::ViewGestureController::SwipeDirection)
0x000000019c27681c (WebKit + 0x002f281c ) WebKit::ViewGestureController::beginSwipeGesture(_UINavigationInteractiveTransitionBase*, WebKit::ViewGestureController::SwipeDirection)
0x0000000198387c80 (UIKitCore + 0x00438c80 ) -[_UINavigationInteractiveTransitionBase startInteractiveTransition]
0x0000000198387de0 (UIKitCore + 0x00438de0 ) -[_UINavigationInteractiveTransitionBase handleNavigationTransition:]
0x0000000198563afc (UIKitCore + 0x00614afc ) -[UIGestureRecognizerTarget _sendActionWithGestureRecognizer:]
0x000000019856c29c (UIKitCore + 0x0061d29c ) _UIGestureRecognizerSendTargetActions
0x0000000198569a20 (UIKitCore + 0x0061aa20 ) _UIGestureRecognizerSendActions
0x0000000198568f20 (UIKitCore + 0x00619f20 ) -[UIGestureRecognizer _updateGestureForActiveEvents]
0x000000019855ce18 (UIKitCore + 0x0060de18 ) _UIGestureEnvironmentUpdate
0x000000019855c5d4 (UIKitCore + 0x0060d5d4 ) -[UIGestureEnvironment _deliverEvent:toGestureRecognizers:usingBlock:]
0x000000019855c388 (UIKitCore + 0x0060d388 ) -[UIGestureEnvironment _updateForEvent:window:]
0x00000001989cf1a4 (UIKitCore + 0x00a801a4 ) -[UIWindow sendEvent:]
0x00000001989aad50 (UIKitCore + 0x00a5bd50 ) -[UIApplication sendEvent:]
0x0000000198a2519c (UIKitCore + 0x00ad619c ) __dispatchPreprocessedEventFromEventQueue
0x0000000198a27754 (UIKitCore + 0x00ad8754 ) __handleEventQueueInternal
0x0000000198a208d8 (UIKitCore + 0x00ad18d8 ) __handleHIDEventFetcherDrain
0x0000000194820104 (CoreFoundation + 0x000ae104 ) __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x0000000194820058 (CoreFoundation + 0x000ae058 ) __CFRunLoopDoSource0
0x000000019481f7c4 (CoreFoundation + 0x000ad7c4 ) __CFRunLoopDoSources0
0x000000019481a690 (CoreFoundation + 0x000a8690 ) __CFRunLoopRun
0x0000000194819f3c (CoreFoundation + 0x000a7f3c ) CFRunLoopRunSpecific
0x000000019ea95530 (GraphicsServices + 0x00003530 ) GSEventRunModal
0x0000000198991e04 (UIKitCore + 0x00a42e04 ) UIApplicationMain
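The ordering the report suspects, as an added example that is not part of the bug report or WebKit's code: a hypothetical, simplified C++ model in which the handler installed by beginSwipeGesture captures the controller and reads a member that removeSwipeSnapshot clears; the null check in the handler is the defensive form that turns the crash into a no-op.

```cpp
#include <functional>
#include <memory>
#include <string>

// Hypothetical, simplified model of the lifecycle described in the report.
// The names mirror the report, but this is not WebKit's implementation.
struct WebPageProxy {
    std::string url;
};

struct ViewGestureController {
    std::shared_ptr<WebPageProxy> m_webPageProxyForBackForwardListForCurrentSwipe;
    std::function<std::string(int)> m_interactiveUpdateHandler;

    // Installs the interactive-update handler for a new swipe. The handler
    // captures `this` and reads a member that may already have been cleared
    // by the time the gesture recognizer invokes it.
    void beginSwipeGesture(std::shared_ptr<WebPageProxy> page) {
        m_webPageProxyForBackForwardListForCurrentSwipe = std::move(page);
        m_interactiveUpdateHandler = [this](int progressPercent) -> std::string {
            WebPageProxy* proxy = m_webPageProxyForBackForwardListForCurrentSwipe.get();
            // Without this check the dereference below runs on a null pointer,
            // which is the EXC_BAD_ACCESS pattern in the stack above.
            if (!proxy)
                return "skipped: swipe already torn down";
            return proxy->url + " at " + std::to_string(progressPercent) + "%";
        };
    }

    // Tears the swipe down and clears the member the handler depends on.
    void removeSwipeSnapshot() {
        m_webPageProxyForBackForwardListForCurrentSwipe.reset();
    }
};

// Drives one swipe. `tearDownFirst` reproduces the suspected ordering in which
// removeSwipeSnapshot() runs before the recognizer fires the update handler.
std::string runSwipe(bool tearDownFirst) {
    ViewGestureController controller;
    auto page = std::make_shared<WebPageProxy>();
    page->url = "https://example.test/";  // constructed sample entry
    controller.beginSwipeGesture(page);
    if (tearDownFirst)
        controller.removeSwipeSnapshot();
    return controller.m_interactiveUpdateHandler(50);
}
```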