WebContent crash in WebKit::WebPage::expandedRangeFromHandle
author: rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 23 Oct 2014 21:51:08 +0000 (21:51 +0000)
committer: rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 23 Oct 2014 21:51:08 +0000 (21:51 +0000)
https://bugs.webkit.org/show_bug.cgi?id=138023

Reviewed by Enrica Casucci.

The crashes are caused by rangeForBlockAtPoint returning a null Range.
Exit early or continue if a range is null in various places.

* WebProcess/WebPage/ios/WebPageIOS.mm:
(WebKit::WebPage::expandedRangeFromHandle): Continue looking for another point if the range returned by
rangeForBlockAtPoint is null.
(WebKit::WebPage::contractedRangeFromHandle): Ditto.
(WebKit::WebPage::computeExpandAndShrinkThresholdsForHandle): Removed the FIXME now that Enrica has
verified that this early exit added in r173788 is correct.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@175143 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm

index 207ca9e246ab91434177f6a9380fb9838be96dd7..2a83944c6916a32113a8b81d0677427ec39a7f8c 100644 (file)
@@ -1,3 +1,20 @@
+2014-10-23  Ryosuke Niwa  <rniwa@webkit.org>
+
+        WebContent crash in WebKit::WebPage::expandedRangeFromHandle
+        https://bugs.webkit.org/show_bug.cgi?id=138023
+
+        Reviewed by Enrica Casucci.
+
+        The crashes are caused by rangeForBlockAtPoint returning a null Range.
+        Exit early or continue if a range is null in various places.
+
+        * WebProcess/WebPage/ios/WebPageIOS.mm:
+        (WebKit::WebPage::expandedRangeFromHandle): Continue looking for another point if the range returned by
+        rangeForBlockAtPoint is null.
+        (WebKit::WebPage::contractedRangeFromHandle): Ditto.
+        (WebKit::WebPage::computeExpandAndShrinkThresholdsForHandle): Removed the FIXME now that Enrica has
+        verified that this early exit added in r173788 is correct.
+
 2014-10-23  Joseph Pecoraro  <pecoraro@apple.com>
 
         [iOS] iPhone unselecting items in <select multiple> shows incorrect values selected
index d6dc5ece686f0d04826e8112231b7affae1fcaff..4dd72f44516f69015cb6de605322e8cfa35b441c 100644 (file)
@@ -1137,7 +1137,7 @@ PassRefPtr<Range> WebPage::expandedRangeFromHandle(Range* currentRange, Selectio
 
         RefPtr<Range> newRange;
         RefPtr<Range> rangeAtPosition = rangeForBlockAtPoint(testPoint);
-        if (&currentRange->ownerDocument() != &rangeAtPosition->ownerDocument())
+        if (!rangeAtPosition || &currentRange->ownerDocument() != &rangeAtPosition->ownerDocument())
             continue;
 
         if (containsRange(rangeAtPosition.get(), currentRange))
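Review bot: the new `!rangeAtPosition ||` guard is correctly placed as the first operand so the short-circuit prevents `rangeAtPosition->ownerDocument()` from dereferencing a null RefPtr, but `currentRange->ownerDocument()` on the same line is still dereferenced with no null check on `currentRange`; if a caller can ever hand in a null `currentRange` (the commit message notes a null-range race in this area), this loop crashes the same way. Consider an `ASSERT(currentRange)` or an early `return nullptr` at the top of `expandedRangeFromHandle` to document that the parameter is required to be non-null.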
@@ -1257,7 +1257,7 @@ PassRefPtr<Range> WebPage::contractedRangeFromHandle(Range* currentRange, Select
         distance *= multiple;
 
         RefPtr<Range> newRange = rangeForBlockAtPoint(testPoint);
-        if (&newRange->ownerDocument() != &currentRange->ownerDocument())
+        if (!newRange || &newRange->ownerDocument() != &currentRange->ownerDocument())
             continue;
 
         if (handlePosition == SelectionHandlePosition::Top || handlePosition == SelectionHandlePosition::Left)
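Review bot: style point on the changed condition: this hunk writes the document comparison as `&newRange->ownerDocument() != &currentRange->ownerDocument()` while the equivalent check in `expandedRangeFromHandle` writes `&currentRange->ownerDocument() != &rangeAtPosition->ownerDocument()`; putting `currentRange` first in both makes the two loops read the same and makes it obvious that the null guard is on the freshly returned range, not the parameter. The `continue` on a null range is the right choice here, since a single point with no enclosing block should not abort the whole search.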
@@ -1325,8 +1325,6 @@ void WebPage::computeExpandAndShrinkThresholdsForHandle(const IntPoint& point, S
     Frame& frame = m_page->focusController().focusedOrMainFrame();
     RefPtr<Range> currentRange = m_currentBlockSelection ? m_currentBlockSelection.get() : frame.selection().selection().toNormalizedRange();
 
-    // FIXME: This used to be an assertion but there appears to be some race condition under which we get a null range.
-    // Should we do other things in addition to the null check here?
     if (!currentRange)
         return;
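Review bot: removing the FIXME leaves a bare `if (!currentRange) return;` with no explanation of why a null range is reachable here, so a future reader may reinstate the assertion that this replaced. Suggest keeping a one-line comment such as `// currentRange can be null (see r173788 and bug 138023); bail out rather than assert.` so the reason for the early exit survives in the source and not only in the ChangeLog.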