Changeset 247180 in webkit

Timestamp:

Jul 5, 2019 2:56:58 PM (5 years ago)

Author:

rniwa@webkit.org

Message:

[iOS] Crash in WebKit::WebPage::positionInformation via Range::startPosition
​https://bugs.webkit.org/show_bug.cgi?id=199503

Reviewed by Wenson Hsieh.

Source/WebCore:

• editing/Editor.cpp:

(WebCore::Editor::compositionRange const): Added a FIXME.

Source/WebKit:

The crash was caused because focusedElementPositionInformation asssumes Editor::compositionRange is not null
whenever Editor::hasComposition returns true, which is not necessary the case when Editor::m_compositionNode
contains no text (data is of length 0).

Fixed the crash by adding an early return for when Editor::compositionRange returns nullptr.

• WebProcess/WebPage/ios/WebPageIOS.mm:

(WebKit::focusedElementPositionInformation):

Tools:

Added UIScriptController.ensurePositionInformationIsUpToDateAt using the existing WKWebView SPI:
_requestActivatedElementAtPosition

• DumpRenderTree/ios/UIScriptControllerIOS.mm:

(WTR::UIScriptController::ensurePositionInformationIsUpToDateAt):

• DumpRenderTree/mac/UIScriptControllerMac.mm:

(WTR::UIScriptController::ensurePositionInformationIsUpToDateAt):

• TestRunnerShared/UIScriptContext/Bindings/UIScriptController.idl:
• TestRunnerShared/UIScriptContext/UIScriptController.cpp:

(WTR::UIScriptController::ensurePositionInformationIsUpToDateAt):

• TestRunnerShared/UIScriptContext/UIScriptController.h:
• WebKitTestRunner/ios/UIScriptControllerIOS.mm:

(WTR::UIScriptController::ensurePositionInformationIsUpToDateAt):

• WebKitTestRunner/ios/UIScriptControllerMac.mm:

(WTR::UIScriptController::ensurePositionInformationIsUpToDateAt):

LayoutTests:

Added a regression test for the crash.

• editing/input/delete-text-in-composition-expected.txt: Added.
• editing/input/delete-text-in-composition.html: Added.
• resources/ui-helper.js:

(window.UIHelper.ensurePositionInformationUpdateForElement): Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/editing/input/delete-text-in-composition-expected.txt (added)
• LayoutTests/editing/input/delete-text-in-composition.html (added)
• LayoutTests/resources/ui-helper.js (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/editing/Editor.cpp (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm (modified) (1 diff)
• Tools/ChangeLog (modified) (1 diff)
• Tools/DumpRenderTree/ios/UIScriptControllerIOS.mm (modified) (1 diff)
• Tools/DumpRenderTree/mac/UIScriptControllerMac.mm (modified) (1 diff)
• Tools/TestRunnerShared/UIScriptContext/Bindings/UIScriptController.idl (modified) (1 diff)
• Tools/TestRunnerShared/UIScriptContext/UIScriptController.cpp (modified) (1 diff)
• Tools/TestRunnerShared/UIScriptContext/UIScriptController.h (modified) (1 diff)
• Tools/WebKitTestRunner/ios/UIScriptControllerIOS.mm (modified) (1 diff)
• Tools/WebKitTestRunner/mac/UIScriptControllerMac.mm (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2019-07-05  Ryosuke Niwa  <rniwa@webkit.org>
+
+        [iOS] Crash in WebKit::WebPage::positionInformation via Range::startPosition
+        https://bugs.webkit.org/show_bug.cgi?id=199503
+
+        Reviewed by Wenson Hsieh.
+
+        Added a regression test for the crash.
+
+        * editing/input/delete-text-in-composition-expected.txt: Added.
+        * editing/input/delete-text-in-composition.html: Added.
+        * resources/ui-helper.js:
+        (window.UIHelper.ensurePositionInformationUpdateForElement): Added.
+
 2019-07-02  Myles C. Maxfield  <mmaxfield@apple.com>
 

trunk/LayoutTests/resources/ui-helper.js

@@ -255 +255 @@
     }
 
+    static ensurePositionInformationUpdateForElement(element)
+    {
+        const boundingRect = element.getBoundingClientRect();
+        const x = boundingRect.x + 5;
+        const y = boundingRect.y + 5;
+
+        if (!this.isWebKit2()) {
+            testRunner.display();
+            return Promise.resolve();
+        }
+
+        return new Promise(resolve => {
+            testRunner.runUIScript(`
+                uiController.ensurePositionInformationIsUpToDateAt(${x}, ${y}, function () {
+                    uiController.uiScriptComplete();
+                });`, resolve);
+        });
+    }
+
     static delayFor(ms)
     {

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-07-05  Ryosuke Niwa  <rniwa@webkit.org>
+
+        [iOS] Crash in WebKit::WebPage::positionInformation via Range::startPosition
+        https://bugs.webkit.org/show_bug.cgi?id=199503
+
+        Reviewed by Wenson Hsieh.
+
+        * editing/Editor.cpp:
+        (WebCore::Editor::compositionRange const): Added a FIXME.
+
 2019-07-02  Myles C. Maxfield  <mmaxfield@apple.com>
 

trunk/Source/WebCore/editing/Editor.cpp

@@ -3078 +3078 @@
     unsigned start = std::min(m_compositionStart, length);
     unsigned end = std::min(std::max(start, m_compositionEnd), length);
+    // FIXME: Why is this early return neeed?
     if (start >= end)
         return nullptr;

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2019-07-05  Ryosuke Niwa  <rniwa@webkit.org>
+
+        [iOS] Crash in WebKit::WebPage::positionInformation via Range::startPosition
+        https://bugs.webkit.org/show_bug.cgi?id=199503
+
+        Reviewed by Wenson Hsieh.
+
+        The crash was caused because focusedElementPositionInformation asssumes Editor::compositionRange is not null
+        whenever Editor::hasComposition returns true, which is not necessary the case when Editor::m_compositionNode
+        contains no text (data is of length 0).
+
+        Fixed the crash by adding an early return for when Editor::compositionRange returns nullptr.
+
+        * WebProcess/WebPage/ios/WebPageIOS.mm:
+        (WebKit::focusedElementPositionInformation):
+
 2019-07-05  Zalan Bujtas  <zalan@apple.com>
 

trunk/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm

@@ -2509 +2509 @@
 
     RefPtr<Range> compositionRange = frame.editor().compositionRange();
+    if (!compositionRange)
+        return;
+
     if (position < compositionRange->startPosition())
         position = compositionRange->startPosition();

trunk/Tools/ChangeLog

@@ +1 @@
+2019-07-05  Ryosuke Niwa  <rniwa@webkit.org>
+
+        [iOS] Crash in WebKit::WebPage::positionInformation via Range::startPosition
+        https://bugs.webkit.org/show_bug.cgi?id=199503
+
+        Reviewed by Wenson Hsieh.
+
+        Added UIScriptController.ensurePositionInformationIsUpToDateAt using the existing WKWebView SPI:
+        _requestActivatedElementAtPosition
+
+        * DumpRenderTree/ios/UIScriptControllerIOS.mm:
+        (WTR::UIScriptController::ensurePositionInformationIsUpToDateAt):
+        * DumpRenderTree/mac/UIScriptControllerMac.mm:
+        (WTR::UIScriptController::ensurePositionInformationIsUpToDateAt):
+        * TestRunnerShared/UIScriptContext/Bindings/UIScriptController.idl:
+        * TestRunnerShared/UIScriptContext/UIScriptController.cpp:
+        (WTR::UIScriptController::ensurePositionInformationIsUpToDateAt):
+        * TestRunnerShared/UIScriptContext/UIScriptController.h:
+        * WebKitTestRunner/ios/UIScriptControllerIOS.mm:
+        (WTR::UIScriptController::ensurePositionInformationIsUpToDateAt):
+        * WebKitTestRunner/ios/UIScriptControllerMac.mm:
+        (WTR::UIScriptController::ensurePositionInformationIsUpToDateAt):
+
 2019-07-05  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/Tools/DumpRenderTree/ios/UIScriptControllerIOS.mm

@@ -64 +64 @@
 }
 
+void UIScriptController::ensurePositionInformationIsUpToDateAt(long x, long y, JSValueRef callback)
+{
+    return doAsyncTask(callback);
+}
+
 void UIScriptController::doAfterVisibleContentRectUpdate(JSValueRef callback)
 {

trunk/Tools/DumpRenderTree/mac/UIScriptControllerMac.mm

@@ -62 +62 @@
 }
 
+void UIScriptController::ensurePositionInformationIsUpToDateAt(long x, long y, JSValueRef callback)
+{
+    doAsyncTask(callback);
+}
+
 void UIScriptController::doAfterVisibleContentRectUpdate(JSValueRef callback)
 {

trunk/Tools/TestRunnerShared/UIScriptContext/Bindings/UIScriptController.idl

@@ -46 +46 @@
     void doAfterPresentationUpdate(object callback); // Call the callback after sending a message to the WebProcess and receiving a subsequent update.
     void doAfterNextStablePresentationUpdate(object callback);
-
+    void ensurePositionInformationIsUpToDateAt(long x, long y, object callback);
     void doAfterVisibleContentRectUpdate(object callback);
 

trunk/Tools/TestRunnerShared/UIScriptContext/UIScriptController.cpp

@@ -102 +102 @@
 }
 
+void UIScriptController::ensurePositionInformationIsUpToDateAt(long x, long y, JSValueRef)
+{
+}
+
 void UIScriptController::doAfterVisibleContentRectUpdate(JSValueRef)
 {

trunk/Tools/TestRunnerShared/UIScriptContext/UIScriptController.h

@@ -68 +68 @@
     void doAfterPresentationUpdate(JSValueRef callback);
     void doAfterNextStablePresentationUpdate(JSValueRef callback);
+    void ensurePositionInformationIsUpToDateAt(long x, long y, JSValueRef callback);
     void doAfterVisibleContentRectUpdate(JSValueRef callback);
 

trunk/Tools/WebKitTestRunner/ios/UIScriptControllerIOS.mm

@@ -158 +158 @@
 }
 
+void UIScriptController::ensurePositionInformationIsUpToDateAt(long x, long y, JSValueRef callback)
+{
+    TestRunnerWKWebView *webView = TestController::singleton().mainWebView()->platformView();
+
+    unsigned callbackID = m_context->prepareForAsyncTask(callback, CallbackTypeNonPersistent);
+    [webView _requestActivatedElementAtPosition:CGPointMake(x, y) completionBlock:^(_WKActivatedElementInfo *) {
+        if (!m_context)
+            return;
+        m_context->asyncTaskComplete(callbackID);
+    }];
+}
+
 void UIScriptController::doAfterVisibleContentRectUpdate(JSValueRef callback)
 {

trunk/Tools/WebKitTestRunner/mac/UIScriptControllerMac.mm

@@ -60 +60 @@
 }
 
+void UIScriptController::ensurePositionInformationIsUpToDateAt(long, long, JSValueRef callback)
+{
+    doAsyncTask(callback);
+}
+
 void UIScriptController::doAfterVisibleContentRectUpdate(JSValueRef callback)
 {