Title: [214651] branches/safari-603-branch/Source/WebKit2
Revision
214651
Author
jmarc...@apple.com
Date
2017-03-30 19:33:39 -0700 (Thu, 30 Mar 2017)

Log Message

Merge r214003. rdar://problem/31331131

Modified Paths

Diff

Modified: branches/safari-603-branch/Source/WebKit2/ChangeLog (214650 => 214651)


--- branches/safari-603-branch/Source/WebKit2/ChangeLog	2017-03-31 02:11:32 UTC (rev 214650)
+++ branches/safari-603-branch/Source/WebKit2/ChangeLog	2017-03-31 02:33:39 UTC (rev 214651)
@@ -1,3 +1,24 @@
+2017-03-30  Jason Marcell  <jmarc...@apple.com>
+
+        Merge r214003. rdar://problem/31331131
+
+    2017-03-15  Wenson Hsieh  <wenson_hs...@apple.com>
+
+            WebContent crash due to bad variant access in WebKit: WebKit::WebPage::expandedRangeFromHandle
+            https://bugs.webkit.org/show_bug.cgi?id=169657
+            <rdar://problem/30631070>
+
+            Reviewed by Tim Horton.
+
+            In WebPageIOS.mm, the call to unionDOMRanges from WebPage::expandedRangeFromHandle invokes
+            Range::compareBoundaryPoints, assuming that the return value is not an exception, and then attempts to perform
+            integer comparison on the result. This is one speculative cause of the web content crash in the radar.
+
+            There isn't a known way to reproduce this crash.
+
+            * WebProcess/WebPage/ios/WebPageIOS.mm:
+            (WebKit::unionDOMRanges):
+
 2017-03-20  Matthew Hanson  <matthew_han...@apple.com>
 
         Merge r213253. rdar://problem/30773140
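Review bot: The nested entry's description stops at "one speculative cause" and should also state what the fix does to callers: unionDOMRanges now returns nullptr whenever either compareBoundaryPoints call produces an exception, so the entry (and the merge reviewer for safari-603-branch) needs to confirm that WebPage::expandedRangeFromHandle tolerates a null range, which the visible text does not mention. Since the entry says there is no known reproduction and no test is listed under the changed files, a one-line note that no regression test could be added, and why, would make the omission deliberate rather than accidental. Minor: the nested 2017-03-15 entry is indented by four spaces while its body is indented by twelve; WebKit ChangeLog merge entries normally indent the nested entry consistently with its body.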

Modified: branches/safari-603-branch/Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm (214650 => 214651)


--- branches/safari-603-branch/Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm	2017-03-31 02:11:32 UTC (rev 214650)
+++ branches/safari-603-branch/Source/WebKit2/WebProcess/WebPage/ios/WebPageIOS.mm	2017-03-31 02:33:39 UTC (rev 214651)
@@ -1265,9 +1265,17 @@
     if (!rangeA)
         return rangeB;
 
-    Range* start = rangeA->compareBoundaryPoints(Range::START_TO_START, *rangeB).releaseReturnValue() <= 0 ? rangeA : rangeB;
-    Range* end = rangeA->compareBoundaryPoints(Range::END_TO_END, *rangeB).releaseReturnValue() <= 0 ? rangeB : rangeA;
+    auto startToStartComparison = rangeA->compareBoundaryPoints(Range::START_TO_START, *rangeB);
+    if (startToStartComparison.hasException())
+        return nullptr;
 
+    auto endToEndComparison = rangeA->compareBoundaryPoints(Range::END_TO_END, *rangeB);
+    if (endToEndComparison.hasException())
+        return nullptr;
+
+    auto* start = startToStartComparison.releaseReturnValue() <= 0 ? rangeA : rangeB;
+    auto* end = endToEndComparison.releaseReturnValue() <= 0 ? rangeB : rangeA;
+
     return Range::create(rangeA->ownerDocument(), &start->startContainer(), start->startOffset(), &end->endContainer(), end->endOffset());
 }
 
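Review bot: The new early returns turn a bad variant access (the old code called releaseReturnValue() on the compareBoundaryPoints result without checking hasException(), which is the crash the ChangeLog describes) into a nullptr return, so the remaining risk is at the call site: the function's existing contract already tolerates null inputs (`if (!rangeA) return rangeB;`), but nothing in this hunk shows that the caller null-checks the result, and a null dereference in expandedRangeFromHandle would simply move the crash rather than fix it. Suggest a short comment above the first `hasException()` check explaining why dropping to nullptr (rather than falling back to rangeA or rangeB) is the intended behaviour when the ranges cannot be compared, so a future reader does not "simplify" it back. Both comparisons are evaluated before either result is consumed, which is fine, and the `auto*` for `start`/`end` preserves the original `Range*` type.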
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
