Bug 253965

Summary: REGRESSION (iOS 16.4): Chrome crashes in -[WKWebGeolocationPolicyDecider _executeNextChallenge]
Product: WebKit
Reporter: Ali Juma <ajuma>
Component: WebKit2
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, cdumez, kkinnunen, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Crash log (Flags: none)

Description Ali Juma 2023-03-15 08:03:22 PDT
Created attachment 465446 [details]
Crash log

Chrome for iOS is getting reports of a new crash in -[WKWebGeolocationPolicyDecider _executeNextChallenge] in iOS 16.4 beta, including the most recent seed (20E5229e). I've attached a crash log.

The crash stack is:

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000000

Thread 0 Crashed:
0   WebKit                        	0x00000001a56d1524 __54-[WKWebGeolocationPolicyDecider _executeNextChallenge]_block_invoke_3 + 28 (WKWebGeolocationPolicyDeciderIOS.mm:191)
1   UIKitCore                     	0x0000000194bcb5b0 -[UIAlertController _invokeHandlersForAction:] + 88 (UIAlertController.m:1204)
2   UIKitCore                     	0x0000000194d5b530 __103-[UIAlertController _dismissAnimated:triggeringAction:triggeredByPopoverDimmingView:dismissCompletion:]_block_invoke_2 + 36 (UIAlertController.m:1369)
3   UIKitCore                     	0x0000000194a1e1ec -[UIPresentationController transitionDidFinish:] + 1124 (UIPresentationController.m:601)
4   UIKitCore                     	0x0000000194f0a1a0 __56-[UIPresentationController runTransitionForCurrentState]_block_invoke.110 + 320 (UIPresentationController.m:1303)
5   UIKitCore                     	0x0000000194a57bbc -[_UIViewControllerTransitionContext completeTransition:] + 116 (UIViewControllerTransitioning.m:289)
6   UIKitCore                     	0x00000001958042fc __UIVIEW_IS_EXECUTING_ANIMATION_COMPLETION_BLOCK__ + 36 (UIView.m:15136)
7   UIKitCore                     	0x0000000194874324 -[UIViewAnimationBlockDelegate _didEndBlockAnimation:finished:context:] + 636 (UIView.m:15169)
8   UIKitCore                     	0x0000000194873280 -[UIViewAnimationState sendDelegateAnimationDidStop:finished:] + 436 (UIView.m:0)
9   UIKitCore                     	0x000000019487299c -[UIViewAnimationState animationDidStop:finished:] + 196 (UIView.m:2325)
10  UIKit                         	0x000000021c14cbf8 -[UIViewAnimationStateAccessibility animationDidStop:finished:] + 172 (UIViewAnimationStateAccessibility.m:106)
11  UIKitCore                     	0x0000000194872ab0 -[UIViewAnimationState animationDidStop:finished:] + 472 (UIView.m:2344)
12  UIKit                         	0x000000021c14cbf8 -[UIViewAnimationStateAccessibility animationDidStop:finished:] + 172 (UIViewAnimationStateAccessibility.m:106)
13  QuartzCore                    	0x0000000193c6bc64 CA::Layer::run_animation_callbacks(void*) + 232 (CALayer.mm:7337)
14  libdispatch.dylib             	0x0000000199c01f48 _dispatch_client_callout + 20 (object.m:560)
15  libdispatch.dylib             	0x0000000199c106cc _dispatch_main_queue_drain + 928 (inline_internal.h:2633)
16  libdispatch.dylib             	0x0000000199c1031c _dispatch_main_queue_callback_4CF + 44 (queue.c:7916)
17  CoreFoundation                	0x00000001927c5d18 __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 16 (CFRunLoop.c:1780)
18  CoreFoundation                	0x00000001927a7650 __CFRunLoopRun + 1992 (CFRunLoop.c:3147)
19  CoreFoundation                	0x00000001927ac4dc CFRunLoopRunSpecific + 612 (CFRunLoop.c:3418)
20  GraphicsServices              	0x00000001cd47d35c GSEventRunModal + 164 (GSEvent.c:2196)
21  UIKitCore                     	0x0000000194b42c48 -[UIApplication _run] + 888 (UIApplication.m:3773)
22  UIKitCore                     	0x0000000194b428ac UIApplicationMain + 340 (UIApplication.m:5363)
23  Chrome                        	0x00000001026394cc 0x1025c8000 + 464076
24  dyld                          	0x00000001b1c06dec start + 2220 (dyldMain.cpp:1165)
Comment 1 Radar WebKit Bug Importer 2023-03-15 12:14:40 PDT
<rdar://problem/106767100>
Comment 2 Chris Dumez 2023-03-15 15:33:52 PDT
Pull request: https://github.com/WebKit/WebKit/pull/11576
Comment 3 Chris Dumez 2023-03-15 15:40:04 PDT
Thanks for the report Ali. Have you been able to reproduce?
I haven't found a way to reproduce yet but I have a speculative fix.
Comment 4 EWS 2023-03-15 20:13:09 PDT
Committed 261728@main (4429746eddd4): <https://commits.webkit.org/261728@main>

Reviewed commits have been landed. Closing PR #11576 and removing active labels.
Comment 5 Ali Juma 2023-03-16 06:05:15 PDT
(In reply to Chris Dumez from comment #3)
> Thanks for the report Ali. Have you been able to reproduce?
> I haven't found a way to reproduce yet but I have a speculative fix.

Thanks for the fix! I haven't been able to reproduce either. In Chrome's crash reports, it looks like all of the crashes are on pages where Chrome is showing an infobar on top of the WKWebView (the infobar that says "Translate page?" when on a page that isn't in the user's own language).

So this might be similar to bug 251548, where we were crashing because of trying to present the same WebValidationBubbleViewController twice when a translate infobar was being displayed in Chrome. In that case, it was the sliding-away effect of the infobar that seemed to trigger the logic to present the WebValidationBubbleViewController again.