Exception when the autofill SMS code is tapped multiple times in the predictive keyboard

Originator: pablobart
Number: rdar://7428013
Date Originated: 5 Nov 2019
Status: Open
Resolved:
Product: UIKit
Product Version: 12.0+
Classification:
Reproducible: Yes
 
Steps to reproduce:
- Receive an SMS with a second factor authentication code
- The code is detected and presented in the predictive view of the keyboard
- Tap the prediction multiple times in order to enter the code (e.g. in a web view); the second tap in the predictive view ends up touching an empty prediction

Result:
- An NSInvalidArgumentException from NSString is raised because “-[NSTaggedPointerString stringByReplacingCharactersInRange:withString:]: nil argument”


------------------------------

NSInvalidArgumentException: *** -[NSTaggedPointerString stringByReplacingCharactersInRange:withString:]: nil argument

0  CoreFoundation   ___exceptionPreprocess
1  libobjc.A.dylib  _objc_exception_throw
2  Foundation       -[NSString stringByReplacingCharactersInRange:withString:]
3  TextInput        -[TIDocumentState(StateTransitions) documentStateAfterReplacingText:withText:]
4  UIKitCore        -[UIKeyboardImpl setDocumentStateForAutocorrection:]
5  UIKitCore        ___82-[UIKeyboardImpl acceptAutocorrection:executionContextPassingTIKeyboardCandidate:]_block_invoke_2
6  WebKit           -[WKContentView(WKInteraction) applyAutocorrection:toString:withCompletionHandler:]
7  UIKitCore        -[UIKeyboardImpl acceptAutocorrection:executionContextPassingTIKeyboardCandidate:]
8  UIKitCore        -[UIKeyboardImpl acceptAutocorrectionForWordTerminator:executionContextPassingTIKeyboardCandidate:]
9  UIKitCore        ___56-[UIKeyboardImpl acceptAutocorrectionForWordTerminator:]_block_invoke
10 UIKitCore        -[UIKeyboardTaskEntry execute:]
11 UIKitCore        -[UIKeyboardTaskQueue continueExecutionOnMainThread]
12 UIKitCore        -[UIKeyboardTaskQueue performTaskOnMainThread:waitUntilDone:]
13 UIKitCore        -[UIKeyboardImpl acceptAutocorrectionForWordTerminator:]
14 UIKitCore        -[UIKeyboardImpl acceptAutocorrection]
15 UIKitCore        ___38-[UIKeyboardImpl acceptAutocorrection]_block_invoke
16 UIKitCore        -[UIKeyboardTaskEntry execute:]
17 UIKitCore        -[UIKeyboardTaskQueue continueExecutionOnMainThread]
18 UIKitCore        -[UIKeyboardImpl acceptAutocorrection]
19 UIKitCore        -[UIKeyboardImpl setDelegate:force:]
20 UIKitCore        -[UIInputResponderController _reloadInputViewsForKeyWindowSceneResponder:]
21 UIKitCore        -[UIInputResponderController _reloadInputViewsForResponder:]
22 UIKitCore        -[UIResponder(UIResponderInputViewAdditions) reloadInputViews]
23 WebKit           -[WKContentView(WKInteraction) _hideKeyboard]
24 WebKit           -[WKContentViewAccessibility _hideKeyboard]
25 WebKit           -[WKContentView(WKInteraction) _elementDidBlur]
26 WebKit           WebKit::WebPageProxy::elementDidBlur()
27 WebKit           WebKit::WebPageProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
28 WebKit           IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&)
29 WebKit           WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
30 WebKit           IPC::Connection::dispatchMessage(IPC::Decoder&)
31 WebKit           IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)
32 WebKit           IPC::Connection::dispatchIncomingMessages()
33 WebKit           WTF::Detail::CallableWrapper<IPC::Connection::MessagesThrottler::scheduleMessagesDispatch()::$_13, void>::call()
34 JavaScriptCore   WTF::RunLoop::performWork()
35 JavaScriptCore   WTF::RunLoop::performWork(void*)
36 CoreFoundation   ___CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
37 CoreFoundation   ___CFRunLoopDoSource0
38 CoreFoundation   ___CFRunLoopDoSources0
39 CoreFoundation   ___CFRunLoopRun
40 CoreFoundation   _CFRunLoopRunSpecific
41 GraphicsServices _GSEventRunModal
42 UIKitCore        _UIApplicationMain
43 App       main (main.swift:35:5)
44 libdyld.dylib    _start

Comments

Workaround by swizzling `NSString stringByReplacingCharactersInRange:withString:`

We had a similar issue with webview and SMS code autofill (the same stacktrace) which was:

  • Deactivate "Predictive" in Settings > General > Keyboards
  • Receive an SMS with a second factor authentication code
  • Start by entering some digits (first 3)
  • Tap on the one time code from messages.

Result: the app will crash

By swizzling NSString stringByReplacingCharactersInRange:withString: the crash no longer occurs for those steps and the original steps of this radar.

https://gist.github.com/kyle-ilantzis/00f4685462a150506481a15ac2af7259

By kilantzis at Dec. 2, 2019, 4:59 p.m.
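
A sketch of the kind of swizzle the comment above describes, added here as an example; it is not the code from the linked gist. The category name, the `nilsafe_` selector prefix and the choice to return the receiver unchanged when the replacement is nil are assumptions.

```objective-c
// Added example (not from the linked gist). Assumes ARC.
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

// Hypothetical category name; guards the call seen in frame 2 of the trace.
@interface NSString (NilSafeReplace)
@end

@implementation NSString (NilSafeReplace)

+ (void)load {
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        Class cls = [NSString class];
        SEL originalSel = @selector(stringByReplacingCharactersInRange:withString:);
        SEL guardedSel  = @selector(nilsafe_stringByReplacingCharactersInRange:withString:);

        Method original = class_getInstanceMethod(cls, originalSel);
        Method guarded  = class_getInstanceMethod(cls, guardedSel);

        // Only exchange when both methods resolve, so a runtime change
        // cannot leave the selector pointing at nothing.
        if (original != NULL && guarded != NULL) {
            method_exchangeImplementations(original, guarded);
        }
    });
}

- (NSString *)nilsafe_stringByReplacingCharactersInRange:(NSRange)range
                                              withString:(NSString *)replacement {
    if (replacement == nil) {
        // The keyboard passed an empty prediction. Assumption: leaving the
        // text unchanged is the least surprising result for the user.
        NSLog(@"nil replacement for range %@; returning receiver unchanged",
              NSStringFromRange(range));
        return [self copy];
    }
    // After the exchange this selector maps to Foundation's original
    // implementation, so this call is not recursive.
    return [self nilsafe_stringByReplacingCharactersInRange:range
                                                 withString:replacement];
}

@end
```

Because the exchange is process-wide, every caller of this method in the app gets the guard, including code that previously relied on the exception to surface a nil argument; keep the log line so those cases remain visible.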