Analyzing and Fixing iOS 16 WKWebView Crash via Reverse Engineering and Hooking
By reverse‑engineering the iOS 16 WKWebView image‑analysis crash, the team identified a nil‑buffer bug in VisionKitCore’s CGImage creation, then mitigated it by runtime‑hooking VKCRemoveBackgroundResult’s createCGImage (returning NULL) and suppressing the image‑analysis gesture, reducing crashes from thousands to near zero.
Background: Mobile Taobao experienced a high crash rate caused by a system bug in iOS 16.0‑iOS 16.2 WKWebView image‑analysis feature.
Crash information: The crash stack shows _platform_memmove in libsystem_platform.dylib, followed by CoreGraphics and VisionKitCore functions, ultimately leading to EXC_BAD_ACCESS.
Investigation: A search on Apple forums revealed similar reports. Assembly of __platform_memmove and related functions was examined, revealing that memmove is a tail‑call optimized, frameless function, which explains missing stack frames.
Analysis of VisionKitCore’s -[VKCRemoveBackgroundResult _createCGImageFromBGRAPixelBuffer:cropRect:] uncovered the image‑analysis flow and how WKWebView passes a bitmap to VisionKit.
Key findings: The bug originates from the new iOS 16 image‑analysis gesture in WKWebView; the crash occurs when the gesture triggers a call to VisionKitCore with a nil or corrupted buffer.
Solution 1: Hook VKCRemoveBackgroundResult’s createCGImage method to return NULL, disabling the image‑analysis feature.
#import <CoreGraphics/CoreGraphics.h>
#import <objc/runtime.h>
Class cls = objc_getClass("VKCRemoveBackgroundResult");
SEL sel = sel_registerName("createCGImage");
Method m = class_getInstanceMethod(cls, sel);
if (m) { // patch only if the private class and selector exist; method_getTypeEncoding(NULL) would itself crash
    IMP newImp = imp_implementationWithBlock(^CGImageRef(id self){ return NULL; }); // IMP blocks receive self but no _cmd
    class_replaceMethod(cls, sel, newImp, method_getTypeEncoding(m));
}

Solution 2: Hook WKContentView’s imageAnalysisGestureDidBegin: to suppress the gesture on iOS 16.0‑<16.2.
#import <UIKit/UIKit.h>
#import <objc/runtime.h>
Class cls = objc_getClass("WKContentView");
SEL sel = sel_registerName("imageAnalysisGestureDidBegin:");
Method m = class_getInstanceMethod(cls, sel);
if (m) { // same guard: never call method_getTypeEncoding on a NULL Method
    IMP newImp = imp_implementationWithBlock(^void(id self, UILongPressGestureRecognizer *g){ /* do nothing: the gesture is swallowed */ });
    class_replaceMethod(cls, sel, newImp, method_getTypeEncoding(m));
}

After deploying the hook in the safety‑pad SDK and rolling it out gradually, crash counts dropped from over 1200 pv to near zero without user impact.
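As an added example (not code from the original post or the safety‑pad SDK), the two hooks combined into one installer that refuses to patch when the private class or selector is absent and that applies only on the affected iOS range; the function names and the exclusive 16.2 upper bound are assumptions.

```objective-c
#import <Foundation/Foundation.h>
#import <UIKit/UIKit.h>
#import <CoreGraphics/CoreGraphics.h>
#import <objc/runtime.h>

// Replace an instance method only if the private class and selector really
// exist; returns NO (and installs nothing) otherwise, so a renamed private
// symbol in a later iOS build cannot turn the mitigation itself into a crash.
// (Hypothetical helper, not part of the original post.)
static BOOL VKSafeReplaceMethod(const char *className, const char *selName, id block) {
    Class cls = objc_getClass(className);
    SEL sel = sel_registerName(selName);
    Method m = cls ? class_getInstanceMethod(cls, sel) : NULL;
    if (!m) return NO;
    IMP newImp = imp_implementationWithBlock(block);
    class_replaceMethod(cls, sel, newImp, method_getTypeEncoding(m));
    return YES;
}

// The crash affects iOS 16.0 up to 16.2 (assumed exclusive), so the hooks are
// applied only inside that window; newer systems keep the feature intact.
static BOOL VKIsAffectedSystemVersion(void) {
    NSProcessInfo *info = [NSProcessInfo processInfo];
    NSOperatingSystemVersion v16_0 = {16, 0, 0};
    NSOperatingSystemVersion v16_2 = {16, 2, 0};
    return [info isOperatingSystemAtLeastVersion:v16_0] &&
           ![info isOperatingSystemAtLeastVersion:v16_2];
}

// Returns how many hooks were installed (0, 1 or 2) so the caller can log it
// and a gradual rollout can verify the mitigation is actually active.
NSUInteger VKInstallImageAnalysisMitigation(void) {
    if (!VKIsAffectedSystemVersion()) return 0;
    NSUInteger installed = 0;
    // Hand WebKit no CGImage at all instead of one built from a nil buffer.
    if (VKSafeReplaceMethod("VKCRemoveBackgroundResult", "createCGImage",
                            ^CGImageRef(id self) { return NULL; })) installed++;
    // Swallow the long-press image-analysis gesture so the VisionKit path is never entered.
    if (VKSafeReplaceMethod("WKContentView", "imageAnalysisGestureDidBegin:",
                            ^void(id self, UILongPressGestureRecognizer *g) { /* intentionally empty */ })) installed++;
    return installed;
}
```

Call VKInstallImageAnalysisMitigation() once at startup (for example from the SDK's initialisation path) and log the return value; a result below 2 on an affected device means Apple's private names no longer match and the hook needs re-verification.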
Conclusion: The issue was a system‑level bug in iOS 16’s WKWebView image‑analysis; disabling the feature via runtime hooking provided a safe, effective fix.
DaTaobao Tech
Official account of DaTaobao Technology