271849 2024-03-28 14:52:22 -0700 nullptr crash in moveOutOfAllShadowRoots 2024-03-28 17:17:53 -0700 1 1 1 Unclassified WebKit DOM Other Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 rniwa rniwa webkit-bug-importer oldest_to_newest 2024558 0 rniwa 2024-03-28 14:52:22 -0700 e.g. Thread[0] EXC_BAD_ACCESS (SIGSEGV) (0x0000000000000001, 0x000000000000001d) [ 0] 0x00000001a8a8dba0 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 36 at EventPath.cpp:294:5 290 291 static Node* moveOutOfAllShadowRoots(Node& startingNode) 292 { 293 Node* node = &startingNode; -> 294 while (node->isInShadowTree()) 295 node = downcast<ShadowRoot>(node->treeScope().rootNode()).host(); 296 return node; 297 } 298 0x00000001a8a8db90: cbz x8, 0x16d9b9c ; <+1992> [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 32 at WeakPtr.h 0x00000001a8a8db94: ldr x9, [x8, #0x8] 0x00000001a8a8db98: b 0x16d9ba0 ; <+1996> [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 36 at EventPath.cpp:294:5 0x00000001a8a8db9c: mov x9, #0x0 -> 0x00000001a8a8dba0: ldrb w8, [x9, #0x1d] 0x00000001a8a8dba4: tbnz w8, #0x3, 0x16d9b84 ; <+1968> [inlined] WebCore::Node::treeScope() const at Node.h:388:17 0x00000001a8a8dba8: ldr w8, [x9, #0x18] 0x00000001a8a8dbac: add w8, w8, #0x2 0x00000001a8a8dbb0: str w8, [x9, #0x18] [ 0] 0x00000001a8a8db7c WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) + 36 at EventPath.cpp:316:35 312 return; 313 } 314 if (relatedNode.isConnected() != target.isConnected()) { 315 m_hasDifferentTreeRoot = true; -> 316 m_retargetedRelatedNode = moveOutOfAllShadowRoots(relatedNode); 317 return; 318 } 319 320 collectTreeScopes(); [ 0] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) at EventPath.cpp:302:1 298 299 RelatedNodeRetargeter::RelatedNodeRetargeter(Node& relatedNode, Node& target) 300 : m_relatedNode(relatedNode) 301 , m_retargetedRelatedNode(&relatedNode) -> 302 { 303 auto& targetTreeScope = target.treeScope(); 304 TreeScope* currentTreeScope = &m_relatedNode->treeScope(); 305 if (LIKELY(currentTreeScope == &targetTreeScope && target.isConnected() && m_relatedNode->isConnected())) 306 return; [ 0] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) + 1924 at EventPath.cpp:148:27 144 } 145 146 void EventPath::setRelatedTarget(Node& origin, Node& relatedNode) 147 { -> 148 RelatedNodeRetargeter retargeter(relatedNode, *m_path[0].node()); 149 150 bool originIsRelatedTarget = &origin == &relatedNode; 151 Node& rootNodeInOriginTreeScope = origin.treeScope().rootNode(); 152 TreeScope* previousTreeScope = nullptr; [ 1] 0x00000001a8a8db9f WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 35 at WeakPtr.h:0:56 [ 1] 0x00000001a8a8db7c WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) + 36 at EventPath.cpp:316:35 [ 1] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) at EventPath.cpp:302:1 [ 1] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) + 1924 at EventPath.cpp:148:27 [ 2] 0x00000001a8a8db9f WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 35 at WeakPtr.h:0:56 [ 2] 0x00000001a8a8db7c WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) + 36 at EventPath.cpp:316:35 [ 2] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) at EventPath.cpp:302:1 [ 2] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) + 1924 at EventPath.cpp:148:27 [ 3] 0x00000001a8a8db9f WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 35 at WeakPtr.h:0:56 [ 3] 0x00000001a8a8db7c WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) + 36 at EventPath.cpp:316:35 [ 3] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) at EventPath.cpp:302:1 [ 3] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) + 1924 at EventPath.cpp:148:27 2024560 1 rniwa 2024-03-28 14:59:26 -0700 Pull request: https://github.com/WebKit/WebKit/pull/26576 2024561 2 rniwa 2024-03-28 14:59:54 -0700 <rdar://121268633> 2024626 3 ews-feeder 2024-03-28 17:17:51 -0700 Committed 276815@main (26bc2e2bb52f): <https://commits.webkit.org/276815@main> Reviewed commits have been landed. Closing PR #26576 and removing active labels.