272294 2024-04-06 22:59:14 -0700 nullderef in LayoutIntegration::BoxTree::layoutBoxForRenderer 2024-04-07 06:44:15 -0700 1 1 1 Unclassified WebKit Layout and Rendering WebKit Local Build Unspecified Linux RESOLVED DUPLICATE 269009 P2 Normal --- 1 bin7o8v webkit-unassigned bfulgham simon.fraser zalan oldest_to_newest 2026601 0 470798 bin7o8v 2024-04-06 22:59:14 -0700 Created attachment 470798 PoC Version: - OS: Ubuntu Desktop 22.04 - WebKit: WebKitGTK 2.43.4 How to reproduce: 1. Compile WebKit from source 2. Serve poc.html on 127.0.0.1:8080 3. Launch MiniBrowser with url 127.0.0.1:8080/poc.html Crash log: ==2710716==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x7fa8af3d08be bp 0x7ffc9fcc7c80 sp 0x7ffc9fcc7b50 T0) ==2710716==The signal is caused by a READ memory access. ==2710716==Hint: address points to the zero page. SCARINESS: 10 (null-deref) #0 0x7fa8af3d08be in WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>::isEmpty() const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/OptionSet.h:106:46 #1 0x7fa8af3d08be in WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>::operator bool() const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/OptionSet.h:111:56 #2 0x7fa8af3d08be in WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>::containsAny(WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>) const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/OptionSet.h:120:18 #3 0x7fa8af3d08be in WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>::contains(WebCore::Layout::Box::BaseTypeFlag) const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/OptionSet.h:115:16 #4 0x7fa8af3d08be in WebCore::Layout::Box::isElementBox() const /webkitgtk-2.43.4/Source/WebCore/layout/layouttree/LayoutBox.h:164:56 #5 0x7fa8af3d08be in WTF::TypeCastTraits<WebCore::Layout::ElementBox const, WebCore::Layout::Box const, false>::isType(WebCore::Layout::Box const&) /webkitgtk-2.43.4/Source/WebCore/layout/layouttree/LayoutElementBox.h:119:1 #6 0x7fa8af3d08be in WTF::TypeCastTraits<WebCore::Layout::ElementBox const, WebCore::Layout::Box const, false>::isOfType(WebCore::Layout::Box const&) /webkitgtk-2.43.4/Source/WebCore/layout/layouttree/LayoutElementBox.h:119:1 #7 0x7fa8af3d08be in bool WTF::is<WebCore::Layout::ElementBox, WebCore::Layout::Box>(WebCore::Layout::Box const&) /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/TypeCasts.h:58:12 #8 0x7fa8af3d08be in std::conditional<std::is_const_v<WebCore::Layout::Box const>, std::add_const<WebCore::Layout::ElementBox>::type, std::remove_const<WebCore::Layout::ElementBox>::type>::type& WTF::downcast<WebCore::Layout::ElementBox, WebCore::Layout::Box const>(WebCore::Layout::Box const&) /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/TypeCasts.h:120:5 #9 0x7fa8af3d08be in WebCore::LayoutIntegration::BoxTree::layoutBoxForRenderer(WebCore::RenderElement const&) const /webkitgtk-2.43.4/Source/WebCore/layout/integration/LayoutIntegrationBoxTree.cpp:356:12 #10 0x7fa8b0903a75 in WebCore::RenderInline::frameRectForStickyPositioning() const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderInline.h:133:69 #11 0x7fa8b06baf19 in WebCore::RenderBoxModelObject::stickyPositionOffset() const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBoxModelObject.cpp:630:5 #12 0x7fa8b06baf19 in WebCore::RenderBoxModelObject::offsetForInFlowPosition() const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBoxModelObject.cpp:642:16 #13 0x7fa8b08ad3fe in WebCore::RenderInline::offsetFromContainer(WebCore::RenderElement&, WebCore::LayoutPoint const&, bool*) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderInline.cpp:771:19 #14 0x7fa8b074d666 in WebCore::RenderBox::computeVisibleRectsInContainer(WebCore::RenderObject::RepaintRects const&, WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBox.cpp:2669:49 #15 0x7fa8b0a1c112 in WebCore::RenderObject::computeRects(WebCore::RenderObject::RepaintRects const&, WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.cpp:1132:19 #16 0x7fa8b0a1c112 in WebCore::RenderObject::clippedOverflowRect(WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.cpp:1127:12 #17 0x7fa8b0a1a511 in WebCore::RenderObject::clippedOverflowRectForRepaint(WebCore::RenderLayerModelObject const*) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.h:1016:109 #18 0x7fa8b0a1a511 in WebCore::RenderObject::issueRepaint(std::optional<WebCore::LayoutRect>, WebCore::RenderObject::ClipRepaintToLayer, WebCore::RenderObject::ForceRepaint, std::optional<WebCore::RectEdges<WebCore::LayoutUnit>>) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.cpp:1035:23 #19 0x7fa8b0a1a933 in WebCore::RenderObject::repaint() const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.cpp:1045:5 #20 0x7fa8b0a21e56 in WebCore::invalidateLineLayoutAfterTreeMutationIfNeeded(WebCore::RenderObject&, WebCore::IsRemoval) /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.cpp:1806:20 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/webkitgtk-2.43.4/build-asan/lib/libwebkit2gtk-4.0.so.37+0x79358be) ==2710716==ABORTING 2026616 1 zalan 2024-04-07 06:43:08 -0700 Hi, thank you for filing this bug. The test reduction is great! 2026617 2 zalan 2024-04-07 06:44:15 -0700 (this has been fixed on trunk. see bug 269009) *** This bug has been marked as a duplicate of bug 269009 *** 470798 2024-04-06 22:59:14 -0700 2024-04-06 22:59:14 -0700 PoC poc.html text/html 426 bin7o8v PGh0bWw+Cgo8aGVhZD4KICAgIDxzdHlsZT4KICAgICAgICBxIHsKICAgICAgICAgICAgcG9zaXRp b246IHN0aWNreTsKICAgICAgICB9CgogICAgICAgIHE6OmFmdGVyIHsKICAgICAgICAgICAgcG9z aXRpb246IGZpeGVkOwogICAgICAgIH0KCiAgICAgICAgdmlkZW8gewogICAgICAgICAgICBtYXJn aW4tYm90dG9tOiAyNTZweDsKICAgICAgICAgICAgZGlzcGxheTogbGlzdC1pdGVtOwogICAgICAg IH0KICAgIDwvc3R5bGU+CjwvaGVhZD4KCjxib2R5PgogICAgPHZpZGVvPgogICAgICAgIDx0cmFj az4KICAgICAgICA8L3RyYWNrPgogICAgPC92aWRlbz4KICAgIDxpZnJhbWU+PC9pZnJhbWU+CiAg ICA8dmlkZW8+CiAgICAgICAgPHRyYWNrPgogICAgICAgIDwvdHJhY2s+CiAgICA8L3ZpZGVvPgog ICAgPHE+PC9xPgo8L2JvZHk+Cgo8L2h0bWw+