43722 2010-08-09 08:26:03 -0700 cross_fuzz WebCore::RenderBlock::addChild* NULL ptrs 2010-09-01 18:58:07 -0700 1 1 1 Unclassified WebKit DOM 528+ (Nightly build) PC Windows Vista RESOLVED FIXED InRadar P1 Normal --- 42959 1 skylined webkit-unassigned bdakin commit-queue eric hyatt levin rolandsteiner oldest_to_newest 262145 0 63895 skylined 2010-08-09 08:26:03 -0700 Created attachment 63895 Repro The following code triggers a NULL ptr in Chromium latest: <html> <head> <style> :before{ content:"" }; </style> </head> <body onload="document.linkColor=0;"> <ruby> <rt></rt> </ruby> </body> </html> id: WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks ReadAV@NULL (8861963c2158cde00d41e1ee9baea2f1) description: Attempt to read from NULL pointer (+0xC) in WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks signatures: Function: WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks Basic signature: WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks(...)-2D824F8 stack: WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks WebCore::RenderBlock::addChildIgnoringContinuation WebCore::RenderBlock::addChild WebCore::RenderRubyRun::addChild WebCore::RenderRubyAsInline::addChild WebCore::RenderObjectChildList::updateBeforeAfterContent WebCore::RenderInline::styleDidChange WebCore::RenderObject::setStyle WebCore::RenderObject::setAnimatableStyle WebCore::Node::setRenderStyle WebCore::Element::recalcStyle WebCore::Element::recalcStyle WebCore::Element::recalcStyle WebCore::Document::recalcStyle WebCore::StyledElement::attributeChanged WebCore::NamedNodeMap::addAttribute WebCore::Element::setAttribute WebCore::Element::setAttribute WebCore::HTMLBodyElement::setLink WebCore::HTMLDocument::setLinkColor WebCore::HTMLDocumentInternal::linkColorAttrSetter v8::internal::JSObject::SetPropertyWithCallback v8::internal::JSObject::SetProperty v8::internal::JSObject::SetPropertyPostInterceptor v8::internal::JSObject::SetPropertyWithInterceptor v8::internal::JSObject::SetProperty v8::internal::JSObject::SetProperty v8::internal::StoreIC::Store v8::internal::StoreIC_Miss v8::internal::Invoke v8::internal::Execution::Call ... During fuzzzing, I have seen NULL ptr crashes two levels up the stack as well, in Renderblock::AddChild. I expect the cause is the same. 262241 1 63911 abarth 2010-08-09 11:32:58 -0700 Created attachment 63911 Patch (review carefully) 262260 2 eric 2010-08-09 12:14:17 -0700 I'm not sure who does ruby stuff. 265880 3 levin 2010-08-17 17:58:10 -0700 Roland, any comments? 271333 4 63911 commit-queue 2010-08-30 00:35:58 -0700 Comment on attachment 63911 Patch (review carefully) Clearing flags on attachment: 63911 Committed r66371: <http://trac.webkit.org/changeset/66371> 271334 5 commit-queue 2010-08-30 00:36:03 -0700 All reviewed patches have been landed. Closing bug. 271922 6 ddkilzer 2010-08-30 21:45:47 -0700 <rdar://problem/8375382> 273156 7 rolandsteiner 2010-09-01 18:58:07 -0700 Whoa, this bug thread completely sneaked by me, sorry about that! :( FWIW, I think the patch is fine. My recently r+'d patch for https://bugs.webkit.org/show_bug.cgi?id=41040 (not yet landed) also concerns :before/:after content. AFAICT it will subsume this patch once merged and landed. 63895 2010-08-09 08:26:03 -0700 2010-08-09 08:26:03 -0700 Repro repro.html text/html 190 skylined PGh0bWw+CiAgPGhlYWQ+CiAgICA8c3R5bGU+CiAgICAgIDpiZWZvcmV7CiAgICAgICAgY29udGVu dDoiIgogICAgICB9OwogICAgPC9zdHlsZT4KICA8L2hlYWQ+CiAgPGJvZHkgb25sb2FkPSJkb2N1 bWVudC5saW5rQ29sb3I9MDsiPgogICAgPHJ1Ynk+CiAgICAgIDxydD48L3J0PgogICAgPC9ydWJ5 PgogIDwvYm9keT4KPC9odG1sPg== 63911 2010-08-09 11:32:58 -0700 2010-08-30 00:35:58 -0700 Patch (review carefully) bug-43722-20100809113257.patch text/plain 3829 abarth ZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxv ZwppbmRleCA0MjYyNmQwOTAzMmUyNGM4NmYzMmM4NDgyYTNlYTlhZWUxNTY3YWUwLi40NWVkNjI2 OTcyNTAwY2Y3MmJkNDA2ZWJlNTczZjA4YWZkYmZiNzM1IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0 cy9DaGFuZ2VMb2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTMgQEAK KzIwMTAtMDgtMDkgIEFkYW0gQmFydGggIDxhYmFydGhAd2Via2l0Lm9yZz4KKworICAgICAgICBS ZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBXZWJDb3JlOjpSZW5kZXJCbG9j azo6YWRkQ2hpbGQqIE5VTEwgcHRycworICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9z aG93X2J1Zy5jZ2k/aWQ9NDM3MjIKKworICAgICAgICAqIGZhc3QvcnVieS9iZWZvcmUtZG9lc250 LWNyYXNoLWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAgICogZmFzdC9ydWJ5L2JlZm9yZS1k b2VzbnQtY3Jhc2guaHRtbDogQWRkZWQuCisKIDIwMTAtMDgtMDkgIFNhbSBXZWluaWcgIDxzYW1A d2Via2l0Lm9yZz4KIAogICAgICAgICBSZXZpZXdlZCBieSBBbmRlcnMgQ2FybHNzb24KZGlmZiAt LWdpdCBhL0xheW91dFRlc3RzL2Zhc3QvcnVieS9iZWZvcmUtZG9lc250LWNyYXNoLWV4cGVjdGVk LnR4dCBiL0xheW91dFRlc3RzL2Zhc3QvcnVieS9iZWZvcmUtZG9lc250LWNyYXNoLWV4cGVjdGVk LnR4dApuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwLi4zYjBiYzIwZWJmYmMxYTcwYjE4MmIwNDY1OThjMzQzMzE3NzhkZjg4 Ci0tLSAvZGV2L251bGwKKysrIGIvTGF5b3V0VGVzdHMvZmFzdC9ydWJ5L2JlZm9yZS1kb2VzbnQt Y3Jhc2gtZXhwZWN0ZWQudHh0CkBAIC0wLDAgKzEsMiBAQAorIAorIFRoaXMgdGVzdCBwYXNzZXMg aWYgaXQgZG9lc24ndCBjcmFzaC4KZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2Zhc3QvcnVieS9i ZWZvcmUtZG9lc250LWNyYXNoLmh0bWwgYi9MYXlvdXRUZXN0cy9mYXN0L3J1YnkvYmVmb3JlLWRv ZXNudC1jcmFzaC5odG1sCm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLmM5M2FmMjY4Nzk3NTZlYjY4YTA0NGRiNDc1YWQx NDA2ZWY1MzMwYmQKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9mYXN0L3J1YnkvYmVm b3JlLWRvZXNudC1jcmFzaC5odG1sCkBAIC0wLDAgKzEsMTkgQEAKKzxodG1sPgorICA8aGVhZD4K KyAgICA8c3R5bGU+CisgICAgICA6YmVmb3JleworICAgICAgICBjb250ZW50OiIiCisgICAgICB9 OworICAgIDwvc3R5bGU+CisgIDwvaGVhZD4KKyAgPGJvZHkgb25sb2FkPSJkb2N1bWVudC5saW5r Q29sb3I9MDsiPgorICAgIDxydWJ5PgorICAgICAgPHJ0PjwvcnQ+CisgICAgPC9ydWJ5PgorICAg IDxzY3JpcHQ+CisgICAgICBpZiAod2luZG93LmxheW91dFRlc3RDb250cm9sbGVyKQorICAgICAg ICAgIGxheW91dFRlc3RDb250cm9sbGVyLmR1bXBBc1RleHQoKTsKKyAgICA8L3NjcmlwdD4KKyAg ICBUaGlzIHRlc3QgcGFzc2VzIGlmIGl0IGRvZXNuJ3QgY3Jhc2guCisgIDwvYm9keT4KKzwvaHRt bD4KZGlmZiAtLWdpdCBhL1dlYkNvcmUvQ2hhbmdlTG9nIGIvV2ViQ29yZS9DaGFuZ2VMb2cKaW5k ZXggYjUxOGUxZGFkZTU0MTNiMmNkZGUyMjg3NWRlZDRjYjg4MWYyNTlhMS4uMzJhMTdmY2VjZDc0 OGQ4YTY1ZWZkYWEzZTk0M2Y0OTBmMzdiYzU3MyAxMDA2NDQKLS0tIGEvV2ViQ29yZS9DaGFuZ2VM b2cKKysrIGIvV2ViQ29yZS9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxNyBAQAorMjAxMC0wOC0wOSAg QWRhbSBCYXJ0aCAgPGFiYXJ0aEB3ZWJraXQub3JnPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5P Qk9EWSAoT09QUyEpLgorCisgICAgICAgIFdlYkNvcmU6OlJlbmRlckJsb2NrOjphZGRDaGlsZCog TlVMTCBwdHJzCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9p ZD00MzcyMgorCisgICAgICAgIEFsc28gaW5jbHVkZXMgc29tZSBjbGVhbnVwIG9mIGNvbW1lbnRz IGFuZCBBU1NFUlRzLgorCisgICAgICAgIFRlc3Q6IGZhc3QvcnVieS9iZWZvcmUtZG9lc250LWNy YXNoLmh0bWwKKworICAgICAgICAqIHJlbmRlcmluZy9SZW5kZXJSdWJ5LmNwcDoKKyAgICAgICAg KFdlYkNvcmU6OlJlbmRlclJ1YnlBc0lubGluZTo6YWRkQ2hpbGQpOgorCiAyMDEwLTA4LTA5ICBN YXJjdXMgQnVsYWNoICA8YnVsYWNoQGNocm9taXVtLm9yZz4KIAogICAgICAgICBSZXZpZXdlZCBi eSBEYXJpbiBBZGxlci4KZGlmZiAtLWdpdCBhL1dlYkNvcmUvcmVuZGVyaW5nL1JlbmRlclJ1Ynku Y3BwIGIvV2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVyUnVieS5jcHAKaW5kZXggNGFiOWQ3MzVlNjE1 OTQ1NWU2ZmZlMTU2MmMyZWJjOGZiZGI0ZDNiMi4uMmY1NDNkNTFhOGNkMmJjN2UzMjJmOWIyM2Mx NjZiZDMyMzI0MGFiYSAxMDA2NDQKLS0tIGEvV2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVyUnVieS5j cHAKKysrIGIvV2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVyUnVieS5jcHAKQEAgLTc1LDI0ICs3NSwx OSBAQCBib29sIFJlbmRlclJ1YnlBc0lubGluZTo6aXNDaGlsZEFsbG93ZWQoUmVuZGVyT2JqZWN0 KiBjaGlsZCwgUmVuZGVyU3R5bGUqKSBjb25zdAogCiB2b2lkIFJlbmRlclJ1YnlBc0lubGluZTo6 YWRkQ2hpbGQoUmVuZGVyT2JqZWN0KiBjaGlsZCwgUmVuZGVyT2JqZWN0KiBiZWZvcmVDaGlsZCkK IHsKLSAgICAvLyBOb3RlOiAnOmFmdGVyJyBjb250ZW50IGlzIGhhbmRsZWQgaW1wbGljaXRlbHkg YmVsb3cKKyAgICAvLyBOb3RlOiAnOmFmdGVyJyBjb250ZW50IGlzIGhhbmRsZWQgaW1wbGljaXRs eSBiZWxvdwogCi0gICAgLy8gaWYgY2hpbGQgaXMgYSBydWJ5IHJ1biwganVzdCBhZGQgaXQgbm9y bWFsbHkKICAgICBpZiAoY2hpbGQtPmlzUnVieVJ1bigpKSB7CiAgICAgICAgIFJlbmRlcklubGlu ZTo6YWRkQ2hpbGQoY2hpbGQsIGJlZm9yZUNoaWxkKTsKICAgICAgICAgcmV0dXJuOwogICAgIH0K IAotICAgIGlmIChiZWZvcmVDaGlsZCAmJiAhaXNBZnRlckNvbnRlbnQoYmVmb3JlQ2hpbGQpKSB7 Ci0gICAgICAgIC8vIGluc2VydCBjaGlsZCBpbnRvIHJ1bgotICAgICAgICBBU1NFUlQoIWJlZm9y ZUNoaWxkLT5pc1J1YnlSdW4oKSk7Ci0gICAgICAgIFJlbmRlclJ1YnlSdW4qIHJ1biA9IGZpbmRS dWJ5UnVuUGFyZW50KGJlZm9yZUNoaWxkKTsKLSAgICAgICAgQVNTRVJUKHJ1bik7IC8vIGJlZm9y ZUNoaWxkIHNob3VsZCBhbHdheXMgaGF2ZSBhIHJ1biBhcyBwYXJlbnQKLSAgICAgICAgaWYgKHJ1 bikgeworICAgIGlmIChiZWZvcmVDaGlsZCAmJiAhaXNBZnRlckNvbnRlbnQoYmVmb3JlQ2hpbGQp ICYmICFiZWZvcmVDaGlsZC0+aXNSdWJ5UnVuKCkpIHsKKyAgICAgICAgaWYgKFJlbmRlclJ1YnlS dW4qIHJ1biA9IGZpbmRSdWJ5UnVuUGFyZW50KGJlZm9yZUNoaWxkKSkgewogICAgICAgICAgICAg cnVuLT5hZGRDaGlsZChjaGlsZCwgYmVmb3JlQ2hpbGQpOwogICAgICAgICAgICAgcmV0dXJuOwog ICAgICAgICB9Ci0gICAgICAgIEFTU0VSVChmYWxzZSk7IC8vIGJlZm9yZUNoaWxkIHNob3VsZCBh bHdheXMgaGF2ZSBhIHJ1biBhcyBwYXJlbnQhCisgICAgICAgIEFTU0VSVF9OT1RfUkVBQ0hFRCgp OyAvLyBiZWZvcmVDaGlsZCBzaG91bGQgYWx3YXlzIGhhdmUgYSBydW4gYXMgcGFyZW50IQogICAg ICAgICAvLyBFbWVyZ2VuY3kgZmFsbGJhY2s6IGZhbGwgdGhyb3VnaCBhbmQganVzdCBhcHBlbmQu CiAgICAgfQogCg==