64693 2011-07-18 07:26:22 -0700 -webkit-marquee with anonymous node causes segmentation fault in Node::document 2011-07-29 15:49:09 -0700 1 1 1 Unclassified WebKit Layout and Rendering 528+ (Nightly build) All All RESOLVED FIXED InRadar P2 Normal --- 1 noel.gordon eae aestes ap bdakin dglazkov eae sam simon.fraser webkit-bug-importer webkit.review.bot oldest_to_newest 438450 0 noel.gordon 2011-07-18 07:26:22 -0700 Reproduction: <!DOCTYPE html> <style> p:first-letter { overflow: -webkit-marquee; float: left; } </style> <p>a</p> Crash reproduces so far in: Safari 5.0.5 (7533.21.1) Win32 Chrome 14.0.822.0 (Developer Build 92402) WebKit 535.1 (trunk@90358) Linux Ubuntu 11.04 (x86_64), Win32 Chrome 13.0.782.56 (Official Build 92025) Beta Linux Ubuntu 11.04 (x86_64) Chrome 12.0.742.122 Stable Win32 crbug.com/89595 438504 1 inferno 2011-07-18 08:57:14 -0700 Noel, why did you mark this security ? To me, this looks a obvious null ptr exception crash. this and renderer() vtables are all right and renderer()->node() is an anonymous node, so null. I have also hit this in my fuzzers, so remember analyzing this. Am i missing anything ? renderer()->node()->document()->eventQueue()->enqueueOrDispatchScrollEvent(renderer()->node(), EventQueue::ScrollEventElementTarget); 438519 2 lforschler 2011-07-18 09:41:10 -0700 <rdar://problem/9792726> 439663 3 noel.gordon 2011-07-20 00:36:43 -0700 (In reply to comment #1) > Noel, why did you mark this security ? I was not concerned about Chromium; there it's a tab crash. My concern was for Safari and other WebCore users. Should I consider simple ways to crash those users as a security matter or not? 440505 4 inferno 2011-07-21 11:22:16 -0700 Null ptr crashes are not security bugs. 441007 5 ap 2011-07-22 10:49:26 -0700 ASSERTION FAILED: this /Users/ap/Safari/OpenSource/Source/WebCore/dom/Node.h(365) : WebCore::Document* WebCore::Node::document() const 1 WebCore::Node::document() const 2 WebCore::RenderLayer::scrollTo(int, int) 3 WebCore::RenderLayer::setScrollOffset(WebCore::IntPoint const&) 4 WebCore::ScrollableArea::setScrollOffsetFromAnimation(WebCore::IntPoint const&) 5 WebCore::ScrollAnimator::notityPositionChanged() 6 WebCore::ScrollAnimatorMac::notityPositionChanged() 7 WebCore::ScrollAnimatorMac::immediateScrollToPoint(WebCore::FloatPoint const&) 8 WebCore::ScrollAnimatorMac::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&) 9 WebCore::ScrollableArea::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&) 10 WebCore::RenderLayer::scrollToOffset(int, int, WebCore::RenderLayer::ScrollOffsetClamping) 11 WebCore::RenderMarquee::start() ... 443599 6 102281 eae 2011-07-28 12:05:17 -0700 Created attachment 102281 Patch 443844 7 102281 morrita 2011-07-29 01:08:33 -0700 Comment on attachment 102281 Patch How about to use renderer()->document() ? 444023 8 eae 2011-07-29 11:24:39 -0700 (In reply to comment #7) > (From update of attachment 102281 [details]) > How about to use renderer()->document() ? That would allow us to dispatch a scroll event but as there is no corresponding dom node to set the target to I'm not sure how useful that event would be. 444150 9 102281 webkit.review.bot 2011-07-29 15:49:03 -0700 Comment on attachment 102281 Patch Clearing flags on attachment: 102281 Committed r92025: <http://trac.webkit.org/changeset/92025> 444151 10 webkit.review.bot 2011-07-29 15:49:09 -0700 All reviewed patches have been landed. Closing bug. 102281 2011-07-28 12:05:17 -0700 2011-07-29 15:49:03 -0700 Patch bug-64693-20110728120516.patch text/plain 3329 eae SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDkxOTQxKQorKysgU291cmNlL1dlYkNvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTYgQEAKKzIwMTEtMDctMjggIEVtaWwgQSBF a2x1bmQgIDxlYWVAY2hyb21pdW0ub3JnPgorCisgICAgICAgIC13ZWJraXQtbWFycXVlZSB3aXRo IGFub255bW91cyBub2RlIGNhdXNlcyBzZWdtZW50YXRpb24gZmF1bHQgaW4gTm9kZTo6ZG9jdW1l bnQKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTY0Njkz CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGVzdDog ZmFzdC9jc3Mvd2Via2l0LW1hcnF1ZWUtYW5vbnltb3VzLW5vZGUtY3Jhc2guaHRtbAorCisgICAg ICAgICogcmVuZGVyaW5nL1JlbmRlckxheWVyLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OlJlbmRl ckxheWVyOjpzY3JvbGxUbyk6CisgICAgICAgIEFkZCBudWxsIGNoZWNrIGFzIHJlbmRlcmVyKCkt Pm5vZGUoKSBpcyBudWxsIGZvciBhbm9ueW1vdXMgbm9kZXMuCisKIDIwMTEtMDctMjggIERhdmlk IEtpbHplciAgPGRka2lsemVyQGFwcGxlLmNvbT4KIAogICAgICAgICA8aHR0cDovL3dlYmtpdC5v cmcvYi82NTI4OT4gUmVtb3ZlIEdlb2xvY2F0aW9uUG9zaXRpb25DYWNoZQpJbmRleDogU291cmNl L1dlYkNvcmUvcmVuZGVyaW5nL1JlbmRlckxheWVyLmNwcAo9PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2Uv V2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVyTGF5ZXIuY3BwCShyZXZpc2lvbiA5MTkzOCkKKysrIFNv dXJjZS9XZWJDb3JlL3JlbmRlcmluZy9SZW5kZXJMYXllci5jcHAJKHdvcmtpbmcgY29weSkKQEAg LTEzNzYsNyArMTM3Niw4IEBAIHZvaWQgUmVuZGVyTGF5ZXI6OnNjcm9sbFRvKGludCB4LCBpbnQg eSkKICAgICAgICAgcmVuZGVyZXIoKS0+cmVwYWludFVzaW5nQ29udGFpbmVyKHJlcGFpbnRDb250 YWluZXIsIHJlY3RGb3JSZXBhaW50KTsKIAogICAgIC8vIFNjaGVkdWxlIHRoZSBzY3JvbGwgRE9N IGV2ZW50LgotICAgIHJlbmRlcmVyKCktPm5vZGUoKS0+ZG9jdW1lbnQoKS0+ZXZlbnRRdWV1ZSgp LT5lbnF1ZXVlT3JEaXNwYXRjaFNjcm9sbEV2ZW50KHJlbmRlcmVyKCktPm5vZGUoKSwgRXZlbnRR dWV1ZTo6U2Nyb2xsRXZlbnRFbGVtZW50VGFyZ2V0KTsKKyAgICBpZiAocmVuZGVyZXIoKS0+bm9k ZSgpKQorICAgICAgICByZW5kZXJlcigpLT5ub2RlKCktPmRvY3VtZW50KCktPmV2ZW50UXVldWUo KS0+ZW5xdWV1ZU9yRGlzcGF0Y2hTY3JvbGxFdmVudChyZW5kZXJlcigpLT5ub2RlKCksIEV2ZW50 UXVldWU6OlNjcm9sbEV2ZW50RWxlbWVudFRhcmdldCk7CiB9CiAKIHZvaWQgUmVuZGVyTGF5ZXI6 OnNjcm9sbFJlY3RUb1Zpc2libGUoY29uc3QgSW50UmVjdCYgcmVjdCwgY29uc3QgU2Nyb2xsQWxp Z25tZW50JiBhbGlnblgsIGNvbnN0IFNjcm9sbEFsaWdubWVudCYgYWxpZ25ZKQpJbmRleDogTGF5 b3V0VGVzdHMvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL0NoYW5nZUxvZwko cmV2aXNpb24gOTE5NDEpCisrKyBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHdvcmtpbmcgY29weSkK QEAgLTEsMyArMSwxNCBAQAorMjAxMS0wNy0yOCAgRW1pbCBBIEVrbHVuZCAgPGVhZUBjaHJvbWl1 bS5vcmc+CisKKyAgICAgICAgLXdlYmtpdC1tYXJxdWVlIHdpdGggYW5vbnltb3VzIG5vZGUgY2F1 c2VzIHNlZ21lbnRhdGlvbiBmYXVsdCBpbiBOb2RlOjpkb2N1bWVudAorICAgICAgICBodHRwczov L2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9NjQ2OTMKKworICAgICAgICBSZXZpZXdl ZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAqIGZhc3QvY3NzL3dlYmtpdC1tYXJxdWVl LWFub255bW91cy1ub2RlLWNyYXNoLWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAgICogZmFz dC9jc3Mvd2Via2l0LW1hcnF1ZWUtYW5vbnltb3VzLW5vZGUtY3Jhc2guaHRtbDogQWRkZWQuCisg ICAgICAgIEFkZCB0ZXN0IGZvciB1c2luZyAtd2Via2l0LW1hcnF1ZWUgd2l0aCBhbiBhbm9ueW1v dXMgbm9kZS4KKwogMjAxMS0wNy0yOCAgU3RlcGhlbiBXaGl0ZSAgPHNlbm9yYmxhbmNvQGNocm9t aXVtLm9yZz4KIAogICAgICAgICBDaHJvbWl1bSB0ZXN0X2V4cGVjdGF0aW9ucyB1cGRhdGU6ICBy ZW1vdmUgYSBidW5jaCBvZiBjb21tZW50ZWQtb3V0CkluZGV4OiBMYXlvdXRUZXN0cy9mYXN0L2Nz cy93ZWJraXQtbWFycXVlZS1hbm9ueW1vdXMtbm9kZS1jcmFzaC1leHBlY3RlZC50eHQKPT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PQotLS0gTGF5b3V0VGVzdHMvZmFzdC9jc3Mvd2Via2l0LW1hcnF1ZWUtYW5vbnltb3VzLW5v ZGUtY3Jhc2gtZXhwZWN0ZWQudHh0CShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVzdHMvZmFzdC9j c3Mvd2Via2l0LW1hcnF1ZWUtYW5vbnltb3VzLW5vZGUtY3Jhc2gtZXhwZWN0ZWQudHh0CShyZXZp c2lvbiAwKQpAQCAtMCwwICsxIEBACitTaG91bGQgbm90IGNyYXNoCkluZGV4OiBMYXlvdXRUZXN0 cy9mYXN0L2Nzcy93ZWJraXQtbWFycXVlZS1hbm9ueW1vdXMtbm9kZS1jcmFzaC5odG1sCj09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT0KLS0tIExheW91dFRlc3RzL2Zhc3QvY3NzL3dlYmtpdC1tYXJxdWVlLWFub255bW91cy1u b2RlLWNyYXNoLmh0bWwJKHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9mYXN0L2Nzcy93ZWJr aXQtbWFycXVlZS1hbm9ueW1vdXMtbm9kZS1jcmFzaC5odG1sCShyZXZpc2lvbiAwKQpAQCAtMCww ICsxLDkgQEAKKzwhRE9DVFlQRSBodG1sPg0KKzxzdHlsZT5wOmZpcnN0LWxldHRlciB7IG92ZXJm bG93OiAtd2Via2l0LW1hcnF1ZWU7IGZsb2F0OiBsZWZ0OyB9PC9zdHlsZT4NCis8c2NyaXB0Pg0K K2lmICh3aW5kb3cubGF5b3V0VGVzdENvbnRyb2xsZXIpDQorICAgIGxheW91dFRlc3RDb250cm9s bGVyLmR1bXBBc1RleHQoKTsNCis8L3NjcmlwdD4NCis8Ym9keT4NCisgICAgPHA+U2hvdWxkIG5v dCBjcmFzaDwvcD4NCis8L2JvZHk+DQo=