Bug 159519 (CVE-2016-4765)

Summary:

REGRESSION (r199054): CrashTracer: [USER] parseWebKit at WebCore: WebCore::RenderBlockFlow::checkFloatsInCleanLine + 107

Product:

WebKit

Reporter:

Antti Koivisto <koivisto>

Component:

Layout and Rendering

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bfulgham, commit-queue, esprehn+autocc, glenn, kondapallykalyan, mmaxfield, simon.fraser, webkit-bug-importer, zalan

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	none

Antti Koivisto

Reported 2016-07-07 11:11:47 PDT

> 1 com.apple.WebCore 0x00d22b2b WebCore::RenderBlockFlow::checkFloatsInCleanLine(WebCore::RootInlineBox*, WTF::Vector<WebCore::FloatWithRect, 0ul, WTF::CrashOnOverflow, 16ul>&, unsigned long&, bool&, bool&) + 107 2 com.apple.WebCore 0x00d1efd4 WebCore::RenderBlockFlow::determineEndPosition(WebCore::LineLayoutState&, WebCore::RootInlineBox*, WebCore::InlineIterator&, WebCore::BidiStatus&) + 116 3 com.apple.WebCore 0x00d1d7a1 WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 961 4 com.apple.WebCore 0x00d221a5 WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1845 5 com.apple.WebCore 0x00d0cf49 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 905 6 com.apple.WebCore 0x00060386 WebCore::RenderBlock::layout() + 54 7 com.apple.WebCore 0x00d0ed33 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 899 8 com.apple.WebCore 0x00d0dc3c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 524 9 com.apple.WebCore 0x00d0cf31 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 881 10 com.apple.WebCore 0x00060386 WebCore::RenderBlock::layout() + 54 11 com.apple.WebCore 0x00d0e895 WebCore::RenderBlockFlow::insertFloatingObject(WebCore::RenderBox&) + 325 12 com.apple.WebCore 0x00bd8512 WebCore::LineBreaker::skipLeadingWhitespace(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::FloatingObject*, WebCore::LineWidth&) + 226 13 com.apple.WebCore 0x00bd87f7 WebCore::LineBreaker::nextLineBreak(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::LineLayoutState&, WebCore::RenderTextInfo&, WebCore::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&) + 231 14 com.apple.WebCore 0x00d1f45e WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) + 862 15 com.apple.WebCore 0x00d1d8c8 WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 1256 16 com.apple.WebCore 0x00d221a5 WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1845 17 com.apple.WebCore 0x00d0cf49 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 905 18 com.apple.WebCore 0x00060386 WebCore::RenderBlock::layout() + 54 19 com.apple.WebCore 0x00d0ed33 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 899 20 com.apple.WebCore 0x00d0dc3c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 524 21 com.apple.WebCore 0x00d0cf31 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 881 22 com.apple.WebCore 0x00060386 WebCore::RenderBlock::layout() + 54 23 com.apple.WebCore 0x00d0e895 WebCore::RenderBlockFlow::insertFloatingObject(WebCore::RenderBox&) + 325 24 com.apple.WebCore 0x00d0dc46 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 534 25 com.apple.WebCore 0x00d0cf31 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 881 26 com.apple.WebCore 0x00060386 WebCore::RenderBlock::layout() + 54 27 com.apple.WebCore 0x00d0ed33 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 899 28 com.apple.WebCore 0x00d0dc3c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 524 29 com.apple.WebCore 0x00d0cf31 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 881 30 com.apple.WebCore 0x00060386 WebCore::RenderBlock::layout() + 54 31 com.apple.WebCore 0x000601fd WebCore::RenderView::layout() + 781 32 com.apple.WebCore 0x0005d745 WebCore::FrameView::layout(bool) + 3045 33 com.apple.WebCore 0x0005c40a WebCore::Document::implicitClose() + 874 34 com.apple.WebCore 0x0005bc43 WebCore::FrameLoader::checkCompleted() + 275 35 com.apple.WebCore 0x0005a99b WebCore::FrameLoader::finishedParsing() + 123 36 com.apple.WebCore 0x000596e6 WebCore::Document::finishedParsing() + 390 37 com.apple.WebCore 0x00033bc2 WebCore::HTMLDocumentParser::prepareToStopParsing() + 162 38 com.apple.WebCore 0x0003297a WebCore::DocumentWriter::end() + 58 39 com.apple.WebCore 0x0002476c WebCore::DocumentLoader::finishedLoading(double) + 268 40 com.apple.WebCore 0x000b6229 WebCore::CachedResource::checkNotify() + 153 41 com.apple.WebCore 0x0036be63 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 227 42 com.apple.WebCore 0x000b605b WebCore::SubresourceLoader::didFinishLoading(double) + 1163 43 com.apple.WebCore 0x00e53ae5 std::__1::__function::__func<WebCore::ResourceLoader::loadDataURL()::$_0, std::__1::allocator<WebCore::ResourceLoader::loadDataURL()::$_0>, void (WTF::Optional<WebCore::DataURLDecoder::Result>)>::operator()(WTF::Optional<WebCore::DataURLDecoder::Result>&&) + 821 44 com.apple.WebCore 0x00496452 WebCore::DataURLDecoder::DecodingResultDispatcher::timerFired() + 114 45 com.apple.JavaScriptCore 0x00af80f3 WTF::timerFired(__CFRunLoopTimer*, void*) + 35 46 com.apple.CoreFoundation 0x00092b94 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1258.1/RunLoop.subproj/CFRunLoop.c:1628) 47 com.apple.CoreFoundation 0x00092823 __CFRunLoopDoTimer + 1075 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1258.1/RunLoop.subproj/CFRunLoop.c:2167) 48 com.apple.CoreFoundation 0x0009237a __CFRunLoopDoTimers + 298 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1258.1/RunLoop.subproj/CFRunLoop.c:2306) 49 com.apple.CoreFoundation 0x00089871 __CFRunLoopRun + 1841 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1258.1/RunLoop.subproj/CFRunLoop.c:2688) 50 com.apple.CoreFoundation 0x00088ed8 CFRunLoopRunSpecific + 296 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1258.1/RunLoop.subproj/CFRunLoop.c:2814) 51 com.apple.Foundation 0x00024ed9 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 270 (/Library/Caches/com.apple.xbs/Sources/Foundation/Foundation-1259/Soil.subproj/NSRunLoop.m:366) 52 parseWebKit 0x00002988 main + 4104 53 libdyld.dylib 0x000035ad start + 1 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/libdyld/dyld-360.22/src/start_glue.s:47)

Attachments
Patch (5.27 KB, patch) 2016-07-07 11:26 PDT, Antti Koivisto	no flags	Details Formatted Diff Diff
Patch (7.32 KB, patch) 2016-07-07 11:28 PDT, Antti Koivisto	no flags	Details Formatted Diff Diff
Patch (7.24 KB, patch) 2016-07-07 11:30 PDT, Antti Koivisto	no flags	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.