Bug 208314

Summary: Crash in Document::textNodesMerged
Product: WebKit
Reporter: Ali Juma <ajuma>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: bfulgham, product-security, rniwa, rohitrao, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: Minimal test case (flags: none)

Ali Juma
Reported 2020-02-27 08:21:30 PST
Created attachment 391874: Minimal test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

Crash stack:

=================================================================
==45635==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0003304db9b4 bp 0x7ffee96d9350 sp 0x7ffee96d9350 T0)
==45635==The signal is caused by a WRITE memory access.
==45635==Hint: address points to the zero page.
==45635==WARNING: invalid path to external symbolizer!
==45635==WARNING: Failed to use and restart external symbolizer!
    #0 0x3304db9b3 in WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >::Ref(WebCore::Node&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4db9b3)
    #1 0x33313af25 in WebCore::boundaryTextNodesMerged(WebCore::RangeBoundaryPoint&, WebCore::NodeWithIndex&, unsigned int) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x313af25)
    #2 0x332f4cb9d in WebCore::Document::textNodesMerged(WebCore::Text&, unsigned int) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f4cb9d)
    #3 0x3330dcbba in WebCore::Node::normalize() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x30dcbba)
    #4 0x33110eafd in WebCore::jsNodePrototypeFunctionNormalizeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSNode*, JSC::ThrowScope&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x110eafd)
    #5 0x33108e94b in long long WebCore::IDLOperation<WebCore::JSNode>::call<&(WebCore::jsNodePrototypeFunctionNormalizeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSNode*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x108e94b)
    #6 0x28fb55c01177 (<unknown module>)
    #7 0x34ab6145b in llint_entry (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa8c45b)
    #8 0x34ab4a3d8 in vmEntryToJavaScript (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa753d8)
    #9 0x34c172937 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x209d937)
    #10 0x34c79e140 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x26c9140)
    #11 0x34c79e242 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x26c9242)
    #12 0x34c79e61f in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x26c961f)
    #13 0x33289a01b in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x289a01b)
    #14 0x332964fa8 in WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2964fa8)
    #15 0x33296495a in WebCore::ScheduledAction::execute(WebCore::Document&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x296495a)
    #16 0x333ddeaaa in WebCore::DOMTimer::fired() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3ddeaaa)
    #17 0x33413cf06 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x413cf06)
    #18 0x3341b440e in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x41b440e)
    #19 0x7fff3d7fee14 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x59e14)
    #20 0x7fff3d7fe9c0 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x599c0)
    #21 0x7fff3d7fe4f9 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x594f9)
    #22 0x7fff3d7dfb33 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3ab33)
    #23 0x7fff3d7df084 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3a084)
    #24 0x7fff3fa53a9e in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1ca9e)
    #25 0x7fff3fa53973 in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1c973)
    #26 0x7fff69ecb1d6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x111d6)
    #27 0x7fff69ecacd8 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10cd8)
    #28 0x106e33465 in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x904465)
    #29 0x7fff69c983d4 in start (/usr/lib/system/libdyld.dylib:x86_64+0x163d4)

==45635==Register values:
rax = 0x0000100000000000  rbx = 0x00007ffee96d93c0  rcx = 0x0000100000000002  rdx = 0x00001c0c00032626
rdi = 0x00007ffee96d93a0  rsi = 0x0000000000000010  rbp = 0x00007ffee96d9350  rsp = 0x00007ffee96d9350
r8  = 0x0000100000000000  r9  = 0x00000fffffffffff  r10 = 0x0000000000000000  r11 = 0x0000000000000128
r12 = 0x00001fffdd2db26c  r13 = 0x00007ffee96d9460  r14 = 0x00007ffee96d9360  r15 = 0x00007ffee96d93a0
Attachments
Minimal test case (4.16 KB, text/html)
2020-02-27 08:21 PST, Ali Juma
no flags
Radar WebKit Bug Importer
Comment 1 2020-02-27 08:21:41 PST
Ryosuke Niwa
Comment 2 2020-03-04 19:44:31 PST
*** This bug has been marked as a duplicate of bug 207875 ***