Bug 218490

Created attachment 413024 [details] poc.html VERSION WebkitGTK Version: 2.30.2 stable. Operating System: Ubuntu 18.04(Docker). REPRODUCTION CASE 0. build WebkitGTK with ASAN flags or you can use my docker script at https://github.com/Mipu94/Docker_webkitASAN 1.open poc.html in MiniBrowser(ASAN build) CRASH INFROMATION root@8b2127d9cd7a:~/webkitASAN# ASAN_SYMBOLIZER_PATH=/root/clang/bin/llvm-symbolizer ./bin/MiniBrowser test.html WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled. WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled. WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled. AddressSanitizer:DEADLYSIGNAL ================================================================= ==302==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f80b3c6d817 bp 0x62d000101848 sp 0x7fffbbd7b120 T0) ==302==The signal is caused by a READ memory access. ==302==Hint: address points to the zero page. #0 0x7f80b3c6d817 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x59817) #1 0x7f80b3c7f86e (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6b86e) #2 0x7f80b3c80401 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x6c401) #3 0x7f80b3c3a236 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x26236) #4 0x7f80b3c4bf01 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x37f01) #5 0x7f80b3c842b8 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x702b8) #6 0x7f80b3c421c3 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x2e1c3) #7 0x7f80b3c3bbc8 (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x27bc8) #8 0x7f80b3c349d4 in cairo_stroke (/usr/lib/x86_64-linux-gnu/libcairo.so.2+0x209d4) #9 0x7f80c2cc74ad in WebCore::Cairo::strokePath(WebCore::PlatformContextCairo&, WebCore::Path const&, WebCore::Cairo::StrokeSource const&, WebCore::Cairo::ShadowState const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/platform/graphics/cairo/CairoOperations.cpp:820:5 #10 0x7f80c2ceaf1d in WebCore::GraphicsContextImplCairo::strokePath(WebCore::Path const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/platform/graphics/cairo/GraphicsContextImplCairo.cpp:219:5 #11 0x7f80c2ce2358 in WebCore::GraphicsContext::strokePath(WebCore::Path const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/platform/graphics/cairo/GraphicsContextCairo.cpp:197:17 #12 0x7f80c317d528 in WebCore::RenderBoxModelObject::drawBoxSideFromPath(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::Path const&, WebCore::BorderEdge const*, float, float, WebCore::BoxSide, WebCore::RenderStyle const&, WebCore::Color, WebCore::BorderStyle, WebCore::BackgroundBleedAvoidance, bool, bool) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBoxModelObject.cpp:2048:25 #13 0x7f80c3176af8 in WebCore::RenderBoxModelObject::paintOneBorderSide(WebCore::GraphicsContext&, WebCore::RenderStyle const&, WebCore::RoundedRect const&, WebCore::RoundedRect const&, WebCore::LayoutRect const&, WebCore::BoxSide, WebCore::BoxSide, WebCore::BoxSide, WebCore::BorderEdge const*, WebCore::Path const*, WebCore::BackgroundBleedAvoidance, bool, bool, bool, WebCore::Color const*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBoxModelObject.cpp:1687:9 #14 0x7f80c317f291 in WebCore::RenderBoxModelObject::paintBorderSides(WebCore::GraphicsContext&, WebCore::RenderStyle const&, WebCore::RoundedRect const&, WebCore::RoundedRect const&, WebCore::IntPoint const&, WebCore::BorderEdge const*, unsigned int, WebCore::BackgroundBleedAvoidance, bool, bool, bool, WebCore::Color const*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBoxModelObject.cpp:1753:9 #15 0x7f80c312cea7 in WebCore::RenderBoxModelObject::paintBorder(WebCore::PaintInfo const&, WebCore::LayoutRect const&, WebCore::RenderStyle const&, WebCore::BackgroundBleedAvoidance, bool, bool) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBoxModelObject.cpp:1993:9 #16 0x7f80c31275a3 in WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBox.cpp:1399:9 #17 0x7f80c345c1f5 in WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderReplaced.cpp:180:9 #18 0x7f80c31d6300 in WebCore::paintPhase(WebCore::RenderElement&, WebCore::PaintPhase, WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderElement.cpp:1024:13 #19 0x7f80c31d6300 in WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderElement.cpp:1039:9 #20 0x7f80c3029a67 in WebCore::InlineElementBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/InlineElementBox.cpp:81:16 #21 0x7f80c303ea8e in WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/InlineFlowBox.cpp:1217:23 #22 0x7f80c35c55db in WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RootInlineBox.cpp:168:20 #23 0x7f80c33cca9d in WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLineBoxList.cpp:260:19 #24 0x7f80c30a298e in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1129:9 #25 0x7f80c30a298e in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1298:9 #26 0x7f80c309ea74 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1108:5 #27 0x7f80c30a0df2 in WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1185:19 #28 0x7f80c30a070d in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1149:14 #29 0x7f80c30a29d5 in WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1142:9 #30 0x7f80c30a29d5 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1298:9 #31 0x7f80c309ea74 in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderBlock.cpp:1108:5 #32 0x7f80c332f7f9 in WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:5134:20 #33 0x7f80c33279c4 in WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:5111:9 #34 0x7f80c331c261 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4706:17 #35 0x7f80c3317d2e in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4414:5 #36 0x7f80c3317d2e in WebCore::RenderLayer::paintLayerWithEffects(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4396:5 #37 0x7f80c331c449 in WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4824:21 #38 0x7f80c331c449 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4722:13 #39 0x7f80c3317d2e in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4414:5 #40 0x7f80c3317d2e in WebCore::RenderLayer::paintLayerWithEffects(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4396:5 #41 0x7f80c3314a46 in WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>, WebCore::RenderLayer::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/rendering/RenderLayer.cpp:4189:5 #42 0x7f80c271faa4 in WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/page/FrameView.cpp:4313:16 #43 0x7f80c2a4f037 in WebCore::ScrollView::paint(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) /root/webkitgtk-2.30.2/mybuild/../Source/WebCore/platform/ScrollView.cpp:1277:9 #44 0x7f80beb56d47 in WebKit::WebPage::drawRect(WebCore::GraphicsContext&, WebCore::IntRect const&) /root/webkitgtk-2.30.2/mybuild/../Source/WebKit/WebProcess/WebPage/WebPage.cpp:1848:39 #45 0x7f80bebde0ef in WebKit::DrawingAreaCoordinatedGraphics::display(WebKit::UpdateInfo&) /root/webkitgtk-2.30.2/mybuild/../Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:800:23 #46 0x7f80bebdb6f5 in WebKit::DrawingAreaCoordinatedGraphics::sendDidUpdateBackingStoreState() /root/webkitgtk-2.30.2/mybuild/../Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:480:9 #47 0x7f80bebd894d in WebKit::DrawingAreaCoordinatedGraphics::display() /root/webkitgtk-2.30.2/mybuild/../Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:709:9 #48 0x7f80bb44b5a4 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::operator()(void*) const /root/webkitgtk-2.30.2/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:177:16 #49 0x7f80bb44b5a4 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::$_3::__invoke(void*) /root/webkitgtk-2.30.2/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:169:43 #50 0x7f80bb448b3c in WTF::RunLoop::$_0::operator()(_GSource*, int (*)(void*), void*) const /root/webkitgtk-2.30.2/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:53:28 #51 0x7f80bb448b3c in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) /root/webkitgtk-2.30.2/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:45:5 #52 0x7f80afa21284 in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c284) #53 0x7f80afa2164f (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c64f) #54 0x7f80afa21961 in g_main_loop_run (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c961) #55 0x7f80bb44a08e in WTF::RunLoop::run() /root/webkitgtk-2.30.2/mybuild/../Source/WTF/wtf/glib/RunLoopGLib.cpp:108:9 #56 0x7f80bec13bec in int WebKit::AuxiliaryProcessMain<WebKit::WebProcess, WebKit::WebProcessMainGtk>(int, char**) /root/webkitgtk-2.30.2/mybuild/../Source/WebKit/Shared/AuxiliaryProcessMain.h:68:5 #57 0x7f80abe0cb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310 #58 0x41cfa9 in _start (/usr/libexec/webkit2gtk-4.0/WebKitWebProcess+0x41cfa9)