Bug 221442

Summary: [CoreIPC] Nullptr crash in Ref<SharedBuffer>::copyRef() via IPC::ArgumentCoder<WebCore::PasteboardCustomData, void>::decode
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: HTML EditingAssignee: Rob Buis <rbuis>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, cgarcia, commit-queue, ews-feeder, fred.wang, gpoo, jenner, product-security, rbuis, svillar, webkit-bug-importer, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 222689    
Bug Blocks:    
Attachments:
Description Flags
Test
none
Test
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch none

Ryosuke Niwa
Reported 2021-02-04 18:13:20 PST
Using the new IPC testing code I added in https://trac.webkit.org/r268239, we can reproduce the following crash in macOS ASAN builds (tested in r272114): ================================================================= ==53853==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x00011d3efc6d bp 0x7ffeee836b10 sp 0x7ffeee836b00 T0) #0 0x11d3efc6d in WTF::RefCountedBase::ref() const RefCounted.h:46 #1 0x11d437077 in WTF::Ref<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer> >::Ref(WebCore::SharedBuffer&) Ref.h:67 #2 0x11d422848 in WTF::Ref<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer> >::Ref(WebCore::SharedBuffer&) Ref.h:66 #3 0x11d56cde9 in WTF::Ref<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer> >::copyRef() const & Ref.h:125 #4 0x122014435 in WebCore::copyPlatformData(WTF::Variant<WTF::String, WTF::Ref<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer> > > const&) PasteboardCustomData.cpp:42 #5 0x122014331 in WebCore::PasteboardCustomData::Entry::Entry(WebCore::PasteboardCustomData::Entry const&) PasteboardCustomData.cpp:50 #6 0x1220144c8 in WebCore::PasteboardCustomData::Entry::Entry(WebCore::PasteboardCustomData::Entry const&) PasteboardCustomData.cpp:51 #7 0x12201b7c9 in void WTF::VectorCopier<false, WebCore::PasteboardCustomData::Entry>::uninitializedCopy<WebCore::PasteboardCustomData::Entry>(WebCore::PasteboardCustomData::Entry const*, WebCore::PasteboardCustomData::Entry const*, WebCore::PasteboardCustomData::Entry*) Vector.h:168 #8 0x12201b6f8 in WTF::VectorTypeOperations<WebCore::PasteboardCustomData::Entry>::uninitializedCopy(WebCore::PasteboardCustomData::Entry const*, WebCore::PasteboardCustomData::Entry const*, WebCore::PasteboardCustomData::Entry*) Vector.h:268 #9 0x12201622d in WTF::Vector<WebCore::PasteboardCustomData::Entry, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator=(WTF::Vector<WebCore::PasteboardCustomData::Entry, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) Vector.h:930 #10 0x12201611f in WebCore::PasteboardCustomData::operator=(WebCore::PasteboardCustomData const&) PasteboardCustomData.cpp:174 #11 0x111f01b36 in IPC::ArgumentCoder<WebCore::PasteboardCustomData, void>::decode(IPC::Decoder&, WebCore::PasteboardCustomData&) WebCoreArgumentCoders.cpp:1620 #12 0x10fd9a0df in IPC::Decoder& IPC::Decoder::operator>><WebCore::PasteboardCustomData>(WTF::Optional<WebCore::PasteboardCustomData>&) Decoder.h:110 #13 0x10fd99cbb in IPC::VectorArgumentCoder<false, WebCore::PasteboardCustomData, 0ul, WTF::CrashOnOverflow, 16ul>::decode(IPC::Decoder&) ArgumentCoders.h:403 #14 0x10fd999b7 in IPC::Decoder& IPC::Decoder::operator>><WTF::Vector<WebCore::PasteboardCustomData, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >(WTF::Optional<WTF::Vector<WebCore::PasteboardCustomData, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&) Decoder.h:107 #15 0x1121c2135 in IPC::TupleDecoderImpl<WTF::Vector<WebCore::PasteboardCustomData, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WTF::String>::decode(IPC::Decoder&) ArgumentCoders.h:300 #16 0x1121c203d in IPC::TupleDecoder<2ul, WTF::Vector<WebCore::PasteboardCustomData, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WTF::String>::decode(IPC::Decoder&) ArgumentCoders.h:328 #17 0x1121c1f5d in IPC::ArgumentCoder<std::__1::tuple<WTF::Vector<WebCore::PasteboardCustomData, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WTF::String>, void>::decode(IPC::Decoder&) ArgumentCoders.h:348 #18 0x1121c1d61 in IPC::Decoder& IPC::Decoder::operator>><std::__1::tuple<WTF::Vector<WebCore::PasteboardCustomData, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WTF::String> >(WTF::Optional<std::__1::tuple<WTF::Vector<WebCore::PasteboardCustomData, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WTF::String> >&) Decoder.h:107 #19 0x1121bd81c in void IPC::handleMessageSynchronousWantsConnection<Messages::WebPasteboardProxy::WriteCustomData, WebKit::WebPasteboardProxy, void (WebKit::WebPasteboardProxy::*)(IPC::Connection&, WTF::Vector<WebCore::PasteboardCustomData, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::String const&, WTF::CompletionHandler<void (long long)>&&)>(IPC::Connection&, IPC::Decoder&, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >&, WebKit::WebPasteboardProxy*, void (WebKit::WebPasteboardProxy::*)(IPC::Connection&, WTF::Vector<WebCore::PasteboardCustomData, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::String const&, WTF::CompletionHandler<void (long long)>&&)) HandleMessage.h:155 #20 0x1121bd218 in WebKit::WebPasteboardProxy::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >&) WebPasteboardProxyMessageReceiver.cpp:403 #21 0x110025106 in IPC::MessageReceiverMap::dispatchSyncMessage(IPC::Connection&, IPC::Decoder&, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >&) MessageReceiverMap.cpp:135 #22 0x110f6490c in WebKit::AuxiliaryProcessProxy::dispatchSyncMessage(IPC::Connection&, IPC::Decoder&, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >&) AuxiliaryProcessProxy.cpp:221 #23 0x111351ebb in WebKit::WebProcessProxy::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >&) WebProcessProxy.cpp:824 #24 0x10fb110e2 in IPC::Connection::dispatchSyncMessage(IPC::Decoder&) Connection.cpp:941 #25 0x10fb13210 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) Connection.cpp:1136 #26 0x10fb10029 in IPC::Connection::dispatchIncomingMessages() Connection.cpp:1242 #27 0x10fb3232e in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_8::operator()() Connection.cpp:999 #28 0x10fb3229c in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_8, void>::call() Function.h:52 #29 0x10186f74e in WTF::Function<void ()>::operator()() const Function.h:83 #30 0x10190a818 in WTF::RunLoop::performWork() RunLoop.cpp:128 #31 0x10190db35 in WTF::RunLoop::performWork(void*) RunLoopCF.cpp:46 <rdar://problem/73570423>
Attachments
Test (422 bytes, text/html)
2021-02-04 20:59 PST, Ryosuke Niwa 		no flags
Details
Test (1.15 KB, text/html)
2021-02-25 00:13 PST, Ryosuke Niwa 		no flags
Details
Patch (4.03 KB, patch)
2021-03-01 05:32 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (4.00 KB, patch)
2021-03-01 22:51 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (4.04 KB, patch)
2021-03-02 01:21 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (4.07 KB, patch)
2021-03-03 22:19 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Patch (2.24 KB, patch)
2021-03-04 13:54 PST, Rob Buis 		no flags
DetailsFormatted DiffDiff
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2021-02-04 20:59:56 PST
Created attachment 419359 [details] Test
Rob Buis
Comment 2 2021-02-22 02:10:37 PST
I get a different backtrace on MacOS: ASSERTION FAILED: node.isConnected() ./style/StyleScope.cpp(155) : static WebCore::Style::Scope &WebCore::Style::Scope::forNode(WebCore::Node &) 1 0x79ea9a899 WTFCrash 2 0x75fcc19e0 canLoad_libAccessibility__AXSIsolatedTreeMode 3 0x76c724678 WebCore::Style::Scope::forNode(WebCore::Node&) 4 0x76c60b7c1 WebCore::Style::ElementRuleCollector::matchSlottedPseudoElementRules() 5 0x76c60b3a0 WebCore::Style::ElementRuleCollector::collectMatchingAuthorRules() 6 0x76c60b235 WebCore::Style::ElementRuleCollector::matchAuthorRules() 7 0x76c6f2a61 WebCore::Style::Resolver::pseudoStyleRulesForElement(WebCore::Element const*, WebCore::PseudoId, unsigned int) 8 0x76c6f267e WebCore::Style::Resolver::styleRulesForElement(WebCore::Element const*, unsigned int) 9 0x768230939 WebCore::styleFromMatchedRulesForElement(WebCore::Element&, unsigned int) 10 0x768230dc7 WebCore::EditingStyle::removeStyleFromRulesAndContext(WebCore::StyledElement&, WebCore::Node*) 11 0x768362f7b WebCore::ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline(WebCore::ReplaceSelectionCommand::InsertedNodes&) 12 0x76836a094 WebCore::ReplaceSelectionCommand::doApply() 13 0x7681a20c8 WebCore::CompositeEditCommand::apply() 14 0x76825af35 WebCore::Editor::replaceSelectionWithFragment(WebCore::DocumentFragment&, WebCore::Editor::SelectReplacement, WebCore::Editor::SmartReplace, WebCore::Editor::MatchStyle, WebCore::EditAction, WebCore::MailBlockquoteHandling) 15 0x76825a13c WebCore::Editor::handleTextEvent(WebCore::TextEvent&) 16 0x769f55cc8 WebCore::EventHandler::defaultTextInputEventHandler(WebCore::TextEvent&) 17 0x767e690bb WebCore::Node::defaultEventHandler(WebCore::Event&) 18 0x767cdd8f3 WebCore::callDefaultEventHandlersInBubblingOrder(WebCore::Event&, WebCore::EventPath const&) 19 0x767cdca62 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) 20 0x767e67efd WebCore::Node::dispatchEvent(WebCore::Event&) 21 0x76825f71c WebCore::Editor::pasteAsFragment(WTF::Ref<WebCore::DocumentFragment, WTF::RawPtrTraits<WebCore::DocumentFragment> >&&, bool, bool, WebCore::MailBlockquoteHandling) 22 0x762599770 WebCore::Editor::pasteWithPasteboard(WebCore::Pasteboard*, WTF::OptionSet<WebCore::Editor::PasteOption>) 23 0x768270d1b WebCore::Editor::paste(WebCore::Pasteboard&, WebCore::Editor::FromMenuOrKeyBinding) 24 0x76827078d WebCore::Editor::paste(WebCore::Editor::FromMenuOrKeyBinding) 25 0x7682e57c2 WebCore::executePaste(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) 26 0x7682757a0 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
Frédéric Wang (:fredw)
Comment 3 2021-02-22 02:14:59 PST
(In reply to Rob Buis from comment #2) > I get a different backtrace on MacOS: > ASSERTION FAILED: node.isConnected() This looks like a duplicate of bug 221651. Can you please try with the patch?
Frédéric Wang (:fredw)
Comment 4 2021-02-22 05:57:01 PST
(In reply to Frédéric Wang (:fredw) from comment #3) > (In reply to Rob Buis from comment #2) > > I get a different backtrace on MacOS: > > ASSERTION FAILED: node.isConnected() > > This looks like a duplicate of bug 221651. Can you please try with the patch? So checking now, actually the node.isConnected() failure is happening with a <slot> element (which always has `display: content`) ; so this is similar but different to bug 221651. Will investigate more... (rr) p showTree(&node) SUMMARY 0x7f04d475fde0 (renderer (nil)) STYLE=padding: 1px; (needs style recalc) #document-fragment 0x7f04d475fe70 (renderer (nil)) (needs style recalc) (child needs style recalc) DIV 0x7f04d4750010 (renderer (nil)) * SLOT 0x7f04d47500a0 (renderer (nil)) IMG 0x7f04d47513b0 (renderer (nil)) STYLE=caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none; $1 = void
Ryosuke Niwa
Comment 5 2021-02-25 00:12:43 PST
Comment on attachment 419359 [details] Test Sorry, this test is for https://bugs.webkit.org/show_bug.cgi?id=221440.
Ryosuke Niwa
Comment 6 2021-02-25 00:13:14 PST
Created attachment 421507 [details] Test
Rob Buis
Comment 7 2021-02-25 00:26:43 PST
(In reply to Ryosuke Niwa from comment #6) > Created attachment 421507 [details] > Test Thnx, now same bt is reproducible on MacOS, will have a look.
Ryosuke Niwa
Comment 8 2021-02-27 01:22:41 PST
(In reply to Rob Buis from comment #7) > (In reply to Ryosuke Niwa from comment #6) > > Created attachment 421507 [details] > > Test > > Thnx, now same bt is reproducible on MacOS, will have a look. Nice!
Rob Buis
Comment 9 2021-03-01 05:32:07 PST
Created attachment 421812 [details] Patch
Ryosuke Niwa
Comment 10 2021-03-01 16:11:08 PST
Comment on attachment 421812 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=421812&action=review > LayoutTests/ChangeLog:9 > + * ipc/pasteboard-write-custom-data-expected.txt: Added. > + * ipc/pasteboard-write-custom-data.html: Added. Oh, we probably need to skip this entire directory in release builds since this API isn't available there.
Rob Buis
Comment 11 2021-03-01 22:51:14 PST
Created attachment 421908 [details] Patch
Rob Buis
Comment 12 2021-03-01 22:53:09 PST
Comment on attachment 421812 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=421812&action=review >> LayoutTests/ChangeLog:9 >> + * ipc/pasteboard-write-custom-data.html: Added. > > Oh, we probably need to skip this entire directory in release builds since this API isn't available there. I made a mistake when trying to protect calling the API through testing window.IPC, should work this time.
EWS
Comment 13 2021-03-02 00:05:56 PST
/Volumes/Data/worker/Commit-Queue/build/LayoutTests/ChangeLog neither lists a valid reviewer nor contains the string "Unreviewed" or "Rubber stamp" (case insensitive).
Ryosuke Niwa
Comment 14 2021-03-02 00:08:48 PST
Comment on attachment 421908 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=421908&action=review > LayoutTests/ChangeLog:7 > + Add test for this. > + You're missing: Reviewed by NOBODY (OOPS!).
Rob Buis
Comment 15 2021-03-02 01:21:15 PST
Comment on attachment 421908 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=421908&action=review >> LayoutTests/ChangeLog:7 >> + > > You're missing: Reviewed by NOBODY (OOPS!). Need more coffee :(
Rob Buis
Comment 16 2021-03-02 01:21:52 PST
Created attachment 421913 [details] Patch
EWS
Comment 17 2021-03-02 02:15:15 PST
Committed r273727: <https://commits.webkit.org/r273727> All reviewed patches have been landed. Closing bug and clearing flags on attachment 421913 [details].
WebKit Commit Bot
Comment 18 2021-03-03 14:32:33 PST
Re-opened since this is blocked by bug 222689
Ryosuke Niwa
Comment 19 2021-03-03 17:31:33 PST
https://results.webkit.org/?suite=layout-tests&test=ipc%2Fpasteboard-write-custom-data.html https://build.webkit.org/results/Apple-BigSur-Debug-WK2-Tests/r273832%20(488)/ipc/pasteboard-write-custom-data-crash-log.txt Application Specific Information: CRASHING TEST: ipc/pasteboard-write-custom-data.html Thread 0 Crashed: 0 com.apple.JavaScriptCore 0x0000000101d5c58e WTFCrash + 14 (Assertions.cpp:295) 1 com.apple.WebKit 0x000000010d90d1bb WTFCrashWithInfo(int, char const*, char const*, int) + 27 (Assertions.h:671) 2 com.apple.WebKit 0x000000010de137c9 IPC::MessageReceiverMap::dispatchSyncMessage(IPC::Connection&, IPC::Decoder&, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >&) + 169 (MessageReceiverMap.cpp:133) 3 com.apple.WebKit 0x000000010ebccdc6 WebKit::AuxiliaryProcessProxy::dispatchSyncMessage(IPC::Connection&, IPC::Decoder&, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >&) + 54 (AuxiliaryProcessProxy.cpp:226) 4 com.apple.WebKit 0x000000010ef2db7f WebKit::WebProcessProxy::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >&) + 63 (WebProcessProxy.cpp:835) 5 com.apple.WebKit 0x000000010d98c973 IPC::Connection::dispatchSyncMessage(IPC::Decoder&) + 483 (Connection.cpp:915) 6 com.apple.WebKit 0x000000010d98d6e2 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 610 (Connection.cpp:1053) 7 com.apple.WebKit 0x000000010d98bee1 IPC::Connection::dispatchIncomingMessages() + 913 (Connection.cpp:1159) 8 com.apple.WebKit 0x000000010d9ac9d2 IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_9::operator()() + 66 (Connection.cpp:977) 9 com.apple.WebKit 0x000000010d9ac8fe WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_9, void>::call() + 30 (Function.h:52) 10 com.apple.JavaScriptCore 0x0000000101d87a82 WTF::Function<void ()>::operator()() const + 130 (Function.h:83) 11 com.apple.JavaScriptCore 0x0000000101e09925 WTF::RunLoop::performWork() + 341 (RunLoop.cpp:128) 12 com.apple.JavaScriptCore 0x0000000101e0e1e1 WTF::RunLoop::performWork(void*) + 33 (RunLoopCF.cpp:46) 13 com.apple.CoreFoundation 0x00007fff2046da0c __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 14 com.apple.CoreFoundation 0x00007fff2046d974 __CFRunLoopDoSource0 + 180
Rob Buis
Comment 20 2021-03-03 22:19:35 PST
Created attachment 422182 [details] Patch
Ryosuke Niwa
Comment 21 2021-03-03 22:26:50 PST
Comment on attachment 421913 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=421913&action=review > LayoutTests/ipc/pasteboard-write-custom-data.html:9 > + IPC.sendMessage('UI',9,IPC.messages.WebPasteboardProxy_WriteCustomData.name,[buf]); Oh yeah, 9, wouldn't work LOL. Sorry, should have caught that during the code review.
EWS
Comment 22 2021-03-04 05:53:30 PST
Committed r273886: <https://commits.webkit.org/r273886> All reviewed patches have been landed. Closing bug and clearing flags on attachment 422182 [details].
Robert Jenner
Comment 24 2021-03-04 12:33:55 PST
(In reply to Robert Jenner from comment #23) > Reverted this due to consistent crashing. > > HISTORY URL: > https://results.webkit.org/?suite=layout-tests&test=ipc%2Fpasteboard-write- > custom-data.html > > > CRASHLOG: > https://build.webkit.org/results/Apple-BigSur-Debug-WK2-Tests/ > r273832%20(488)/ipc/pasteboard-write-custom-data-crash-log.txt Reverted in https://webkit.org/b/222689
Rob Buis
Comment 25 2021-03-04 13:54:26 PST
Reopening to attach new patch.
Rob Buis
Comment 26 2021-03-04 13:54:30 PST
Created attachment 422279 [details] Patch
EWS
Comment 27 2021-03-05 16:02:42 PST
Committed r274016: <https://commits.webkit.org/r274016> All reviewed patches have been landed. Closing bug and clearing flags on attachment 422279 [details].
Note You need to log in before you can comment on or make changes to this bug.