Bug 223539

Summary: Crash in RenderBlock::addOverflowFromChildren
Product: WebKit
Reporter: Ali Juma <ajuma>
Component: SVG
Assignee: Frédéric Wang (:fredw) <fred.wang>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, cgarcia, ews-feeder, fred.wang, gpoo, product-security, rbuis, rniwa, rohitrao, svillar, webkit-bug-importer, zimmermann
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments (description: flags):
Minimal test case: none
Patch: ews-feeder: commit-queue-
Patch: none
Patch: none
Patch: rniwa: review+, ews-feeder: commit-queue-
Patch for landing: none
Patch for landing: none

Ali Juma
Reported 2021-03-19 14:22:28 PDT
Created attachment 423778 [details] Minimal test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

This reproduces in an ASan build of WebKitTestRunner, and also crashes in STP 122.

Stack:

=================================================================
==62931==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00078565bafd bp 0x7ffeef117c90 sp 0x7ffeef117c90 T0)
==62931==The signal is caused by a READ memory access.
==62931==Hint: address points to the zero page.
==62931==WARNING: invalid path to external symbolizer!
==62931==WARNING: Failed to use and restart external symbolizer!
    #0 0x78565bafc in WTF::VectorBufferBase<WebCore::LayoutIntegration::Line, WTF::FastMalloc>::buffer() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x38eeafc)
    #1 0x785f43885 in WebCore::LayoutIntegration::LineLayout::collectOverflow() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x41d6885)
    #2 0x786d47e54 in WebCore::RenderBlock::addOverflowFromChildren() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fdae54)
    #3 0x786d4811c in WebCore::RenderBlock::computeOverflow(WebCore::LayoutUnit, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fdb11c)
    #4 0x786d8d653 in WebCore::RenderBlockFlow::computeOverflow(WebCore::LayoutUnit, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5020653)
    #5 0x787207917 in WebCore::RenderSVGBlock::computeOverflow(WebCore::LayoutUnit, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x549a917)
    #6 0x786d76ea7 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5009ea7)
    #7 0x786d47674 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fda674)
    #8 0x78720b560 in WebCore::RenderSVGForeignObject::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x549e560)
    #9 0x78728a812 in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement&, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x551d812)
    #10 0x78724d016 in WebCore::RenderSVGRoot::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x54e0016)
    #11 0x786c7f895 in WebCore::ComplexLineLayout::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4f12895)
    #12 0x786d781af in WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500b1af)
    #13 0x786d7685e in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500985e)
    #14 0x786d47674 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fda674)
    #15 0x786d7b970 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500e970)
    #16 0x786d784ed in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500b4ed)
    #17 0x786d76869 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5009869)
    #18 0x786d47674 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fda674)
    #19 0x786d7b970 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500e970)
    #20 0x786d784ed in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500b4ed)
    #21 0x786d76869 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5009869)
    #22 0x786d47674 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fda674)
    #23 0x786d7b970 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500e970)
    #24 0x786d784ed in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500b4ed)
    #25 0x786d76869 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5009869)
    #26 0x786d47674 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fda674)
    #27 0x7870de60a in WebCore::RenderView::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x537160a)
    #28 0x7862c1299 in WebCore::FrameViewLayoutContext::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4554299)
    #29 0x7851e3af6 in WebCore::Document::implicitClose() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3476af6)
    #30 0x78604ebb2 in WebCore::FrameLoader::checkCompleted() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42e1bb2)
    #31 0x78604b1a0 in WebCore::FrameLoader::finishedParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42de1a0)
    #32 0x785202822 in WebCore::Document::finishedParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3495822)
    #33 0x785b1383a in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3da683a)
    #34 0x78601c7e0 in WebCore::DocumentWriter::end() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42af7e0)
    #35 0x785fcda2c in WebCore::DocumentLoader::finishedLoading() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4260a2c)
    #36 0x785fcd3a9 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42603a9)
    #37 0x78618c7ef in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x441f7ef)
    #38 0x7861886ab in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x441b6ab)
    #39 0x786103f07 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4396f07)
    #40 0x102c435c6 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x21535c6)
    #41 0x103300e46 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2810e46)
    #42 0x103300453 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2810453)
    #43 0x102c04a4a in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2114a4a)
    #44 0x100b7c399 in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8c399)
    #45 0x100b7cdf6 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8cdf6)
    #46 0x100b7d9bb in IPC::Connection::dispatchOneIncomingMessage() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8d9bb)
    #47 0x79fc6b2ec in WTF::RunLoop::performWork() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xce2ec)
    #48 0x79fc6e995 in WTF::RunLoop::performWork(void*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xd1995)
    #49 0x7fff35d39883 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84883)
    #50 0x7fff35d39822 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84822)
    #51 0x7fff35d3963c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x8463c)
    #52 0x7fff35d38358 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x83358)
    #53 0x7fff35d37952 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x82952)
    #54 0x7fff383f51c7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x601c7)
    #55 0x7fff384a7c6e in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x112c6e)
    #56 0x7fff6ff144e9 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x164e9)
    #57 0x7fff6ff1442f in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1642f)
    #58 0x7fff6ff13f62 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x15f62)
    #59 0x1019e6923 in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0xef6923)
    #60 0x7fff6fcc2cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)

==62931==Register values:
rax = 0x0000000000000003  rbx = 0x00007ffeef117d00  rcx = 0x0000100000000003  rdx = 0x0000100000000000
rdi = 0x0000000000000018  rsi = 0x0000000781de3880  rbp = 0x00007ffeef117c90  rsp = 0x00007ffeef117c90
r8  = 0x0000100000000000  r9  = 0x0000000000000000  r10 = 0xffffffffffffffff  r11 = 0x00000fffffffffff
r12 = 0x0000000000000000  r13 = 0x00001fffdde22f94  r14 = 0x0000000000000018  r15 = 0x00007ffeef117dc0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x38eeafc) in WTF::VectorBufferBase<WebCore::LayoutIntegration::Line, WTF::FastMalloc>::buffer() const
Attachments
Minimal test case (499 bytes, text/html)
2021-03-19 14:22 PDT, Ali Juma
no flags
Patch (5.95 KB, patch)
2021-04-07 06:54 PDT, Frédéric Wang (:fredw)
ews-feeder: commit-queue-
Patch (20.33 KB, patch)
2021-04-12 05:05 PDT, Frédéric Wang (:fredw)
no flags
Patch (20.33 KB, patch)
2021-04-12 07:07 PDT, Frédéric Wang (:fredw)
no flags
Patch (9.52 KB, patch)
2021-04-13 04:43 PDT, Frédéric Wang (:fredw)
rniwa: review+
ews-feeder: commit-queue-
Patch for landing (10.74 KB, patch)
2021-04-14 00:35 PDT, Frédéric Wang (:fredw)
no flags
Patch for landing (11.31 KB, patch)
2021-04-14 02:00 PDT, Frédéric Wang (:fredw)
no flags
Radar WebKit Bug Importer
Comment 1 2021-03-19 14:22:38 PDT
Frédéric Wang (:fredw)
Comment 2 2021-04-07 06:25:33 PDT
In release mode, we are dereferencing a nullptr inlineContent() here:
https://webkit-search.igalia.com/webkit/source/Source/WebCore/layout/integration/LayoutIntegrationLineLayout.cpp#345

In debug mode, we are actually first hitting the following assertion failure:

ASSERTION FAILED: formattingContextRoot.establishesInlineFormattingContext()
../../Source/WebCore/layout/LayoutState.cpp(162)

Debugging a bit, we arrive at a weird state where there is no in-flow child. Also, the inner <svg> has a RenderSVGViewportContainer renderer, not a RenderSVGRoot:

(rr) up
(rr) https://webkit-search.igalia.com/webkit/rev/c981d4cdcc3401f39ce3157655e0fe7c78afeb0d/Source/WebCore/layout/LayoutState.cpp#162
(rr) bt
#0  0x00007f393ddd19d3 in WebCore::Layout::LayoutState::ensureInlineFormattingState(WebCore::Layout::ContainerBox const&) at ../../Source/WebCore/layout/LayoutState.cpp:162
#1  0x00007f393c653e3e in WebCore::LayoutIntegration::LineLayout::LineLayout(WebCore::RenderBlockFlow&) at ../../Source/WebCore/layout/integration/LayoutIntegrationLineLayout.cpp:64
#2  0x00007f393cfb3663 in std::make_unique<WebCore::LayoutIntegration::LineLayout, WebCore::RenderBlockFlow&>(WebCore::RenderBlockFlow&) () at /usr/include/c++/10.2.0/bits/unique_ptr.h:962
#3  0x00007f393cfad794 in WTF::makeUnique<WebCore::LayoutIntegration::LineLayout, WebCore::RenderBlockFlow&>(WebCore::RenderBlockFlow&) () at WTF/Headers/wtf/StdLibExtras.h:507
#4  0x00007f393cfa1efb in WebCore::RenderBlockFlow::layoutModernLines(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:3661
#5  0x00007f393cf935e9 in WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:696
#6  0x00007f393cf92985 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:523
#7  0x00007f393cf811ff in WebCore::RenderBlock::layout() at ../../Source/WebCore/rendering/RenderBlock.cpp:598
#8  0x00007f393d29c6d8 in WebCore::RenderSVGForeignObject::layout() at ../../Source/WebCore/rendering/svg/RenderSVGForeignObject.cpp:168
(rr) p formattingContextRoot.firstInFlowChild()
$1 = (const WebCore::Layout::Box *) 0x0
(rr) up
(rr) 
(rr) 
(rr) https://webkit-search.igalia.com/webkit/rev/c981d4cdcc3401f39ce3157655e0fe7c78afeb0d/Source/WebCore/rendering/RenderBlockFlow.cpp#3661
(rr) p showRenderTree(this)
(B)lock/(I)nline/I(N)line-block, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, hasLayer(S)crollableArea, (C)omposited, (+)Dirty style, (+)Dirty layout
B---YGLS- -+ RenderView at (0,0) size 785x0 renderer->(0x7f5d1ff79270) layout->[normal child]
B-----LS- -+   HTML RenderBlock at (0,0) size 785x0 renderer->(0x7f5d1ff796e0) node->(0x7f5d1ff7bac0) layout->[self][normal child]
B-------- -+     BODY RenderBody at (0,8) size 769x0 renderer->(0x7f5d1ff79800) node->(0x7f5d1ff7bbe0) layout->[self][normal child]
B-------- -+       DIV RenderBlock at (0,0) size 769x0 renderer->(0x7f5d1ff6c4e0) node->(0x7f5d1ff7bc70) layout->[self][normal child]
I-------- -+         svg RenderSVGRoot at (0,0) size 300x150 renderer->(0x7f5d1ff6c600) node->(0x7f5d1ff6c010) layout->[self][normal child]
B-------- -+*          foreignObject RenderSVGForeignObject at (0,0) size 0x0 renderer->(0x7f5d1ff6c7e0) node->(0x7f5d1ff6c1a0) layout->[self][normal child]
I-------- -+             svg RenderSVGViewportContainer renderer->(0x7f5d1ff6c980) node->(0x7f5d1ff6c2e0) layout->[self]
$2 = void

This RenderSVGViewportContainer is created because the rule "we're living in a shadow tree" wins over the rule "we're a direct child of a <foreignObject> element" here:
https://webkit-search.igalia.com/webkit/rev/c981d4cdcc3401f39ce3157655e0fe7c78afeb0d/Source/WebCore/svg/SVGElement.cpp#203

Tweaking the order of rules, this addresses the debug/release issue. I'll prepare a patch with a test.

I'm not sure whether the "we're a <svg> element that got created as replacement for a <symbol> element or a cloned <svg> element in the referenced tree" assumption is always true though.
Frédéric Wang (:fredw)
Comment 3 2021-04-07 06:54:31 PDT
Ryosuke Niwa
Comment 4 2021-04-07 16:43:05 PDT
Comment on attachment 425390 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425390&action=review

> Source/WebCore/svg/SVGElement.cpp:216
> +    if (isInShadowTree() && is<SVGElement>(parentOrShadowHostElement()))

This looks wrong.
This isn't necessarily true if we're in a shadow tree created by scripts as is the case in this test case.
We should be checking whether we're inside a shadow tree of an use element or not.
Frédéric Wang (:fredw)
Comment 5 2021-04-08 00:29:15 PDT
Comment on attachment 425390 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425390&action=review

>> Source/WebCore/svg/SVGElement.cpp:216
>> +    if (isInShadowTree() && is<SVGElement>(parentOrShadowHostElement()))
>
> This looks wrong.
> This isn't necessarily true if we're in a shadow tree created by scripts as is the case in this test case.
> We should be checking whether we're inside a shadow tree of an use element or not.

Right, that's what I meant at the end of comment 2. But that said, this was already there before the patch and I didn't want to modify this too much.

@Niko: I think you originally added this code. Can you please check whether it still makes sense?
Nikolas Zimmermann
Comment 6 2021-04-10 14:54:11 PDT
(In reply to Ryosuke Niwa from comment #4)
> Comment on attachment 425390 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=425390&action=review
>
> > Source/WebCore/svg/SVGElement.cpp:216
> > +    if (isInShadowTree() && is<SVGElement>(parentOrShadowHostElement()))
>
> This looks wrong.
> This isn't necessarily true if we're in a shadow tree created by scripts as
> is the case in this test case.
> We should be checking whether we're inside a shadow tree of an use element
> or not.

Agreed -- that condition seems to be what we aim for.
I'd propose to change it together with the security fix in one patch.
Frédéric Wang (:fredw)
Comment 7 2021-04-12 05:05:33 PDT
Frédéric Wang (:fredw)
Comment 8 2021-04-12 05:05:56 PDT
Comment on attachment 425390 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425390&action=review

>>>> Source/WebCore/svg/SVGElement.cpp:216
>>>> +    if (isInShadowTree() && is<SVGElement>(parentOrShadowHostElement()))
>>>
>>> This looks wrong.
>>> This isn't necessarily true if we're in a shadow tree created by scripts as is the case in this test case.
>>> We should be checking whether we're inside a shadow tree of an use element or not.
>>
>> Right, that's what I meant at the end of comment 2. But that said, this was already there before the patch and I didn't want to modify this too much.
>>
>> @Niko: I think you originally added this code. Can you please check whether it still makes sense?
>
> Agreed -- that condition seems to be what we aim for.
> I'd propose to change it together with the security fix in one patch.

Thanks, I tried something in the latest version.
Frédéric Wang (:fredw)
Comment 9 2021-04-12 07:07:25 PDT
Ryosuke Niwa
Comment 10 2021-04-12 23:25:50 PDT
Comment on attachment 425742 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425742&action=review

> LayoutTests/svg/outermost-svg-root.html:1
> +<!DOCTYPE html>

Please make this a ref test so that the expected result can be shared across platforms.
Frédéric Wang (:fredw)
Comment 11 2021-04-12 23:29:18 PDT
Comment on attachment 425742 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425742&action=review

>> LayoutTests/svg/outermost-svg-root.html:1
>> +<!DOCTYPE html>
>
> Please make this a ref test so that the expected result can be shared across platforms.

The point of this bug is to check whether a "RenderSVGRoot" or a "RenderSVGViewportContainer" renderer is used for the <svg> element, so dumping the render tree was intentional. Not sure how I can make this a reftest, unless there is a way to visually differentiate the two kinds of renderers.
Ryosuke Niwa
Comment 12 2021-04-13 02:05:32 PDT
(In reply to Frédéric Wang (:fredw) from comment #11)
> Comment on attachment 425742 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=425742&action=review
>
> >> LayoutTests/svg/outermost-svg-root.html:1
> >> +<!DOCTYPE html>
> >
> > Please make this a ref test so that the expected result can be shared across platforms.
>
> The point of this bug is to check whether a "RenderSVGRoot" or a
> "RenderSVGViewportContainer" renderer is used for the <svg> element, so
> dumping the render tree was intentional. Not sure how I can make this a
> reftest, unless there is a way to visually differentiate the two kinds of
> renderers.

Oh, I see. Can we instead use internals.elementRenderTreeAsText and explicitly check for that? The problem with these render tree dumps is that it's very much unclear when the test is a pass and when it's a fail.
Ryosuke Niwa
Comment 13 2021-04-13 02:11:12 PDT
It also looks like RenderSVGViewportContainer knows how to clip itself when overflow: hidden is applied but not RenderSVGViewportContainer, so maybe you can make a visual difference with overflow: hidden.
Frédéric Wang (:fredw)
Comment 14 2021-04-13 02:59:53 PDT
Comment on attachment 425742 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425742&action=review

>>>> LayoutTests/svg/outermost-svg-root.html:1
>>>> +<!DOCTYPE html>
>>>
>>> Please make this a ref test so that the expected result can be shared across platforms.
>>
>> The point of this bug is to check whether a "RenderSVGRoot" or a "RenderSVGViewportContainer" renderer is used for the <svg> element, so dumping the render tree was intentional. Not sure how I can make this a reftest, unless there is a way to visually differentiate the two kinds of renderers.
>
> Oh, I see. Can we instead use internals.elementRenderTreeAsText and explicitly check for that? The problem with these render tree dumps is that it's very much unclear when the test is a pass and when it's a fail.

Yes, I don't like these either... will try to write a better test with your suggestions, thanks!
Frédéric Wang (:fredw)
Comment 15 2021-04-13 04:43:46 PDT
Ryosuke Niwa
Comment 16 2021-04-13 17:20:21 PDT
Comment on attachment 425862 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425862&action=review

> Source/WebCore/svg/SVGElement.cpp:213
> +    if (isInShadowTree() && is<SVGUseElement>(parentOrShadowHostElement()))
> +        return false;

Wait, this isn't quite right, right? This node can be a child of use element both of which are a shadow tree?
We want to check is<SVGUseElement>(shadowHost()) instead. Please add a test case for that.
Frédéric Wang (:fredw)
Comment 17 2021-04-14 00:35:30 PDT
Created attachment 425957 [details] Patch for landing
Frédéric Wang (:fredw)
Comment 18 2021-04-14 00:37:20 PDT
Comment on attachment 425862 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425862&action=review

>> Source/WebCore/svg/SVGElement.cpp:213
>> +        return false;
>
> Wait, this isn't quite right, right? This node can be a child of use element both of which are a shadow tree?
> We want to check is<SVGUseElement>(shadowHost()) instead. Please add a test case for that.

Done, but actually this does not change behavior since is<SVGUseElement>(*parentNode()) implies !is<SVGElement>(*parentNode()) == false in the statement below.
Ryosuke Niwa
Comment 19 2021-04-14 00:40:46 PDT
Comment on attachment 425862 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425862&action=review

>>> Source/WebCore/svg/SVGElement.cpp:213
>>> +        return false;
>>
>> Wait, this isn't quite right, right? This node can be a child of use element both of which are a shadow tree?
>> We want to check is<SVGUseElement>(shadowHost()) instead. Please add a test case for that.
>
> Done, but actually this does not change behavior since is<SVGUseElement>(*parentNode()) implies !is<SVGElement>(*parentNode()) == false in the statement below.

Oh, I see. That makes sense.
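Added illustration for readers of this thread (not code from the bug's patches or from WebKit): a toy model of the "is this <svg> the outermost SVG root?" decision, showing why the rule ordering from comment 2 turned the inner <svg> of a foreignObject inside a script-created shadow tree into a RenderSVGViewportContainer, and how the <use>-shadow-host check discussed in comments 16 to 19 keeps <use> instance trees as inner <svg>s. Node, Kind, Tree, the constructed trees and the two orderings are assumptions made for the illustration; the "after" ordering is my reading of the discussion, not the landed diff.

```cpp
// Toy model of WebKit's "is this <svg> the outermost SVG root?" decision, written
// for this bug thread. NOT WebKit's SVGElement code: Node, Kind, the tree builders
// and both rule orderings are assumptions made to illustrate the discussion.
#include <cstdio>
#include <memory>
#include <vector>

enum class Kind { HtmlDiv, ShadowRoot, Svg, ForeignObject, Use };
enum class Renderer { SVGRoot, SVGViewportContainer };

struct Node {
    Kind kind;
    const Node* parent = nullptr;     // DOM parent; a ShadowRoot node at the top of a shadow tree
    const Node* shadowHost = nullptr; // host element, set for every node inside a shadow tree
    bool isSVGElement() const { return kind == Kind::Svg || kind == Kind::ForeignObject || kind == Kind::Use; }
    bool isInShadowTree() const { return shadowHost != nullptr; }
    // Like parentOrShadowHostElement(): the parent element, or the host when the parent is the shadow root.
    const Node* parentOrShadowHostElement() const {
        return (parent && parent->kind == Kind::ShadowRoot) ? shadowHost : parent;
    }
};

// Pre-fix ordering (comment 2): "in a shadow tree under an SVG element" is tested before
// "direct child of <foreignObject>", so inside a script-created shadow tree the latter never runs.
bool isOutermostBefore(const Node& svg) {
    const Node* p = svg.parentOrShadowHostElement();
    if (svg.isInShadowTree() && p && p->isSVGElement())
        return false;
    if (!svg.parent)
        return true; // detached element: behave as outermost
    if (svg.parent->kind == Kind::ForeignObject)
        return true;
    return !svg.parent->isSVGElement();
}

// Post-fix ordering as read from comments 16 to 19 (assumption, not the landed diff):
// the <foreignObject> rule wins, and only a shadow tree hosted by <use> forces "inner <svg>".
bool isOutermostAfter(const Node& svg) {
    if (!svg.parent)
        return true;
    if (svg.parent->kind == Kind::ForeignObject)
        return true;
    if (svg.isInShadowTree() && svg.shadowHost->kind == Kind::Use)
        return false;
    return !svg.parent->isSVGElement();
}

// Renderer the classification maps to (the two names in comment 2's render tree dump).
Renderer rendererFor(bool outermost) { return outermost ? Renderer::SVGRoot : Renderer::SVGViewportContainer; }
const char* rendererName(Renderer r) { return r == Renderer::SVGRoot ? "RenderSVGRoot" : "RenderSVGViewportContainer"; }

// Small arena so each constructed tree owns its nodes.
struct Tree {
    std::vector<std::unique_ptr<Node>> nodes;
    const Node* outer = nullptr; // the <svg> at the top of the shadow tree (if any)
    const Node* inner = nullptr; // the <svg> whose renderer we ask about
    const Node* add(Kind k, const Node* parent, const Node* host) {
        nodes.push_back(std::make_unique<Node>(Node{k, parent, host}));
        return nodes.back().get();
    }
};

// Shape from the render tree in comment 2 (constructed): a <div> hosting a
// script-created shadow tree that contains svg > foreignObject > svg.
Tree foreignObjectInScriptShadowTree() {
    Tree t;
    const Node* host = t.add(Kind::HtmlDiv, nullptr, nullptr);
    const Node* root = t.add(Kind::ShadowRoot, host, nullptr);
    t.outer = t.add(Kind::Svg, root, host);
    const Node* fo = t.add(Kind::ForeignObject, t.outer, host);
    t.inner = t.add(Kind::Svg, fo, host);
    return t;
}

// <use> instance tree (constructed): the cloned <svg> under a shadow root hosted by <use>.
Tree clonedSvgUnderUse() {
    Tree t;
    const Node* use = t.add(Kind::Use, nullptr, nullptr);
    const Node* root = t.add(Kind::ShadowRoot, use, nullptr);
    t.inner = t.add(Kind::Svg, root, use);
    return t;
}

int main() {
    struct Case { const char* name; Tree tree; } cases[] = {
        {"inner svg of svg > foreignObject > svg in a script shadow tree", foreignObjectInScriptShadowTree()},
        {"cloned svg in a <use> shadow tree", clonedSvgUnderUse()},
    };
    for (const Case& c : cases)
        std::printf("%-62s before: %-26s after: %s\n", c.name,
                    rendererName(rendererFor(isOutermostBefore(*c.tree.inner))),
                    rendererName(rendererFor(isOutermostAfter(*c.tree.inner))));
    return 0;
}
```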
Frédéric Wang (:fredw)
Comment 20 2021-04-14 02:00:48 PDT
Created attachment 425961 [details] Patch for landing
EWS
Comment 21 2021-04-14 08:13:43 PDT
Committed r275944 (236506@main): <https://commits.webkit.org/236506@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 425961 [details].