Bug 226799

Summary:

Nullptr crash in null ptr deref in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline

Product:

WebKit

Reporter:

Ryosuke Niwa <rniwa>

Component:

HTML Editing

Assignee:

Frédéric Wang (:fredw) <fred.wang>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bfulgham, cgarcia, darin, ews-feeder, fred.wang, gpoo, product-security, rbuis, svillar, webkit-bug-importer, wenson_hsieh

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Test	none
Patch	none

Ryosuke Niwa

Reported 2021-06-08 17:15:32 PDT

Created attachment 430918 [details] Test e.g. Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x0000000161224430 WTF::OptionSet<WebCore::Node::NodeFlag>::isEmpty() const + 1 (OptionSet.h:164) [inlined] 1 com.apple.WebCore 0x0000000161224430 WTF::OptionSet<WebCore::Node::NodeFlag>::operator bool() + 1 (OptionSet.h:169) [inlined] 2 com.apple.WebCore 0x0000000161224430 WTF::OptionSet<WebCore::Node::NodeFlag>::containsAny(WTF::OptionSet<WebCore::Node::NodeFlag>) const + 1 (OptionSet.h:178) [inlined] 3 com.apple.WebCore 0x0000000161224430 WTF::OptionSet<WebCore::Node::NodeFlag>::contains(WebCore::Node::NodeFlag) const + 1 (OptionSet.h:173) [inlined] 4 com.apple.WebCore 0x0000000161224430 WebCore::Node::hasNodeFlag(WebCore::Node::NodeFlag) const + 1 (Node.h:585) [inlined] 5 com.apple.WebCore 0x0000000161224430 WebCore::Node::isTextNode() const + 1 (Node.h:191) [inlined] 6 com.apple.WebCore 0x0000000161224430 WebCore::firstPositionInNode(WebCore::Node*) + 1 (Position.h:322) [inlined] 7 com.apple.WebCore 0x0000000161224430 WebCore::ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline(WebCore::ReplaceSelectionCommand::InsertedNodes&) + 992 (ReplaceSelectionCommand.cpp:667) 8 com.apple.WebCore 0x000000016122927c WebCore::ReplaceSelectionCommand::doApply() + 10860 (ReplaceSelectionCommand.cpp:1362) 9 com.apple.WebCore 0x00000001611a93b7 WebCore::CompositeEditCommand::apply() + 167 (CompositeEditCommand.cpp:397) 10 com.apple.WebCore 0x00000001611de4ec WebCore::Editor::replaceSelectionWithFragment(WebCore::DocumentFragment&, WebCore::Editor::SelectReplacement, WebCore::Editor::SmartReplace, WebCore::Editor::MatchStyle, WebCore::EditAction, WebCore::MailBlockquoteHandling) + 892 (Editor.cpp:698) 11 com.apple.WebCore 0x00000001611de088 WebCore::Editor::handleTextEvent(WebCore::TextEvent&) + 72 (Editor.cpp:347) 12 com.apple.WebCore 0x00000001616b70df WebCore::EventHandler::defaultTextInputEventHandler(WebCore::TextEvent&) + 31 (EventHandler.cpp:4182) 13 com.apple.WebCore 0x0000000161115013 WebCore::callDefaultEventHandlersInBubblingOrder(WebCore::Event&, WebCore::EventPath const&) + 39 (EventDispatcher.cpp:63) [inlined] 14 com.apple.WebCore 0x0000000161115013 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 1763 (EventDispatcher.cpp:204) 15 com.apple.WebCore 0x00000001611e0ae5 WebCore::Editor::pasteAsFragment(WTF::Ref<WebCore::DocumentFragment, WTF::RawPtrTraits<WebCore::DocumentFragment> >&&, bool, bool, WebCore::MailBlockquoteHandling) + 245 (Editor.cpp:629) 16 com.apple.WebCore 0x00000001604ee133 WebCore::Editor::pasteWithPasteboard(WebCore::Pasteboard*, WTF::OptionSet<WebCore::Editor::PasteOption>) + 259 (EditorMac.mm:97) 17 com.apple.WebCore 0x00000001611e7e39 WebCore::Editor::paste(WebCore::Pasteboard&, WebCore::Editor::FromMenuOrKeyBinding) + 377 (Editor.cpp:1479) 18 com.apple.WebCore 0x00000001611e7c7f WebCore::Editor::paste(WebCore::Editor::FromMenuOrKeyBinding) + 95 (Editor.cpp:1465) 19 com.apple.WebCore 0x000000016120a063 WebCore::executePaste(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 51 (EditorCommand.cpp:904) 20 com.apple.WebCore 0x00000001610d7cac WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 76 (Document.cpp:5759) 21 com.apple.WebCore 0x0000000160357a16 WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) + 218 (JSDocument.cpp:5859) [inlined] 22 com.apple.WebCore 0x0000000160357a16 long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 392 (JSDOMOperation.h:63) [inlined] 23 com.apple.WebCore 0x0000000160357a16 WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*) + 422 (JSDocument.cpp:5864) 24 ??? 0x00003634ef4011d8 0 + 59600980152792 25 com.apple.JavaScriptCore 0x0000000165ba65f7 llint_entry + 110528 (LowLevelInterpreter.asm:1097) 26 com.apple.JavaScriptCore 0x0000000165b8b436 vmEntryToJavaScript + 216 (LowLevelInterpreter64.asm:316) <rdar://78689218>

Attachments
Test (637 bytes, text/html) 2021-06-08 17:15 PDT, Ryosuke Niwa	no flags	Details
Patch (4.58 KB, patch) 2021-06-17 02:01 PDT, Frédéric Wang (:fredw)	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Ryosuke Niwa

Comment 1 2021-06-08 17:15:44 PDT

Reproduced with non-ASAN release build of WebKitTestRunner at r278627.

Frédéric Wang (:fredw)

Comment 2 2021-06-16 08:39:45 PDT

(In reply to Ryosuke Niwa from comment #1) > Reproduced with non-ASAN release build of WebKitTestRunner at r278627. FWIW ASAN build gives: ==75==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f9b19cf6b86 bp 0x7ffe7ea01800 sp 0x7ffe7ea01750 T0) ==75==The signal is caused by a READ memory access. ==75==Hint: address points to the zero page. #0 0x7f9b19cf6b86 in WTF::OptionSet<WebCore::Node::NodeFlag>::containsAny(WTF::OptionSet<WebCore::Node::NodeFlag>) const (/app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.1.so.0+0x8baeb86) #1 0x7f9b19cf456a in WTF::OptionSet<WebCore::Node::NodeFlag>::contains(WebCore::Node::NodeFlag) const (/app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.1.so.0+0x8bac56a) #2 0x7f9b19cf2979 in WebCore::Node::hasNodeFlag(WebCore::Node::NodeFlag) const (/app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.1.so.0+0x8baa979) #3 0x7f9b19df2eb2 in WebCore::Node::isTextNode() const (/app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.1.so.0+0x8caaeb2) #4 0x7f9b1ad554af in WebCore::firstPositionInNode(WebCore::Node*) (/app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.1.so.0+0x9c0d4af) #5 0x7f9b1f565394 in WebCore::ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline(WebCore::ReplaceSelectionCommand::InsertedNodes&) (/app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.1.so.0+0xe41d394) will take a look at this bug.

Darin Adler

Comment 3 2021-06-16 08:59:54 PDT

Looks like the local variable named context, the element’s parent, is nullptr.

Frédéric Wang (:fredw)

Comment 4 2021-06-16 23:18:25 PDT

(In reply to Darin Adler from comment #3) > Looks like the local variable named context, the element’s parent, is > nullptr. Right, so it looks like when Paste is called, callDefaultEventHandlersInBubblingOrder will also execute the Indent command queued in the microtask which is the one removing the h1 element from the tree. Checking whether the node is orphan seems enought to prevent the crash in the testcase. Thread 1 received signal SIGSEGV, Segmentation fault. (rr) reverse-f (rr) (rr) (rr) (rr) (rr) at ../../Source/WebCore/editing/ReplaceSelectionCommand.cpp:667 667 RefPtr<Node> blockquoteNode = isMailPasteAsQuotationNode(context.get()) ? context.get() : enclosingNodeOfType(firstPositionInNode(context.get()), isMailBlockquote, CanCrossEditingBoundary); (rr) p context.get() $1 = (WebCore::ContainerNode *) 0x0 (rr) bt #0 0x00007fdeea729390 in WebCore::ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline(WebCore::ReplaceSelectionCommand::InsertedNodes&) (this=0x615000261680, insertedNodes=...) at ../../Source/WebCore/editing/ReplaceSelectionCommand.cpp:667 #1 0x00007fdeea732a0d in WebCore::ReplaceSelectionCommand::doApply() (this=0x615000261680) at ../../Source/WebCore/editing/ReplaceSelectionCommand.cpp:1362 #2 0x00007fdeee955195 in WebCore::CompositeEditCommand::apply() (this=0x615000261680) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:397 #3 0x00007fdeea660251 in WebCore::Editor::replaceSelectionWithFragment(WebCore::DocumentFragment&, WebCore::Editor::SelectReplacement, WebCore::Editor::SmartReplace, WebCore::Editor::MatchStyle, WebCore::EditAction, WebCore::MailBlockquoteHandling) (this=0x614000077a40, fragment=..., selectReplacement=WebCore::Editor::SelectReplacement::No, smartReplace=WebCore::Editor::SmartReplace::No, matchStyle=WebCore::Editor::MatchStyle::No, editingAction=WebCore::EditAction::Paste, mailBlockquoteHandling=WebCore::MailBlockquoteHandling::RespectBlockquote) at ../../Source/WebCore/editing/Editor.cpp:698 #4 0x00007fdeea65c0a6 in WebCore::Editor::handleTextEvent(WebCore::TextEvent&) (this=0x614000077a40, event=...) at ../../Source/WebCore/editing/Editor.cpp:347 #5 0x00007fdeeb8ef946 in WebCore::EventHandler::defaultTextInputEventHandler(We bCore::TextEvent&) (this=0x616000384c80, event=...) at ../../Source/WebCore/page/EventHandler.cpp:4182 #6 0x00007fdeea4062ae in WebCore::Node::defaultEventHandler(WebCore::Event&) (this=0x61200007e7c0, event=warning: RTTI symbol not found for class 'WebCore::TextEvent' ...) at ../../Source/WebCore/dom/Node.cpp:2451 #7 0x00007fdeeaa33e7b in WebCore::HTMLInputElement::defaultEventHandler(WebCore::Event&) (this=0x61200007e7c0, event=warning: RTTI symbol not found for class 'WebCore::TextEvent' ...) at ../../Source/WebCore/html/HTMLInputElement.cpp:1258 #8 0x00007fdeea2ed704 in WebCore::callDefaultEventHandlersInBubblingOrder(WebCore::Event&, WebCore::EventPath const&) (event=warning: RTTI symbol not found for class 'WebCore::TextEvent' ..., path=...) at ../../Source/WebCore/dom/EventDispatcher.cpp:63 #9 0x00007fdeea2ee863 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (node=..., event=warning: RTTI symbol not found for class 'WebCore::TextEvent' ...) at ../../Source/WebCore/dom/EventDispatcher.cpp:204 #10 0x00007fdeea4056f3 in WebCore::Node::dispatchEvent(WebCore::Event&) (this=0x61200007e7c0, event=warning: RTTI symbol not found for class 'WebCore::TextEvent' ...) at ../../Source/WebCore/dom/Node.cpp:2381 #11 0x00007fdeea65eda9 in WebCore::Editor::pasteAsFragment(WTF::Ref<WebCore::DocumentFragment, WTF::RawPtrTraits<WebCore::DocumentFragment> >&&, bool, bool, WebCore::MailBlockquoteHandling) (this=0x614000077a40, pastingFragment=..., smartReplace=false, matchStyle=false, respectsMailBlockquote=WebCore::MailBlockquoteHandling::RespectBlockquote) at ../../Source/WebCore/editing/Editor.cpp:629 ... (rr) p showTree(element) warning: RTTI symbol not found for class 'WebCore::HTMLHeadingElement' *H1 0x60c0002b39c0 (renderer (nil)) STYLE=caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none; $2 = void (rr) watch -l element->m_parentNode (rr) rc (rr) delete (rr) reverse-f (rr) bt #0 0x00007fdeea0b3a05 in WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) (this=0x60c0002a6a00, previousChild=0x60c0002b8f40, nextChild=0x60c0002a8380, oldChild=warning: RTTI symbol not found for class 'WebCore::HTMLHeadingElement' ...) at ../../Source/WebCore/dom/ContainerNode.cpp:655 #1 0x00007fdeea0c19a2 in WebCore::ContainerNode::removeNodeWithScriptAssertion(WebCore::Node&, WebCore::ContainerNode::ChildChange::Source) (this=0x60c0002a6a00, childToRemove=warning: RTTI symbol not found for class 'WebCore::HTMLHeadingElement' ..., source=WebCore::ContainerNode::ChildChange::Source::API) at ../../Source/WebCore/dom/ContainerNode.cpp:181 #2 0x00007fdeea0b3355 in WebCore::ContainerNode::removeChild(WebCore::Node&) (this=0x60c0002a6a00, oldChild=warning: RTTI symbol not found for class 'WebCore::HTMLHeadingElement' ...) at ../../Source/WebCore/dom/ContainerNode.cpp:614 #3 0x00007fdeea3f85a0 in WebCore::Node::remove() (this=0x60c0002b39c0) at ../../Source/WebCore/dom/Node.cpp:642 ... #17 0x00007fdeea695d53 in WebCore::executeIndent(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (frame=...) at ../../Source/WebCore/editing/EditorCommand.cpp:445 ... (rr) reverse-f (rr) reverse-f (rr) reverse-f (rr) p showTree(parent) *BODY 0x60c0002a6a00 (renderer 0x61200007dbc0) H1 0x60c0002a8080 (renderer 0x61200007fe40) DIV 0x60c0002a82c0 (renderer 0x61200006c4c0) BLOCKQUOTE 0x60c0002b8f40 (renderer 0x612000097e40) STYLE=margin: 0 0 0 40px; border: none; padding: 0px; H1 0x60c0002b9780 (renderer 0x612000098d40) STYLE=caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none; INPUT 0x612000098140 (renderer 0x612000098ec0) #document-fragment 0x6120000982c0 (renderer (nil)) (needs style recalc) (child needs style recalc) DIV 0x60c0002b9900 (renderer 0x612000099040) H1 0x60c0002b39c0 (renderer 0x612000094fc0) STYLE=caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none; H2 0x60c0002a8380 (renderer 0x61200006c7c0) H3 0x60c0002a8440 (renderer 0x612000096c40) IFRAME 0x61400007d840 (renderer 0x612000096dc0) $3 = void

Frédéric Wang (:fredw)

Comment 5 2021-06-17 02:01:28 PDT

Created attachment 431636 [details] Patch More debugging: 0x00007f6f7b667a08 in WebCore::ReplaceSelectionCommand::doApply ( this=0x615000261180) at ../../Source/WebCore/editing/ReplaceSelectionCommand.cpp:1364 1364 removeRedundantStylesAndKeepStyleSpanInline(insertedNodes); (rr) p showTree(insertedNodes.firstNodeInserted()) warning: RTTI symbol not found for class 'WebCore::HTMLHeadingElement' *H1 0x60c0002b3780 (renderer (nil)) STYLE=caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none; $1 = void (rr) rn (rr) (rr) (rr) (rr) 1355 makeInsertedContentRoundTrippableWithHTMLTreeBuilder(insertedNodes); (rr) rn 1352 if (insertedNodes.isEmpty()) (rr) p showTree(insertedNodes.firstNodeInserted()) warning: RTTI symbol not found for class 'WebCore::HTMLHeadingElement' BODY 0x60c0002a6880 (renderer 0x61200007dbc0) H1 0x60c0002a7f00 (renderer 0x61200007fe40) * H1 0x60c0002b3780 (renderer 0x6120000a3b40) STYLE=caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: -webkit-standard; font-style: normal; font-variant-caps: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tap-highlight-color: rgba(0, 0, 0, 0.4); -webkit-text-stroke-width: 0px; text-decoration: none; INPUT 0x6120000a2640 (renderer 0x6120000a3cc0) #document-fragment 0x6120000a27c0 (renderer (nil)) (needs style recalc) (child needs style recalc) DIV 0x60c0002b3900 (renderer 0x6120000a3e40) DIV 0x60c0002a8140 (renderer 0x61200006c4c0) H2 0x60c0002a8200 (renderer 0x61200006c7c0) H3 0x60c0002a82c0 (renderer 0x61200006c940) IFRAME 0x61400007d840 (renderer 0x6120000a1740) $3 = void

EWS

Comment 6 2021-06-22 02:06:20 PDT

Committed r279110 (239027@main): <https://commits.webkit.org/239027@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 431636 [details].

Note You need to log in before you can comment on or make changes to this bug.