Bug 230581

Summary: [RenderTreeUpdater] NULL ptr deref in updateRenderTree
Product: WebKit Reporter: Brandon <brandonstewart>
Component: Layout and RenderingAssignee: Brandon <brandonstewart>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, brandonstewart, cdumez, changseok, esprehn+autocc, ews-watchlist, glenn, kangil.han, koivisto, kondapallykalyan, msaboff, pdr, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: Safari Technology Preview   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
ews-feeder: commit-queue-
Patch 2
ews-feeder: commit-queue-
Patch3 test
none
Patch
koivisto: review+, ews-feeder: commit-queue-
Patch ews-feeder: commit-queue-

Brandon
Reported 2021-09-21 16:06:28 PDT
This script causes a crash <script> onload = () => { let div0 = document.createElement('div'); div0.style.display = 'contents'; let div1 = document.createElement('div'); div1.append('ab'); div0.appendChild(div1); document.body.appendChild(div0); document.body.offsetTop; div1.innerHTML = 'a'; new Document().appendChild(div0); }; </script> Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00000001072d946f WebCore::shouldCreateRenderer(WebCore::Element const&, WebCore::RenderElement const&) + 0 (RenderTreeUpdater.cpp:137) [inlined] 1 com.apple.WebCore 0x00000001072d946f WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) + 2367 (RenderTreeUpdater.cpp:198) 2 com.apple.WebCore 0x00000001072d8a4b WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 507 (RenderTreeUpdater.cpp:126) 3 com.apple.WebCore 0x000000010664fe99 WebCore::Document::updateRenderTree(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 105 (Document.cpp:2023) 4 com.apple.WebCore 0x0000000106650357 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 1127 (Document.cpp:2113) 5 com.apple.WebCore 0x0000000106650973 WebCore::Document::updateStyleIfNeeded() + 371 (Document.cpp:2205) <rdar://83101139>
Attachments
Patch (6.23 KB, patch)
2021-09-21 17:02 PDT, Brandon 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch 2 (159.01 KB, patch)
2021-09-23 10:00 PDT, Brandon 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch3 test (4.41 KB, patch)
2021-09-23 15:54 PDT, Brandon 		no flags
DetailsFormatted DiffDiff
Patch (5.16 KB, patch)
2021-09-23 16:31 PDT, Brandon 		koivisto: review+
ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (5.12 KB, patch)
2021-09-23 23:23 PDT, Brandon 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Brandon
Comment 1 2021-09-21 17:02:21 PDT
Created attachment 438889 [details] Patch
Brandon
Comment 2 2021-09-23 10:00:06 PDT
Created attachment 439055 [details] Patch 2
zalan
Comment 3 2021-09-23 11:36:35 PDT
Let's not try to fix the Changelog formatting in this patch.
Brandon
Comment 4 2021-09-23 15:54:26 PDT
Created attachment 439102 [details] Patch3 test
Brandon
Comment 5 2021-09-23 16:31:13 PDT
Created attachment 439106 [details] Patch
Antti Koivisto
Comment 6 2021-09-23 22:41:30 PDT
Good fix.
Antti Koivisto
Comment 7 2021-09-23 22:47:04 PDT
Comment on attachment 439106 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=439106&action=review > LayoutTests/fast/dom/Document/clearPendingRenderTreeUpdater.html:15 > +<html> > +<script> > + onload = () => { > + let div0 = document.createElement('div'); > + div0.style.display = 'contents'; > + let div1 = document.createElement('div'); > + div1.append('ab'); > + div0.appendChild(div1); > + document.body.appendChild(div0); > + document.body.offsetTop; > + div1.innerHTML = 'a'; > + new Document().appendChild(div0); > + }; > +</script> > +</html> Please add if (window.testRunner) testRunner.dumpAsText() in the beginning. > LayoutTests/platform/mac/fast/dom/Document/clearPendingRenderTreeUpdater-expected.txt:5 > +layer at (0,0) size 800x600 > + RenderView at (0,0) size 800x600 > +layer at (0,0) size 800x600 > + RenderBlock {HTML} at (0,0) size 800x600 > + RenderBody {BODY} at (8,8) size 784x584 ...and avoid getting an unnecessary render tree dump.
Brandon
Comment 8 2021-09-23 23:23:18 PDT
Created attachment 439127 [details] Patch
EWS
Comment 9 2021-09-24 00:22:58 PDT
Committed r283030 (242090@main): <https://commits.webkit.org/242090@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 439127 [details].
Note You need to log in before you can comment on or make changes to this bug.