Bug 230770

Summary:

Line iterator firstRun/lastRun may return runs from wrong lines

Product:

WebKit

Reporter:

Ali Juma <ajuma>

Component:

Layout and Rendering

Assignee:

Antti Koivisto <koivisto>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

beidson, bfulgham, fpizlo, koivisto, msaboff, product-security, rniwa, rohitrao, simon.fraser, webkit-bug-importer, zalan

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Minimal test case	none
Patch	none

Description Ali Juma 2021-09-24 13:50:47 PDT

Created attachment 439193 [details]
Minimal test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

This reproduces in an ASan build of WebKitTestRunner.

Stack:
=================================================================
==51278==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x0005c23cdaad bp 0x7ffee3c4c580 sp 0x7ffee3c4c580 T0)
==51278==The signal is caused by a READ memory access.
==51278==Hint: address points to the zero page.
    #0 0x5c23cdaac in WTF::RefPtr<WTF::WeakPtrImpl<WTF::EmptyCounter>, WTF::RawPtrTraits<WTF::WeakPtrImpl<WTF::EmptyCounter> >, WTF::DefaultRefDerefTraits<WTF::WeakPtrImpl<WTF::EmptyCounter> > >::operator bool() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x21aac)
    #1 0x5c4e3545d in WTF::WeakPtr<WebCore::RenderObject, WTF::EmptyCounter>::get() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x2a8945d)
    #2 0x5c4e35448 in WTF::WeakPtr<WebCore::RenderObject, WTF::EmptyCounter>::operator*() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x2a89448)
    #3 0x5c4e3508d in decltype(WTF::visit(makeVisitor(std::forward<WebCore::LayoutIntegration::PathRun::renderer() const::'lambda'(auto&)>(fp0)), std::forward<auto>(fp))) WTF::switchOn<WTF::Variant<WebCore::LayoutIntegration::RunIteratorModernPath, WebCore::LayoutIntegration::RunIteratorLegacyPath> const&, WebCore::LayoutIntegration::PathRun::renderer() const::'lambda'(auto&)>(auto&&, WebCore::LayoutIntegration::PathRun::renderer() const::'lambda'(auto&)&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x2a8908d)
    #4 0x5c4e2183f in WebCore::LayoutIntegration::PathRun::renderer() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x2a7583f)
    #5 0x5c7543e57 in WebCore::RenderBlockFlow::inlineSelectionGaps(WebCore::RenderBlock&, WebCore::LayoutPoint const&, WebCore::LayoutSize const&, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LogicalSelectionOffsetCaches const&, WebCore::PaintInfo const*)::$_5::operator()(WebCore::LayoutIntegration::LineIterator const&, WebCore::LayoutUnit, WebCore::LayoutUnit) const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5197e57)
    #6 0x5c7542b36 in WebCore::RenderBlockFlow::inlineSelectionGaps(WebCore::RenderBlock&, WebCore::LayoutPoint const&, WebCore::LayoutSize const&, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LogicalSelectionOffsetCaches const&, WebCore::PaintInfo const*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5196b36)
    #7 0x5c74f6ef6 in WebCore::RenderBlock::selectionGaps(WebCore::RenderBlock&, WebCore::LayoutPoint const&, WebCore::LayoutSize const&, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LogicalSelectionOffsetCaches const&, WebCore::PaintInfo const*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x514aef6)
    #8 0x5c74f87b5 in WebCore::RenderBlock::blockSelectionGaps(WebCore::RenderBlock&, WebCore::LayoutPoint const&, WebCore::LayoutSize const&, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LogicalSelectionOffsetCaches const&, WebCore::PaintInfo const*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x514c7b5)
    #9 0x5c74f6f2b in WebCore::RenderBlock::selectionGaps(WebCore::RenderBlock&, WebCore::LayoutPoint const&, WebCore::LayoutSize const&, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LogicalSelectionOffsetCaches const&, WebCore::PaintInfo const*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x514af2b)
    #10 0x5c74f608e in WebCore::RenderBlock::selectionGapRectsForRepaint(WebCore::RenderLayerModelObject const*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x514a08e)
    #11 0x5c77ea1ef in WebCore::RenderBlockSelectionInfo::RenderBlockSelectionInfo(WebCore::RenderBlock&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x543e1ef)
    #12 0x5c78bc93f in std::__1::__unique_if<WebCore::RenderBlockSelectionInfo>::__unique_single std::__1::make_unique<WebCore::RenderBlockSelectionInfo, WebCore::RenderBlock&>(WebCore::RenderBlock&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x551093f)
    #13 0x5c78a986e in WebCore::collectSelectionData(WebCore::RenderRange const&, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x54fd86e)
    #14 0x5c78a6c0f in WebCore::SelectionRangeData::apply(WebCore::RenderRange const&, WebCore::SelectionRangeData::RepaintMode) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x54fac0f)
    #15 0x5c78a6892 in WebCore::SelectionRangeData::set(WebCore::RenderRange const&, WebCore::SelectionRangeData::RepaintMode) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x54fa892)
    #16 0x5c5bb54d5 in WebCore::FrameSelection::updateAppearance() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x38094d5)
    #17 0x5c5bb4a25 in WebCore::FrameSelection::updateAndRevealSelection(WebCore::AXTextStateChangeIntent const&, WebCore::ScrollBehavior, WebCore::RevealExtentOption) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3808a25)
    #18 0x5c5b7cbde in WebCore::FrameSelection::setSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::AXTextStateChangeIntent, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x37d0bde)
    #19 0x5c5b7b371 in WebCore::FrameSelection::selectAll() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x37cf371)
    #20 0x5c5bd07b0 in WebCore::executeSelectAll(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x38247b0)
    #21 0x5c582f378 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3483378)
    #22 0x5c2c9abe5 in WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x8eebe5)
    #23 0x5c2c9a67b in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x8ee67b)
    #24 0x39c131c011d7  (<unknown module>)
    #25 0x5e0a5fec4 in llint_entry (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xd3fec4)
    #26 0x5e0a5ff51 in llint_entry (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xd3ff51)
    #27 0x5e0a43878 in vmEntryToJavaScript (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xd23878)
    #28 0x5e231694a in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x25f694a)
    #29 0x5e2b2333f in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2e0333f)
    #30 0x5e2b236fb in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2e036fb)
    #31 0x5c4fbd338 in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x2c11338)
    #32 0x5c4fe7871 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x2c3b871)
    #33 0x5c5954abf in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x35a8abf)
    #34 0x5c5954362 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x35a8362)
    #35 0x5c59240e8 in WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x35780e8)
    #36 0x5c5943efc in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3597efc)
    #37 0x5c59434ae in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x35974ae)
    #38 0x5c68fc23b in WebCore::DOMWindow::dispatchLoadEvent() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x455023b)
    #39 0x5c5813be0 in WebCore::Document::dispatchWindowLoadEvent() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3467be0)
    #40 0x5c58134d0 in WebCore::Document::implicitClose() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x34674d0)
    #41 0x5c66ee282 in WebCore::FrameLoader::checkCompleted() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4342282)
    #42 0x5c66eaa70 in WebCore::FrameLoader::finishedParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x433ea70)
    #43 0x5c5835467 in WebCore::Document::finishedParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3489467)
    #44 0x5c61593fa in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3dad3fa)
    #45 0x5c6667c20 in WebCore::DocumentWriter::end() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42bbc20)
    #46 0x5c6666706 in WebCore::DocumentLoader::finishedLoading() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42ba706)
    #47 0x5c666f7db in WebCore::DocumentLoader::continueAfterContentPolicy(WebCore::PolicyAction) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42c37db)
    #48 0x5c6668e02 in WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42bce02)
    #49 0x5c666812c in WebCore::DocumentLoader::handleSubstituteDataLoadNow() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42bc12c)
    #50 0x5dfe0283e in WTF::RunLoop::dispatch(WTF::HashSet<WTF::RefPtr<WTF::SchedulePair, WTF::RawPtrTraits<WTF::SchedulePair>, WTF::DefaultRefDerefTraits<WTF::SchedulePair> >, WTF::SchedulePairHash, WTF::HashTraits<WTF::RefPtr<WTF::SchedulePair, WTF::RawPtrTraits<WTF::SchedulePair>, WTF::DefaultRefDerefTraits<WTF::SchedulePair> > >, WTF::HashTableTraits> const&, WTF::Function<void ()>&&)::$_0::operator()(__CFRunLoopTimer*, void*) const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xe283e)
    #51 0x7fff31374467 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x9f467)
    #52 0x7fff31373fcd in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x9efcd)
    #53 0x7fff31373ab8 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x9eab8)
    #54 0x7fff3135870c in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x8370c)
    #55 0x7fff31357952 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x82952)
    #56 0x7fff33a151c7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x601c7)
    #57 0x7fff33ac7c6e in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x112c6e)
    #58 0x7fff6b7144e9 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x164e9)
    #59 0x7fff6b71442f in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1642f)
    #60 0x7fff6b713f62 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x15f62)
    #61 0x5b10eeee5 in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x10eeee5)
    #62 0x7fff6b4c2cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)
==51278==Register values:
rax = 0x0000000000000004  rbx = 0x0000000000000020  rcx = 0x0000100000000004  rdx = 0x00000000e3c4c603
rdi = 0x0000000000000020  rsi = 0x00007ffee3c4c7c0  rbp = 0x00007ffee3c4c580  rsp = 0x00007ffee3c4c580
 r8 = 0x000000007fffffff   r9 = 0x0000100000000000  r10 = 0xffffffffffffffff  r11 = 0x00000fffffffffff
r12 = 0x00007ffee3c4c5e0  r13 = 0x00007ffee3c4c5c0  r14 = 0x0000000000000000  r15 = 0x00001fffdc7898b8
=====================================
Clusterfuzz-id: 5717398421045248

Comment 1 Radar WebKit Bug Importer 2021-09-24 13:51:00 PDT

<rdar://problem/83509753>

Comment 2 zalan 2021-09-24 13:59:42 PDT

probably a fallout from https://trac.webkit.org/changeset/282764/webkit

Comment 3 Antti Koivisto 2021-09-26 02:16:44 PDT

Created attachment 439292 [details]
Patch

Comment 4 EWS 2021-09-26 06:47:49 PDT

Committed r283087 (242145@main): <https://commits.webkit.org/242145@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 439292 [details].