Bug 272294

Summary: nullderef in LayoutIntegration::BoxTree::layoutBoxForRenderer
Product: WebKit
Reporter: bin7o8v
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: bfulgham, simon.fraser, zalan
Priority: P2
Version: WebKit Local Build
Hardware: Unspecified
OS: Linux
Attachments: PoC (flags: none)

bin7o8v
Reported 2024-04-06 22:59:14 PDT
Created attachment 470798 [details]
PoC

Version:
- OS: Ubuntu Desktop 22.04
- WebKit: WebKitGTK 2.43.4

How to reproduce:
1. Compile WebKit from source
2. Serve poc.html on 127.0.0.1:8080
3. Launch MiniBrowser with url 127.0.0.1:8080/poc.html

Crash log:
==2710716==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x7fa8af3d08be bp 0x7ffc9fcc7c80 sp 0x7ffc9fcc7b50 T0)
==2710716==The signal is caused by a READ memory access.
==2710716==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7fa8af3d08be in WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>::isEmpty() const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/OptionSet.h:106:46
    #1 0x7fa8af3d08be in WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>::operator bool() const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/OptionSet.h:111:56
    #2 0x7fa8af3d08be in WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>::containsAny(WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>) const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/OptionSet.h:120:18
    #3 0x7fa8af3d08be in WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>::contains(WebCore::Layout::Box::BaseTypeFlag) const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/OptionSet.h:115:16
    #4 0x7fa8af3d08be in WebCore::Layout::Box::isElementBox() const /webkitgtk-2.43.4/Source/WebCore/layout/layouttree/LayoutBox.h:164:56
    #5 0x7fa8af3d08be in WTF::TypeCastTraits<WebCore::Layout::ElementBox const, WebCore::Layout::Box const, false>::isType(WebCore::Layout::Box const&) /webkitgtk-2.43.4/Source/WebCore/layout/layouttree/LayoutElementBox.h:119:1
    #6 0x7fa8af3d08be in WTF::TypeCastTraits<WebCore::Layout::ElementBox const, WebCore::Layout::Box const, false>::isOfType(WebCore::Layout::Box const&) /webkitgtk-2.43.4/Source/WebCore/layout/layouttree/LayoutElementBox.h:119:1
    #7 0x7fa8af3d08be in bool WTF::is<WebCore::Layout::ElementBox, WebCore::Layout::Box>(WebCore::Layout::Box const&) /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/TypeCasts.h:58:12
    #8 0x7fa8af3d08be in std::conditional<std::is_const_v<WebCore::Layout::Box const>, std::add_const<WebCore::Layout::ElementBox>::type, std::remove_const<WebCore::Layout::ElementBox>::type>::type& WTF::downcast<WebCore::Layout::ElementBox, WebCore::Layout::Box const>(WebCore::Layout::Box const&) /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/TypeCasts.h:120:5
    #9 0x7fa8af3d08be in WebCore::LayoutIntegration::BoxTree::layoutBoxForRenderer(WebCore::RenderElement const&) const /webkitgtk-2.43.4/Source/WebCore/layout/integration/LayoutIntegrationBoxTree.cpp:356:12
    #10 0x7fa8b0903a75 in WebCore::RenderInline::frameRectForStickyPositioning() const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderInline.h:133:69
    #11 0x7fa8b06baf19 in WebCore::RenderBoxModelObject::stickyPositionOffset() const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBoxModelObject.cpp:630:5
    #12 0x7fa8b06baf19 in WebCore::RenderBoxModelObject::offsetForInFlowPosition() const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBoxModelObject.cpp:642:16
    #13 0x7fa8b08ad3fe in WebCore::RenderInline::offsetFromContainer(WebCore::RenderElement&, WebCore::LayoutPoint const&, bool*) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderInline.cpp:771:19
    #14 0x7fa8b074d666 in WebCore::RenderBox::computeVisibleRectsInContainer(WebCore::RenderObject::RepaintRects const&, WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBox.cpp:2669:49
    #15 0x7fa8b0a1c112 in WebCore::RenderObject::computeRects(WebCore::RenderObject::RepaintRects const&, WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.cpp:1132:19
    #16 0x7fa8b0a1c112 in WebCore::RenderObject::clippedOverflowRect(WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.cpp:1127:12
    #17 0x7fa8b0a1a511 in WebCore::RenderObject::clippedOverflowRectForRepaint(WebCore::RenderLayerModelObject const*) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.h:1016:109
    #18 0x7fa8b0a1a511 in WebCore::RenderObject::issueRepaint(std::optional<WebCore::LayoutRect>, WebCore::RenderObject::ClipRepaintToLayer, WebCore::RenderObject::ForceRepaint, std::optional<WebCore::RectEdges<WebCore::LayoutUnit>>) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.cpp:1035:23
    #19 0x7fa8b0a1a933 in WebCore::RenderObject::repaint() const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.cpp:1045:5
    #20 0x7fa8b0a21e56 in WebCore::invalidateLineLayoutAfterTreeMutationIfNeeded(WebCore::RenderObject&, WebCore::IsRemoval) /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.cpp:1806:20
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/webkitgtk-2.43.4/build-asan/lib/libwebkit2gtk-4.0.so.37+0x79358be)
==2710716==ABORTING
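The ASan report above is the only evidence on this page, and the PoC itself is not reproduced here, so the useful added example is a triage helper for reports of this shape. The Python below is an added example, not code from this bug, from the reporter or from WebKit. It parses the report header and the symbolized frames, classifies the fault as a null dereference from the fault address (the 4 KiB zero page is an assumed page size), groups consecutive frames that share a pc (those were inlined into one instruction, as frames #0 to #9 are here) and picks out the first frame under a caller-chosen prefix such as WebCore:: so the WTF helper templates do not get blamed. The sample report is a constructed excerpt: the header, hint and SUMMARY lines plus a subset of the frames copied from the report above; the project_prefix and page_size parameters are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: header and a subset of the frames from this bug's report
# (#0, #1, #4, #7, #9, #10, #11). Frame numbers need not be contiguous.
SAMPLE_REPORT = """\
==2710716==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x7fa8af3d08be bp 0x7ffc9fcc7c80 sp 0x7ffc9fcc7b50 T0)
==2710716==The signal is caused by a READ memory access.
==2710716==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7fa8af3d08be in WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>::isEmpty() const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/OptionSet.h:106:46
    #1 0x7fa8af3d08be in WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>::operator bool() const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/OptionSet.h:111:56
    #4 0x7fa8af3d08be in WebCore::Layout::Box::isElementBox() const /webkitgtk-2.43.4/Source/WebCore/layout/layouttree/LayoutBox.h:164:56
    #7 0x7fa8af3d08be in bool WTF::is<WebCore::Layout::ElementBox, WebCore::Layout::Box>(WebCore::Layout::Box const&) /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/TypeCasts.h:58:12
    #9 0x7fa8af3d08be in WebCore::LayoutIntegration::BoxTree::layoutBoxForRenderer(WebCore::RenderElement const&) const /webkitgtk-2.43.4/Source/WebCore/layout/integration/LayoutIntegrationBoxTree.cpp:356:12
    #10 0x7fa8b0903a75 in WebCore::RenderInline::frameRectForStickyPositioning() const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderInline.h:133:69
    #11 0x7fa8b06baf19 in WebCore::RenderBoxModelObject::stickyPositionOffset() const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBoxModelObject.cpp:630:5
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/webkitgtk-2.43.4/build-asan/lib/libwebkit2gtk-4.0.so.37+0x79358be)
==2710716==ABORTING
"""

# "SEGV on unknown address X (pc Y ...)" and "heap-buffer-overflow on address X at pc Y" both match.
HEADER_RE = re.compile(
    r"AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)"
    r".*?\bpc (?P<pc>0x[0-9a-fA-F]+)"
)
# "caused by a READ memory access" (SEGV) or "READ of size 4" (heap reports).
ACCESS_RE = re.compile(r"\b(?P<access>READ|WRITE)\b(?: of size (?P<size>\d+)| memory access)")
# Symbolized frame: "#N 0xPC in <function text, may contain spaces> /path/file.ext:line:col".
FRAME_RE = re.compile(
    r"#(?P<index>\d+)\s+(?P<pc>0x[0-9a-fA-F]+)\s+in\s+(?P<function>.+?)\s+"
    r"(?P<file>\S+):(?P<line>\d+):(?P<col>\d+)$"
)


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    file: str
    line: int
    col: int


@dataclass
class CrashSummary:
    kind: str
    fault_address: int
    pc: int
    access: Optional[str] = None
    frames: list = field(default_factory=list)


def parse_asan_report(text: str) -> CrashSummary:
    """Extract fault kind, address, pc, access direction and the symbolized frames."""
    summary = None
    for raw in text.splitlines():
        line = raw.strip()
        if summary is None:
            m = HEADER_RE.search(line)
            if m:
                summary = CrashSummary(m["kind"], int(m["addr"], 16), int(m["pc"], 16))
            continue
        if summary.access is None:
            m = ACCESS_RE.search(line)
            if m:
                summary.access = m["access"]
                continue
        m = FRAME_RE.match(line)
        if m:
            summary.frames.append(Frame(int(m["index"]), int(m["pc"], 16), m["function"],
                                        m["file"], int(m["line"]), int(m["col"])))
    if summary is None:
        raise ValueError("no AddressSanitizer error header found")
    return summary


def is_null_deref(summary: CrashSummary, page_size: int = 4096) -> bool:
    """A fault address inside the zero page is a null pointer plus a small field
    offset (0xc here). page_size is an assumption, not something ASan reports."""
    return summary.fault_address < page_size


def first_frame_with_prefix(summary: CrashSummary, prefix: str) -> Optional[Frame]:
    """First frame whose function starts with prefix, skipping helper templates
    (WTF::OptionSet, WTF::is, WTF::downcast) that ASan reports innermost."""
    return next((f for f in summary.frames if f.function.startswith(prefix)), None)


def inlined_groups(frames):
    """Group consecutive frames sharing a pc: one instruction, one call site."""
    groups = []
    for f in frames:
        if groups and groups[-1][-1].pc == f.pc:
            groups[-1].append(f)
        else:
            groups.append([f])
    return groups


def triage(text: str, project_prefix: str = "WebCore::") -> dict:
    """One-shot summary suitable for a crash-dedup key or a bug-filing template."""
    s = parse_asan_report(text)
    own = first_frame_with_prefix(s, project_prefix)
    groups = inlined_groups(s.frames)
    return {
        "kind": s.kind,
        "access": s.access,
        "null_deref": is_null_deref(s),
        "fault_address": hex(s.fault_address),
        "innermost": s.frames[0].function if s.frames else None,
        "first_project_frame": f"{own.function} ({own.file}:{own.line})" if own else None,
        "frames_inlined_at_pc": len(groups[0]) if groups else 0,
        "outermost_frame": s.frames[-1].function if s.frames else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the full report rather than the excerpt, the first inlined group covers frames #0 to #9 and the first WebCore:: frame is still isElementBox(); the first frame with a different pc, frameRectForStickyPositioning() in RenderInline.h, is where the downcast of a missing layout box was requested, which is the line a reader of this bug would open first.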
Attachments
PoC (426 bytes, text/html)
2024-04-06 22:59 PDT, bin7o8v
no flags
alan
Comment 1 2024-04-07 06:43:08 PDT
Hi, thank you for filing this bug. The test reduction is great!
alan
Comment 2 2024-04-07 06:44:15 PDT
(this has been fixed on trunk. see bug 269009) *** This bug has been marked as a duplicate of bug 269009 ***