Bug 312594

Summary:	[WebKit][Main+SU] [0de8fcf584c54561] ASAN_ABRT \| -[NSFileWrapper regularFileContents]; HTMLConverter::_addAttachmentForElement; HTMLConverter::_processElement
Product:	WebKit	Reporter:	Kristian Monsen <k_monsen>
Component:	HTML Editing	Assignee:	Kristian Monsen <k_monsen>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	bfulgham, webkit-bug-importer, wenson_hsieh
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Kristian Monsen

Reported 2026-04-17 11:59:43 PDT

<rdar://174642216> The attached testcase (mini-fuzz-8.html) crashes a Release ASan build of WebKit Found by fuzzer WebKitTestRunner-h-case-as This crash was seen 1 times during the past 7 days. Testcase: ``` <script> const nodes = new Map([['n0', new WeakRef(document.documentElement)]]); try { function storeNode(key, node) { let weak = new WeakRef(node); nodes.set(key, weak); } function getNodeSafe(key) { let weak = nodes.get(key); let node = weak.deref(); return node; } } catch (e) { } (async () => { try { (() => { let n29 = document.createElement('img'); n29.id = 'n4'; getNodeSafe('n0').append(n29); storeNode('n29', n29); })(); } catch {} try { getNodeSafe('n29').srcset = `.`; } catch {} try { document.execCommand('SelectAll'); } catch {} try { document.execCommand('Copy'); } catch {} })(); </script> ``` Reproduced on: WebKit main @ 310634@main WebKit SU @ 305413.617@safari-7624-branch Reproduction Command: DYLD_FRAMEWORK_PATH=$PWD DYLD_LIBRARY_PATH=$PWD __XPC_DYLD_FRAMEWORK_PATH=$PWD __XPC_DYLD_LIBRARY_PATH=$PWD ASAN_OPTIONS=handle_segv=2,handle_sigbus=2,handle_sigill=2,handle_abort=2,handle_sigtrap=2,allocator_may_return_null=1 __XPC_ASAN_OPTIONS=handle_segv=2,handle_sigbus=2,handle_sigill=2,handle_abort=2,handle_sigtrap=2,allocator_may_return_null=1 ./WebKitTestRunner --no-enable-all-experimental-feature --no-timeout fuzz-8.html fuzz-8.html Crash Log: AddressSanitizer:DEADLYSIGNAL ================================================================= ==45613==ERROR: AddressSanitizer: ABRT on unknown address 0x000185f0c5e8 (pc 0x000185f0c5e8 bp 0x00016b0abfe0 sp 0x00016b0abfc0 T0) ==45613==WARN: Invalid dyld module map detected. This is most likely a bug in the sanitizer. ==45613==WARN: Backtraces may be unreliable. #0 0x000185f0c5e8 in __pthread_kill+0x8 (libsystem_kernel.dylib:arm64e+0x95e8) #1 0x000185e4e78c in abort+0x90 (libsystem_c.dylib:arm64e+0x7878c) #2 0x000185efe728 in __abort_message+0x80 (libc++abi.dylib:arm64e+0x16728) #3 0x000185eeb584 in demangling_terminate_handler()+0x124 (libc++abi.dylib:arm64e+0x3584) #4 0x000185b08890 in _objc_terminate()+0x98 (libobjc.A.dylib:arm64e+0x24890) #5 0x000185efb758 in std::__terminate(void (*)())+0xc (libc++abi.dylib:arm64e+0x13758) #6 0x000185efdbe0 in __cxxabiv1::failed_throw(__cxxabiv1::__cxa_exception*)+0x54 (libc++abi.dylib:arm64e+0x15be0) #7 0x000185eea098 in __cxa_throw+0x58 (libc++abi.dylib:arm64e+0x2098) #8 0x000185afea80 in objc_exception_throw+0x1bc (libobjc.A.dylib:arm64e+0x1aa80) #9 0x000187890454 in -[NSFileWrapper regularFileContents]+0x1b0 (Foundation:arm64e+0x9d454) #10 0x0001470fbad4 in HTMLConverter::_addAttachmentForElement(WebCore::Element&, NSURL*, bool, bool)+0xb40 (WebCore:arm64e+0x13c7ad4) #11 0x00014710a608 in HTMLConverter::_processElement(WebCore::Element&, long)+0x3298 (WebCore:arm64e+0x13d6608) #12 0x0001470e5f98 in HTMLConverter::_traverseNode(WebCore::Node&, unsigned int, bool)+0x9b0 (WebCore:arm64e+0x13b1f98) #13 0x0001470e66c0 in HTMLConverter::_traverseNode(WebCore::Node&, unsigned int, bool)+0x10d8 (WebCore:arm64e+0x13b26c0) #14 0x0001470e3c88 in HTMLConverter::convert()+0x498 (WebCore:arm64e+0x13afc88) #15 0x000147119494 in WebCore::attributedString(WebCore::SimpleRange const&, WebCore::IgnoreUserSelectNone)+0x7ac (WebCore:arm64e+0x13e5494) #16 0x00014888a7b4 in WebCore::selectionAsAttributedString(WebCore::Document const&)+0x504 (WebCore:arm64e+0x2b567b4) Reproducibility: Original testcase: 6/6 (100.0%) - Average time: 11.35s Minimized testcase: 25/25 (100.0%) - Average time: 1.48s

Attachments
Add attachment proposed patch, testcase, etc.

Kristian Monsen

Comment 1 2026-04-17 12:04:10 PDT

Pull request: https://github.com/apple/WebKit/pull/4993

Kristian Monsen

Comment 2 2026-04-17 19:06:02 PDT

Pull request: https://github.com/WebKit/WebKit/pull/63020

EWS

Comment 3 2026-04-20 12:39:16 PDT

Committed 311610@main (dad1793d6498): <https://commits.webkit.org/311610@main> Reviewed commits have been landed. Closing PR #63020 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.