Bug 43722

Summary: cross_fuzz WebCore::RenderBlock::addChild* NULL ptrs
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bdakin, commit-queue, eric, hyatt, levin, rolandsteiner
Priority: P1 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows Vista   
Bug Depends on:    
Bug Blocks: 42959    
Attachments:
Description Flags
Repro
none
Patch (review carefully) none

Description Berend-Jan Wever 2010-08-09 08:26:03 PDT 
Created attachment 63895 [details]
Repro

The following code triggers a NULL ptr in Chromium latest:
<html>
  <head>
    <style>
      :before{
        content:""
      };
    </style>
  </head>
  <body onload="document.linkColor=0;">
    <ruby>
      <rt></rt>
    </ruby>
  </body>
</html>

id:             WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks ReadAV@NULL (8861963c2158cde00d41e1ee9baea2f1)
description:    Attempt to read from NULL pointer (+0xC) in WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks
signatures:     Function: WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks
                Basic signature: WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks(...)-2D824F8
stack:          WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks
                WebCore::RenderBlock::addChildIgnoringContinuation
                WebCore::RenderBlock::addChild
                WebCore::RenderRubyRun::addChild
                WebCore::RenderRubyAsInline::addChild
                WebCore::RenderObjectChildList::updateBeforeAfterContent
                WebCore::RenderInline::styleDidChange
                WebCore::RenderObject::setStyle
                WebCore::RenderObject::setAnimatableStyle
                WebCore::Node::setRenderStyle
                WebCore::Element::recalcStyle
                WebCore::Element::recalcStyle
                WebCore::Element::recalcStyle
                WebCore::Document::recalcStyle
                WebCore::StyledElement::attributeChanged
                WebCore::NamedNodeMap::addAttribute
                WebCore::Element::setAttribute
                WebCore::Element::setAttribute
                WebCore::HTMLBodyElement::setLink
                WebCore::HTMLDocument::setLinkColor
                WebCore::HTMLDocumentInternal::linkColorAttrSetter
                v8::internal::JSObject::SetPropertyWithCallback
                v8::internal::JSObject::SetProperty
                v8::internal::JSObject::SetPropertyPostInterceptor
                v8::internal::JSObject::SetPropertyWithInterceptor
                v8::internal::JSObject::SetProperty
                v8::internal::JSObject::SetProperty
                v8::internal::StoreIC::Store
                v8::internal::StoreIC_Miss
                v8::internal::Invoke
                v8::internal::Execution::Call
                ...

During fuzzzing, I have seen NULL ptr crashes two levels up the stack as well, in Renderblock::AddChild. I expect the cause is the same.
Comment 1 Adam Barth 2010-08-09 11:32:58 PDT 
Created attachment 63911 [details]
Patch (review carefully)
Comment 2 Eric Seidel (no email) 2010-08-09 12:14:17 PDT 
I'm not sure who does ruby stuff.
Comment 3 David Levin 2010-08-17 17:58:10 PDT 
Roland, any comments?
Comment 4 WebKit Commit Bot 2010-08-30 00:35:58 PDT 
Comment on attachment 63911 [details]
Patch (review carefully)

Clearing flags on attachment: 63911

Committed r66371: <http://trac.webkit.org/changeset/66371>
Comment 5 WebKit Commit Bot 2010-08-30 00:36:03 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 6 David Kilzer (:ddkilzer) 2010-08-30 21:45:47 PDT 
<rdar://problem/8375382>
Comment 7 Roland Steiner 2010-09-01 18:58:07 PDT 
Whoa, this bug thread completely sneaked by me, sorry about that! :(

FWIW, I think the patch is fine. My recently r+'d patch for https://bugs.webkit.org/show_bug.cgi?id=41040 (not yet landed) also concerns :before/:after content. AFAICT it will subsume this patch once merged and landed.