WebKit Bugzilla
Bug 159519 (CVE-2016-4765) - RESOLVED FIXED
REGRESSION (r199054): CrashTracer: [USER] parseWebKit at WebCore: WebCore::RenderBlockFlow::checkFloatsInCleanLine + 107
https://bugs.webkit.org/show_bug.cgi?id=159519
Reported by Antti Koivisto, 2016-07-07 11:11:47 PDT
1 com.apple.WebCore 0x00d22b2b WebCore::RenderBlockFlow::checkFloatsInCleanLine(WebCore::RootInlineBox*, WTF::Vector<WebCore::FloatWithRect, 0ul, WTF::CrashOnOverflow, 16ul>&, unsigned long&, bool&, bool&) + 107
2 com.apple.WebCore 0x00d1efd4 WebCore::RenderBlockFlow::determineEndPosition(WebCore::LineLayoutState&, WebCore::RootInlineBox*, WebCore::InlineIterator&, WebCore::BidiStatus&) + 116
3 com.apple.WebCore 0x00d1d7a1 WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 961
4 com.apple.WebCore 0x00d221a5 WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1845
5 com.apple.WebCore 0x00d0cf49 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 905
6 com.apple.WebCore 0x00060386 WebCore::RenderBlock::layout() + 54
7 com.apple.WebCore 0x00d0ed33 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 899
8 com.apple.WebCore 0x00d0dc3c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 524
9 com.apple.WebCore 0x00d0cf31 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 881
10 com.apple.WebCore 0x00060386 WebCore::RenderBlock::layout() + 54
11 com.apple.WebCore 0x00d0e895 WebCore::RenderBlockFlow::insertFloatingObject(WebCore::RenderBox&) + 325
12 com.apple.WebCore 0x00bd8512 WebCore::LineBreaker::skipLeadingWhitespace(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::FloatingObject*, WebCore::LineWidth&) + 226
13 com.apple.WebCore 0x00bd87f7 WebCore::LineBreaker::nextLineBreak(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::LineLayoutState&, WebCore::RenderTextInfo&, WebCore::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&) + 231
14 com.apple.WebCore 0x00d1f45e WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) + 862
15 com.apple.WebCore 0x00d1d8c8 WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 1256
16 com.apple.WebCore 0x00d221a5 WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1845
17 com.apple.WebCore 0x00d0cf49 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 905
18 com.apple.WebCore 0x00060386 WebCore::RenderBlock::layout() + 54
19 com.apple.WebCore 0x00d0ed33 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 899
20 com.apple.WebCore 0x00d0dc3c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 524
21 com.apple.WebCore 0x00d0cf31 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 881
22 com.apple.WebCore 0x00060386 WebCore::RenderBlock::layout() + 54
23 com.apple.WebCore 0x00d0e895 WebCore::RenderBlockFlow::insertFloatingObject(WebCore::RenderBox&) + 325
24 com.apple.WebCore 0x00d0dc46 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 534
25 com.apple.WebCore 0x00d0cf31 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 881
26 com.apple.WebCore 0x00060386 WebCore::RenderBlock::layout() + 54
27 com.apple.WebCore 0x00d0ed33 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 899
28 com.apple.WebCore 0x00d0dc3c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 524
29 com.apple.WebCore 0x00d0cf31 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 881
30 com.apple.WebCore 0x00060386 WebCore::RenderBlock::layout() + 54
31 com.apple.WebCore 0x000601fd WebCore::RenderView::layout() + 781
32 com.apple.WebCore 0x0005d745 WebCore::FrameView::layout(bool) + 3045
33 com.apple.WebCore 0x0005c40a WebCore::Document::implicitClose() + 874
34 com.apple.WebCore 0x0005bc43 WebCore::FrameLoader::checkCompleted() + 275
35 com.apple.WebCore 0x0005a99b WebCore::FrameLoader::finishedParsing() + 123
36 com.apple.WebCore 0x000596e6 WebCore::Document::finishedParsing() + 390
37 com.apple.WebCore 0x00033bc2 WebCore::HTMLDocumentParser::prepareToStopParsing() + 162
38 com.apple.WebCore 0x0003297a WebCore::DocumentWriter::end() + 58
39 com.apple.WebCore 0x0002476c WebCore::DocumentLoader::finishedLoading(double) + 268
40 com.apple.WebCore 0x000b6229 WebCore::CachedResource::checkNotify() + 153
41 com.apple.WebCore 0x0036be63 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 227
42 com.apple.WebCore 0x000b605b WebCore::SubresourceLoader::didFinishLoading(double) + 1163
43 com.apple.WebCore 0x00e53ae5 std::__1::__function::__func<WebCore::ResourceLoader::loadDataURL()::$_0, std::__1::allocator<WebCore::ResourceLoader::loadDataURL()::$_0>, void (WTF::Optional<WebCore::DataURLDecoder::Result>)>::operator()(WTF::Optional<WebCore::DataURLDecoder::Result>&&) + 821
44 com.apple.WebCore 0x00496452 WebCore::DataURLDecoder::DecodingResultDispatcher::timerFired() + 114
45 com.apple.JavaScriptCore 0x00af80f3 WTF::timerFired(__CFRunLoopTimer*, void*) + 35
46 com.apple.CoreFoundation 0x00092b94 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1258.1/RunLoop.subproj/CFRunLoop.c:1628)
47 com.apple.CoreFoundation 0x00092823 __CFRunLoopDoTimer + 1075 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1258.1/RunLoop.subproj/CFRunLoop.c:2167)
48 com.apple.CoreFoundation 0x0009237a __CFRunLoopDoTimers + 298 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1258.1/RunLoop.subproj/CFRunLoop.c:2306)
49 com.apple.CoreFoundation 0x00089871 __CFRunLoopRun + 1841 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1258.1/RunLoop.subproj/CFRunLoop.c:2688)
50 com.apple.CoreFoundation 0x00088ed8 CFRunLoopRunSpecific + 296 (/Library/Caches/com.apple.xbs/Sources/CF/CF-1258.1/RunLoop.subproj/CFRunLoop.c:2814)
51 com.apple.Foundation 0x00024ed9 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 270 (/Library/Caches/com.apple.xbs/Sources/Foundation/Foundation-1259/Soil.subproj/NSRunLoop.m:366)
52 parseWebKit 0x00002988 main + 4104
53 libdyld.dylib 0x000035ad start + 1 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/libdyld/dyld-360.22/src/start_glue.s:47)
Attachments
Patch (5.27 KB, patch), 2016-07-07 11:26 PDT, Antti Koivisto, no flags
Patch (7.32 KB, patch), 2016-07-07 11:28 PDT, Antti Koivisto, no flags
Patch (7.24 KB, patch), 2016-07-07 11:30 PDT, Antti Koivisto, no flags
Comment 1, Antti Koivisto, 2016-07-07 11:12:12 PDT
rdar://problem/26822922
Comment 2, Antti Koivisto, 2016-07-07 11:26:14 PDT
Created attachment 283031 [details]
Patch
Comment 3, Antti Koivisto, 2016-07-07 11:28:32 PDT
Created attachment 283032 [details]
Patch
Comment 4, Antti Koivisto, 2016-07-07 11:30:13 PDT
Created attachment 283033 [details]
Patch
Comment 5, WebKit Commit Bot, 2016-07-07 14:25:23 PDT
Comment on attachment 283033 [details]
Patch
Clearing flags on attachment: 283033
Committed r202931: <http://trac.webkit.org/changeset/202931>
Comment 6, WebKit Commit Bot, 2016-07-07 14:25:28 PDT
All reviewed patches have been landed. Closing bug.