WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
Bug 208316
Crash in CSSPrimitiveValue::cleanup
https://bugs.webkit.org/show_bug.cgi?id=208316
Summary
Crash in CSSPrimitiveValue::cleanup
Ali Juma
Reported
2020-02-27 08:31:37 PST
Created
attachment 391877
[details]
Minimal test case Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug. Crash stack: ================================================================= ==62534==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x0001bbb8ab7d bp 0x7ffeedf5da90 sp 0x7ffeedf5da80 T0) ==62534==The signal is caused by a READ memory access. ==62534==Hint: address points to the zero page. ==62534==WARNING: invalid path to external symbolizer! ==62534==WARNING: Failed to use and restart external symbolizer! #0 0x1bbb8ab7c in WTF::RefCountedBase::derefBase() const (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x10b7c) #1 0x1bbd0f36d in WebCore::CSSValue::deref() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x19536d) #2 0x1be814650 in WebCore::CSSPrimitiveValue::cleanup() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c9a650) #3 0x1be81445d in WebCore::CSSPrimitiveValue::~CSSPrimitiveValue() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c9a45d) #4 0x1be852774 in WebCore::CSSValue::destroy() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cd8774) #5 0x1be803a77 in WTF::VectorDestructor<true, WTF::Ref<WebCore::CSSValue, WTF::DumbPtrTraits<WebCore::CSSValue> > >::destruct(WTF::Ref<WebCore::CSSValue, WTF::DumbPtrTraits<WebCore::CSSValue> >*, WTF::Ref<WebCore::CSSValue, WTF::DumbPtrTraits<WebCore::CSSValue> >*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c89a77) #6 0x1be8039da in WTF::Vector<WTF::Ref<WebCore::CSSValue, WTF::DumbPtrTraits<WebCore::CSSValue> >, 4ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::~Vector() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c899da) #7 0x1be7fc9b1 in WebCore::CSSValueList::~CSSValueList() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c829b1) #8 0x1be852c5a in WebCore::CSSValue::destroy() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cd8c5a) #9 0x1be77bff7 in WTF::VectorDestructor<true, WebCore::CSSProperty>::destruct(WebCore::CSSProperty*, WebCore::CSSProperty*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c01ff7) #10 0x1be90794a in WTF::Vector<WebCore::CSSProperty, 4ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::~Vector() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d8d94a) #11 0x1be8e939a in WebCore::MutableStyleProperties::~MutableStyleProperties() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d6f39a) #12 0x1be3d02e9 in WebCore::StylePropertiesBase::deref() const (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28562e9) #13 0x1bede2e0e in WebCore::EditingStyle::~EditingStyle() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3268e0e) #14 0x1b1b4edf2 in std::__1::default_delete<WebCore::EditingStyle>::operator()(WebCore::EditingStyle*) const (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1b4edf2) #15 0x1b1b04435 in WebKit::WebPage::editorState(WebKit::WebPage::IncludePostLayoutDataHint) const (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1b04435) #16 0x1b1b27c46 in WebKit::WebPage::sendEditorStateUpdate() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1b27c46) #17 0x1b184f824 in WebKit::WebEditorClient::respondToChangedContents() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x184f824) #18 0x1bedf7c90 in WebCore::Editor::respondToChangedContents(WebCore::VisibleSelection const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x327dc90) #19 0x1bedfd6ef in WebCore::Editor::appliedEditing(WebCore::CompositeEditCommand&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32836ef) #20 0x1bed904b9 in WebCore::CompositeEditCommand::apply() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32164b9) #21 0x1bee3e1fd in WebCore::executeInsertOrderedList(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32c41fd) #22 0x1beacdc91 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f53c91) #23 0x1bc587800 in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xa0d800) #24 0x1bc444625 in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8ca625) #25 0x442896c01177 (<unknown module>) #26 0x1d66db45b in llint_entry (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa8c45b) #27 0x1d66c43d8 in vmEntryToJavaScript (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa753d8) #28 0x1d7cec937 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x209d937) #29 0x1d8318140 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x26c9140) #30 0x1d8318242 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x26c9242) #31 0x1d831861f in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x26c961f) #32 0x1be41401b in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x289a01b) #33 0x1be43d071 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28c3071) #34 0x1bebdf35b in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x306535b) #35 0x1bebda6f2 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x30606f2) #36 0x1bf95a69d in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3de069d) #37 0x1bf96bfa8 in WebCore::DOMWindow::dispatchLoadEvent() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3df1fa8) #38 0x1beab7180 in WebCore::Document::dispatchWindowLoadEvent() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f3d180) #39 0x1beab6af0 in WebCore::Document::implicitClose() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f3caf0) #40 0x1bf7a4bc2 in WebCore::FrameLoader::checkCompleted() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c2abc2) #41 0x1bf7a15de in WebCore::FrameLoader::finishedParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c275de) #42 0x1bead3af2 in WebCore::Document::finishedParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f59af2) #43 0x1bf348510 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37ce510) #44 0x1bf73890a in WebCore::DocumentWriter::end() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bbe90a) #45 0x1bf7371a8 in WebCore::DocumentLoader::finishedLoading() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bbd1a8) #46 0x1bf736dee in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bbcdee) #47 0x1bf8c4927 in WebCore::CachedResource::checkNotify() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3d4a927) #48 0x1bf8c0ac8 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3d46ac8) #49 0x1bf844cde in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3ccacde) #50 0x1b1754ca6 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1754ca6) #51 0x1b1e56547 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1e56547) #52 0x1b1e55649 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1e55649) #53 0x1b1711334 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1711334) #54 0x1b008598a in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8598a) #55 0x1b008667a in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8667a) #56 0x1b00872b8 in IPC::Connection::dispatchOneIncomingMessage() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x872b8) #57 0x1d5d0c679 in WTF::RunLoop::performWork() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xbd679) #58 0x1d5d0d25a in WTF::RunLoop::performWork(void*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xbe25a) #59 0x7fff2c6f631a in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x5731a) #60 0x7fff2c6f62c0 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x572c0) #61 0x7fff2c6da1ba in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3b1ba) #62 0x7fff2c6d9782 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3a782) #63 0x7fff2c6d9084 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3a084) #64 0x7fff2e94da9e in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1ca9e) #65 0x7fff2e94d973 in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1c973) #66 0x7fff58dc51d6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x111d6) #67 0x7fff58dc4cd8 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10cd8) #68 0x1b0904465 in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x904465) #69 0x7fff58b923d4 in start (/usr/lib/system/libdyld.dylib:x86_64+0x163d4) ==62534==Register values: rax = 0x0000100000000000 rbx = 0x0000000000000000 rcx = 0x0000100000000000 rdx = 0x0000100000000000 rdi = 0x0000000000000004 rsi = 0x0000606000130620 rbp = 0x00007ffeedf5da90 rsp = 0x00007ffeedf5da80 r8 = 0x0000000000000018 r9 = 0x00000fffffffffff r10 = 0x0000000000000000 r11 = 0xffffffffffffffff r12 = 0x00007ffeedf5dd00 r13 = 0x0000000000000000 r14 = 0x0000100000000000 r15 = 0x000060300012c8b0
Attachments
Minimal test case
(1.21 KB, text/html)
2020-02-27 08:31 PST
,
Ali Juma
no flags
Details
Patch
(2.89 KB, patch)
2020-03-16 15:43 PDT
,
Pinki Gyanchandani
no flags
Details
Formatted Diff
Diff
Patch
(3.60 KB, patch)
2020-03-16 16:10 PDT
,
Pinki Gyanchandani
no flags
Details
Formatted Diff
Diff
Patch
(4.21 KB, patch)
2020-03-17 14:11 PDT
,
Pinki Gyanchandani
no flags
Details
Formatted Diff
Diff
Patch
(4.21 KB, patch)
2020-03-17 14:14 PDT
,
Pinki Gyanchandani
no flags
Details
Formatted Diff
Diff
Patch
(3.84 KB, patch)
2020-03-17 20:07 PDT
,
Pinki Gyanchandani
no flags
Details
Formatted Diff
Diff
Show Obsolete
(4)
View All
Add attachment
proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1
2020-02-27 08:31:47 PST
<
rdar://problem/59848034
>
Pinki Gyanchandani
Comment 2
2020-03-16 15:43:38 PDT
Created
attachment 393696
[details]
Patch
Pinki Gyanchandani
Comment 3
2020-03-16 16:10:48 PDT
Created
attachment 393703
[details]
Patch
Simon Fraser (smfr)
Comment 4
2020-03-16 16:45:00 PDT
Comment on
attachment 393703
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=393703&action=review
> Source/WebCore/css/CSSPrimitiveValue.cpp:456 > + if (m_value.calc) > + m_value.calc->deref();
Do we understand how we ended up with a type of CSSUnitType::CSS_CALC but no calc value? That suggests a bug elsewhere.
Simon Fraser (smfr)
Comment 5
2020-03-16 16:45:45 PDT
Comment on
attachment 393703
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=393703&action=review
>> Source/WebCore/css/CSSPrimitiveValue.cpp:456 >> + m_value.calc->deref(); > > Do we understand how we ended up with a type of CSSUnitType::CSS_CALC but no calc value? That suggests a bug elsewhere.
If we do, then the changelog should explain it.
Ryosuke Niwa
Comment 6
2020-03-16 17:09:53 PDT
Comment on
attachment 393703
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=393703&action=review
> Source/WebCore/ChangeLog:8 > + Added a NULL check before calling defer() for CSSUnitType :: CSS_CALC.
Please describe why we need this null check as we discussed. Namely about how WebCore::createCSS can return nullptr.
>>> Source/WebCore/css/CSSPrimitiveValue.cpp:456 >>> + m_value.calc->deref(); >> >> Do we understand how we ended up with a type of CSSUnitType::CSS_CALC but no calc value? That suggests a bug elsewhere. > > If we do, then the changelog should explain it.
Yes, CSSCalcValue::create calls WebCore::createCSS, which returns nullptr in numerous cases.
Pinki Gyanchandani
Comment 7
2020-03-17 14:11:55 PDT
Created
attachment 393785
[details]
Patch
Pinki Gyanchandani
Comment 8
2020-03-17 14:14:47 PDT
Created
attachment 393786
[details]
Patch
Pinki Gyanchandani
Comment 9
2020-03-17 14:16:42 PDT
(In reply to Simon Fraser (smfr) from
comment #5
)
> Comment on
attachment 393703
[details]
> Patch > > View in context: >
https://bugs.webkit.org/attachment.cgi?id=393703&action=review
> > >> Source/WebCore/css/CSSPrimitiveValue.cpp:456 > >> + m_value.calc->deref(); > > > > Do we understand how we ended up with a type of CSSUnitType::CSS_CALC but no calc value? That suggests a bug elsewhere. > > If we do, then the changelog should explain it.
I have updated the changeling, as per suggestion from you and Ryosuke. Kindly help with review
Pinki Gyanchandani
Comment 10
2020-03-17 14:17:06 PDT
(In reply to Pinki Gyanchandani from
comment #9
)
> (In reply to Simon Fraser (smfr) from
comment #5
) > > Comment on
attachment 393703
[details]
> > Patch > > > > View in context: > >
https://bugs.webkit.org/attachment.cgi?id=393703&action=review
> > > > >> Source/WebCore/css/CSSPrimitiveValue.cpp:456 > > >> + m_value.calc->deref(); > > > > > > Do we understand how we ended up with a type of CSSUnitType::CSS_CALC but no calc value? That suggests a bug elsewhere. > > > > If we do, then the changelog should explain it. > > > I have updated the changelog, as per suggestion from you and Ryosuke. > Kindly help with review
Ryosuke Niwa
Comment 11
2020-03-17 17:40:28 PDT
Comment on
attachment 393786
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=393786&action=review
> Source/WebCore/ChangeLog:11 > + While initializing CSSPrimitiveValue for type Calculated, CSSCalcValue calls "create". This internally calls > + createCSS which return nullptr at multiple places, ends up returning nullptr for "create".
This is very wordy. How about something like this: Initializing CSSPrimitiveValue for Calculated type calls createCSS, which return nullptr in multiple circumstances, resulting in m_value.calc to be initialized to nullptr. All ref counted objects have a pattern where the constructor is private, and there is a corresponding static create() function so there is no need to explicitly talk about it.
> Source/WebCore/ChangeLog:13 > + Initially createCSS is called for node type Operation, and in op type Min for operationChildren. CSSCalcOperationNode::createMinOrMaxOrClamp
What is in op type Min?
> Source/WebCore/ChangeLog:14 > + returns NULL in this case as for one of the children node, category(lenght) and valueCategory(percent) are not same, and doesn't satisfy condition
I don't think we need to go into details like this. It's sufficient to say createCSS returns nullptr in some cases. Given we've already stated that createCSS is involved, we can just say this here: As an example, createCSS returns nullptr when processing min() operator and there is a category mismatch between length and percent for min() operator as it is the case in the newly added test case.
Pinki Gyanchandani
Comment 12
2020-03-17 20:07:30 PDT
Created
attachment 393819
[details]
Patch
Ryosuke Niwa
Comment 13
2020-03-17 22:01:34 PDT
There is no security implication here. Just a null dereferencing.
WebKit Commit Bot
Comment 14
2020-03-17 22:47:19 PDT
Comment on
attachment 393819
[details]
Patch Clearing flags on attachment: 393819 Committed
r258625
: <
https://trac.webkit.org/changeset/258625
>
WebKit Commit Bot
Comment 15
2020-03-17 22:47:21 PDT
All reviewed patches have been landed. Closing bug.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug