Bug 208316 - Crash in CSSPrimitiveValue::cleanup
Summary: Crash in CSSPrimitiveValue::cleanup
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Pinki Gyanchandani
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-02-27 08:31 PST by Ali Juma
Modified: 2020-03-17 22:47 PDT (History)
11 users (show)

See Also:


Attachments
Minimal test case (1.21 KB, text/html)
2020-02-27 08:31 PST, Ali Juma
no flags Details
Patch (2.89 KB, patch)
2020-03-16 15:43 PDT, Pinki Gyanchandani
no flags Details | Formatted Diff | Diff
Patch (3.60 KB, patch)
2020-03-16 16:10 PDT, Pinki Gyanchandani
no flags Details | Formatted Diff | Diff
Patch (4.21 KB, patch)
2020-03-17 14:11 PDT, Pinki Gyanchandani
no flags Details | Formatted Diff | Diff
Patch (4.21 KB, patch)
2020-03-17 14:14 PDT, Pinki Gyanchandani
no flags Details | Formatted Diff | Diff
Patch (3.84 KB, patch)
2020-03-17 20:07 PDT, Pinki Gyanchandani
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Ali Juma 2020-02-27 08:31:37 PST
Created attachment 391877 [details]
Minimal test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

Crash stack:
=================================================================
==62534==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x0001bbb8ab7d bp 0x7ffeedf5da90 sp 0x7ffeedf5da80 T0)
==62534==The signal is caused by a READ memory access.
==62534==Hint: address points to the zero page.
==62534==WARNING: invalid path to external symbolizer!
==62534==WARNING: Failed to use and restart external symbolizer!
    #0 0x1bbb8ab7c in WTF::RefCountedBase::derefBase() const (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x10b7c)
    #1 0x1bbd0f36d in WebCore::CSSValue::deref() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x19536d)
    #2 0x1be814650 in WebCore::CSSPrimitiveValue::cleanup() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c9a650)
    #3 0x1be81445d in WebCore::CSSPrimitiveValue::~CSSPrimitiveValue() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c9a45d)
    #4 0x1be852774 in WebCore::CSSValue::destroy() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cd8774)
    #5 0x1be803a77 in WTF::VectorDestructor<true, WTF::Ref<WebCore::CSSValue, WTF::DumbPtrTraits<WebCore::CSSValue> > >::destruct(WTF::Ref<WebCore::CSSValue, WTF::DumbPtrTraits<WebCore::CSSValue> >*, WTF::Ref<WebCore::CSSValue, WTF::DumbPtrTraits<WebCore::CSSValue> >*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c89a77)
    #6 0x1be8039da in WTF::Vector<WTF::Ref<WebCore::CSSValue, WTF::DumbPtrTraits<WebCore::CSSValue> >, 4ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::~Vector() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c899da)
    #7 0x1be7fc9b1 in WebCore::CSSValueList::~CSSValueList() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c829b1)
    #8 0x1be852c5a in WebCore::CSSValue::destroy() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2cd8c5a)
    #9 0x1be77bff7 in WTF::VectorDestructor<true, WebCore::CSSProperty>::destruct(WebCore::CSSProperty*, WebCore::CSSProperty*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c01ff7)
    #10 0x1be90794a in WTF::Vector<WebCore::CSSProperty, 4ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::~Vector() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d8d94a)
    #11 0x1be8e939a in WebCore::MutableStyleProperties::~MutableStyleProperties() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d6f39a)
    #12 0x1be3d02e9 in WebCore::StylePropertiesBase::deref() const (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28562e9)
    #13 0x1bede2e0e in WebCore::EditingStyle::~EditingStyle() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3268e0e)
    #14 0x1b1b4edf2 in std::__1::default_delete<WebCore::EditingStyle>::operator()(WebCore::EditingStyle*) const (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1b4edf2)
    #15 0x1b1b04435 in WebKit::WebPage::editorState(WebKit::WebPage::IncludePostLayoutDataHint) const (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1b04435)
    #16 0x1b1b27c46 in WebKit::WebPage::sendEditorStateUpdate() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1b27c46)
    #17 0x1b184f824 in WebKit::WebEditorClient::respondToChangedContents() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x184f824)
    #18 0x1bedf7c90 in WebCore::Editor::respondToChangedContents(WebCore::VisibleSelection const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x327dc90)
    #19 0x1bedfd6ef in WebCore::Editor::appliedEditing(WebCore::CompositeEditCommand&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32836ef)
    #20 0x1bed904b9 in WebCore::CompositeEditCommand::apply() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32164b9)
    #21 0x1bee3e1fd in WebCore::executeInsertOrderedList(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32c41fd)
    #22 0x1beacdc91 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f53c91)
    #23 0x1bc587800 in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xa0d800)
    #24 0x1bc444625 in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8ca625)
    #25 0x442896c01177  (<unknown module>)
    #26 0x1d66db45b in llint_entry (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa8c45b)
    #27 0x1d66c43d8 in vmEntryToJavaScript (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa753d8)
    #28 0x1d7cec937 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x209d937)
    #29 0x1d8318140 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x26c9140)
    #30 0x1d8318242 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x26c9242)
    #31 0x1d831861f in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x26c961f)
    #32 0x1be41401b in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x289a01b)
    #33 0x1be43d071 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28c3071)
    #34 0x1bebdf35b in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x306535b)
    #35 0x1bebda6f2 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x30606f2)
    #36 0x1bf95a69d in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3de069d)
    #37 0x1bf96bfa8 in WebCore::DOMWindow::dispatchLoadEvent() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3df1fa8)
    #38 0x1beab7180 in WebCore::Document::dispatchWindowLoadEvent() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f3d180)
    #39 0x1beab6af0 in WebCore::Document::implicitClose() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f3caf0)
    #40 0x1bf7a4bc2 in WebCore::FrameLoader::checkCompleted() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c2abc2)
    #41 0x1bf7a15de in WebCore::FrameLoader::finishedParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c275de)
    #42 0x1bead3af2 in WebCore::Document::finishedParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f59af2)
    #43 0x1bf348510 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37ce510)
    #44 0x1bf73890a in WebCore::DocumentWriter::end() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bbe90a)
    #45 0x1bf7371a8 in WebCore::DocumentLoader::finishedLoading() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bbd1a8)
    #46 0x1bf736dee in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bbcdee)
    #47 0x1bf8c4927 in WebCore::CachedResource::checkNotify() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3d4a927)
    #48 0x1bf8c0ac8 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3d46ac8)
    #49 0x1bf844cde in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3ccacde)
    #50 0x1b1754ca6 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1754ca6)
    #51 0x1b1e56547 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1e56547)
    #52 0x1b1e55649 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1e55649)
    #53 0x1b1711334 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1711334)
    #54 0x1b008598a in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8598a)
    #55 0x1b008667a in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8667a)
    #56 0x1b00872b8 in IPC::Connection::dispatchOneIncomingMessage() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x872b8)
    #57 0x1d5d0c679 in WTF::RunLoop::performWork() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xbd679)
    #58 0x1d5d0d25a in WTF::RunLoop::performWork(void*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xbe25a)
    #59 0x7fff2c6f631a in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x5731a)
    #60 0x7fff2c6f62c0 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x572c0)
    #61 0x7fff2c6da1ba in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3b1ba)
    #62 0x7fff2c6d9782 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3a782)
    #63 0x7fff2c6d9084 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3a084)
    #64 0x7fff2e94da9e in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1ca9e)
    #65 0x7fff2e94d973 in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1c973)
    #66 0x7fff58dc51d6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x111d6)
    #67 0x7fff58dc4cd8 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10cd8)
    #68 0x1b0904465 in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x904465)
    #69 0x7fff58b923d4 in start (/usr/lib/system/libdyld.dylib:x86_64+0x163d4)
==62534==Register values:
rax = 0x0000100000000000  rbx = 0x0000000000000000  rcx = 0x0000100000000000  rdx = 0x0000100000000000
rdi = 0x0000000000000004  rsi = 0x0000606000130620  rbp = 0x00007ffeedf5da90  rsp = 0x00007ffeedf5da80
 r8 = 0x0000000000000018   r9 = 0x00000fffffffffff  r10 = 0x0000000000000000  r11 = 0xffffffffffffffff
r12 = 0x00007ffeedf5dd00  r13 = 0x0000000000000000  r14 = 0x0000100000000000  r15 = 0x000060300012c8b0
Comment 1 Radar WebKit Bug Importer 2020-02-27 08:31:47 PST
<rdar://problem/59848034>
Comment 2 Pinki Gyanchandani 2020-03-16 15:43:38 PDT
Created attachment 393696 [details]
Patch
Comment 3 Pinki Gyanchandani 2020-03-16 16:10:48 PDT
Created attachment 393703 [details]
Patch
Comment 4 Simon Fraser (smfr) 2020-03-16 16:45:00 PDT
Comment on attachment 393703 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393703&action=review

> Source/WebCore/css/CSSPrimitiveValue.cpp:456
> +        if (m_value.calc)
> +            m_value.calc->deref();

Do we understand how we ended up with a type of CSSUnitType::CSS_CALC but no calc value? That suggests a bug elsewhere.
Comment 5 Simon Fraser (smfr) 2020-03-16 16:45:45 PDT
Comment on attachment 393703 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393703&action=review

>> Source/WebCore/css/CSSPrimitiveValue.cpp:456
>> +            m_value.calc->deref();
> 
> Do we understand how we ended up with a type of CSSUnitType::CSS_CALC but no calc value? That suggests a bug elsewhere.

If we do, then the changelog should explain it.
Comment 6 Ryosuke Niwa 2020-03-16 17:09:53 PDT
Comment on attachment 393703 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393703&action=review

> Source/WebCore/ChangeLog:8
> +        Added a NULL check before calling defer() for CSSUnitType :: CSS_CALC.

Please describe why we need this null check as we discussed.
Namely about how WebCore::createCSS can return nullptr.

>>> Source/WebCore/css/CSSPrimitiveValue.cpp:456
>>> +            m_value.calc->deref();
>> 
>> Do we understand how we ended up with a type of CSSUnitType::CSS_CALC but no calc value? That suggests a bug elsewhere.
> 
> If we do, then the changelog should explain it.

Yes, CSSCalcValue::create calls WebCore::createCSS, which returns nullptr in numerous cases.
Comment 7 Pinki Gyanchandani 2020-03-17 14:11:55 PDT
Created attachment 393785 [details]
Patch
Comment 8 Pinki Gyanchandani 2020-03-17 14:14:47 PDT
Created attachment 393786 [details]
Patch
Comment 9 Pinki Gyanchandani 2020-03-17 14:16:42 PDT
(In reply to Simon Fraser (smfr) from comment #5)
> Comment on attachment 393703 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=393703&action=review
> 
> >> Source/WebCore/css/CSSPrimitiveValue.cpp:456
> >> +            m_value.calc->deref();
> > 
> > Do we understand how we ended up with a type of CSSUnitType::CSS_CALC but no calc value? That suggests a bug elsewhere.
> 
> If we do, then the changelog should explain it.


I have updated the changeling, as per suggestion from you and Ryosuke.
Kindly help with review
Comment 10 Pinki Gyanchandani 2020-03-17 14:17:06 PDT
(In reply to Pinki Gyanchandani from comment #9)
> (In reply to Simon Fraser (smfr) from comment #5)
> > Comment on attachment 393703 [details]
> > Patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=393703&action=review
> > 
> > >> Source/WebCore/css/CSSPrimitiveValue.cpp:456
> > >> +            m_value.calc->deref();
> > > 
> > > Do we understand how we ended up with a type of CSSUnitType::CSS_CALC but no calc value? That suggests a bug elsewhere.
> > 
> > If we do, then the changelog should explain it.
> 
> 
> I have updated the changelog, as per suggestion from you and Ryosuke.
> Kindly help with review
Comment 11 Ryosuke Niwa 2020-03-17 17:40:28 PDT
Comment on attachment 393786 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393786&action=review

> Source/WebCore/ChangeLog:11
> +        While initializing CSSPrimitiveValue for type Calculated, CSSCalcValue calls "create". This internally calls
> +        createCSS which return nullptr at multiple places, ends up returning nullptr for "create".

This is very wordy. How about something like this:
Initializing CSSPrimitiveValue for Calculated type calls createCSS,
which return nullptr in multiple circumstances, resulting in m_value.calc to be initialized to nullptr.

All ref counted objects have a pattern where the constructor is private,
and there is a corresponding static create() function so there is no need to explicitly talk about it.

> Source/WebCore/ChangeLog:13
> +        Initially createCSS is called for node type Operation, and in op type Min for operationChildren. CSSCalcOperationNode::createMinOrMaxOrClamp

What is in op type Min?

> Source/WebCore/ChangeLog:14
> +        returns NULL in this case as for one of the children node, category(lenght) and valueCategory(percent) are not same, and doesn't satisfy condition

I don't think we need to go into details like this. It's sufficient to say createCSS returns nullptr in some cases.
Given we've already stated that createCSS is involved, we can just say this here:

As an example, createCSS returns nullptr when processing min() operator
and there is a category mismatch between length and percent for min() operator
as it is the case in the newly added test case.
Comment 12 Pinki Gyanchandani 2020-03-17 20:07:30 PDT
Created attachment 393819 [details]
Patch
Comment 13 Ryosuke Niwa 2020-03-17 22:01:34 PDT
There is no security implication here. Just a null dereferencing.
Comment 14 WebKit Commit Bot 2020-03-17 22:47:19 PDT
Comment on attachment 393819 [details]
Patch

Clearing flags on attachment: 393819

Committed r258625: <https://trac.webkit.org/changeset/258625>
Comment 15 WebKit Commit Bot 2020-03-17 22:47:21 PDT
All reviewed patches have been landed.  Closing bug.