RESOLVED FIXED 208318
Crash in KeyframeEffect::getAnimatedStyle
https://bugs.webkit.org/show_bug.cgi?id=208318
Summary Crash in KeyframeEffect::getAnimatedStyle
Ali Juma
Reported 2020-02-27 08:38:14 PST
Created attachment 391879
Minimal test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

Crash stack:
=================================================================
==97462==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x0007607d4d22 bp 0x7ffee4683ed0 sp 0x7ffee4683ec0 T0)
==97462==The signal is caused by a READ memory access.
==97462==Hint: address points to the zero page.
==97462==WARNING: invalid path to external symbolizer!
==97462==WARNING: Failed to use and restart external symbolizer!
    #0 0x7607d4d21 in WTF::Ref<WebCore::StyleBoxData, WTF::DumbPtrTraits<WebCore::StyleBoxData> >::copyRef() const & (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4c5ad21)
    #1 0x7607d4cf8 in WebCore::DataRef<WebCore::StyleBoxData>::DataRef(WebCore::DataRef<WebCore::StyleBoxData> const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4c5acf8)
    #2 0x7607d4b4e in WebCore::RenderStyle::RenderStyle(WebCore::RenderStyle const&, WebCore::RenderStyle::CloneTag) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4c5ab4e)
    #3 0x7607d3e3d in std::__1::__unique_if<WebCore::RenderStyle>::__unique_single std::__1::make_unique<WebCore::RenderStyle, WebCore::RenderStyle const&, WebCore::RenderStyle::CloneTag>(WebCore::RenderStyle const&&&, WebCore::RenderStyle::CloneTag&&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4c59e3d)
    #4 0x7607b6d1f in WebCore::RenderStyle::clonePtr(WebCore::RenderStyle const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4c3cd1f)
    #5 0x75e3a47aa in WebCore::KeyframeEffect::getAnimatedStyle(std::__1::unique_ptr<WebCore::RenderStyle, std::__1::default_delete<WebCore::RenderStyle> >&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x282a7aa)
    #6 0x75e3a44a9 in WebCore::DocumentTimeline::animatedStyleForRenderer(WebCore::RenderElement&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x282a4a9)
    #7 0x7604cad15 in WebCore::RenderLayer::currentTransform(WebCore::RenderStyle::ApplyTransformOrigin) const (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4950d15)
    #8 0x7603a4156 in WebCore::RenderBox::layoutOverflowRectForPropagation(WebCore::RenderStyle const*) const (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x482a156)
    #9 0x7603a655b in WebCore::RenderBox::logicalLayoutOverflowRectForPropagation(WebCore::RenderStyle const*) const (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x482c55b)
    #10 0x7602d0d05 in WebCore::InlineFlowBox::addReplacedChildOverflow(WebCore::InlineBox const*, WebCore::LayoutRect&, WebCore::LayoutRect&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4756d05)
    #11 0x7602cd1cc in WebCore::InlineFlowBox::computeOverflow(WebCore::LayoutUnit, WebCore::LayoutUnit, WTF::HashMap<WebCore::InlineTextBox const*, std::__1::pair<WTF::Vector<WebCore::Font const*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::__1::pair<WTF::Vector<WebCore::Font const*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::GlyphOverflow> > >&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x47531cc)
    #12 0x760227747 in WebCore::ComplexLineLayout::createLineBoxesFromBidiRuns(unsigned int, WebCore::BidiRunList<WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::LineInfo&, WebCore::VerticalPositionCache&, WebCore::BidiRun*, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x46ad747)
    #13 0x76022a29b in WebCore::ComplexLineLayout::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x46b029b)
    #14 0x760227eca in WebCore::ComplexLineLayout::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x46adeca)
    #15 0x76022fafd in WebCore::ComplexLineLayout::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x46b5afd)
    #16 0x76034494b in WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x47ca94b)
    #17 0x760342d60 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x47c8d60)
    #18 0x7603078b9 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x478d8b9)
    #19 0x760348cf3 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x47cecf3)
    #20 0x760344c92 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x47cac92)
    #21 0x760342d6b in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x47c8d6b)
    #22 0x7603078b9 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x478d8b9)
    #23 0x760348cf3 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x47cecf3)
    #24 0x760344c92 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x47cac92)
    #25 0x760342d6b in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x47c8d6b)
    #26 0x7603078b9 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x478d8b9)
    #27 0x760348cf3 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x47cecf3)
    #28 0x760344c92 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x47cac92)
    #29 0x760342d6b in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x47c8d6b)
    #30 0x7603078b9 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x478d8b9)
    #31 0x7606a3ea3 in WebCore::RenderView::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4b29ea3)
    #32 0x75fa4053b in WebCore::FrameViewLayoutContext::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3ec653b)
    #33 0x75eab6d09 in WebCore::Document::implicitClose() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f3cd09)
    #34 0x75f7a4bc2 in WebCore::FrameLoader::checkCompleted() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c2abc2)
    #35 0x75f7a15de in WebCore::FrameLoader::finishedParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3c275de)
    #36 0x75ead3af2 in WebCore::Document::finishedParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f59af2)
    #37 0x75f348510 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37ce510)
    #38 0x75f73890a in WebCore::DocumentWriter::end() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bbe90a)
    #39 0x75f7371a8 in WebCore::DocumentLoader::finishedLoading() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bbd1a8)
    #40 0x75f736dee in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bbcdee)
    #41 0x75f8c4927 in WebCore::CachedResource::checkNotify() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3d4a927)
    #42 0x75f8c0ac8 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3d46ac8)
    #43 0x75f844cde in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3ccacde)
    #44 0x751754ca6 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1754ca6)
    #45 0x751e56547 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1e56547)
    #46 0x751e55649 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1e55649)
    #47 0x751711334 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1711334)
    #48 0x75008598a in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8598a)
    #49 0x75008667a in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8667a)
    #50 0x7500872b8 in IPC::Connection::dispatchOneIncomingMessage() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x872b8)
    #51 0x775d0c679 in WTF::RunLoop::performWork() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xbd679)
    #52 0x775d0d25a in WTF::RunLoop::performWork(void*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xbe25a)
    #53 0x7fff4851dada in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x57ada)
    #54 0x7fff4851da80 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x57a80)
    #55 0x7fff4850198a in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3b98a)
    #56 0x7fff48500f52 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3af52)
    #57 0x7fff48500854 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3a854)
    #58 0x7fff4a78332e in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1c32e)
    #59 0x7fff4a783203 in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1c203)
    #60 0x7fff74729076 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x11076)
    #61 0x7fff74728b78 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10b78)
    #62 0x750904465 in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x904465)
    #63 0x7fff744f03d4 in start (/usr/lib/system/libdyld.dylib:x86_64+0x163d4)

==97462==Register values:
rax = 0x0000000000000009 rbx = 0x0000608000096020 rcx = 0x0000100000000009 rdx = 0x0000000000000000
rdi = 0x0000608000096020 rsi = 0x0000000000000048 rbp = 0x00007ffee4683ed0 rsp = 0x00007ffee4683ec0
 r8 = 0x0000200000000000  r9 = 0x00000fffffffffff r10 = 0x0000000000000000 r11 = 0xffffffffffffffff
r12 = 0x0000608000096020 r13 = 0x00007ffee4683f80 r14 = 0x0000000000000048 r15 = 0x0000100000000000
Attachments
Minimal test case (2.44 KB, text/html)
2020-02-27 08:38 PST, Ali Juma
no flags
Patch (3.77 KB, patch)
2020-03-11 01:16 PDT, Jack
no flags
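Added example (not part of the original report, and not a WebKit or ClusterFuzz tool): a small Python triage helper run over an excerpt of the AddressSanitizer report in the description above. It extracts the fault address, the access type, simplified frame names and the registers that hold the fault address, and labels the crash as a near-null access or not; the function names, the `PAGE` threshold and the shortened module paths are assumptions of this example.

```python
import re

# Excerpt of the report above: header, frames #0-#5, one register row.
# Module paths are shortened to the binary name; nothing else is changed.
REPORT = """\
==97462==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x0007607d4d22 bp 0x7ffee4683ed0 sp 0x7ffee4683ec0 T0)
==97462==The signal is caused by a READ memory access.
==97462==Hint: address points to the zero page.
    #0 0x7607d4d21 in WTF::Ref<WebCore::StyleBoxData, WTF::DumbPtrTraits<WebCore::StyleBoxData> >::copyRef() const & (WebCore:x86_64+0x4c5ad21)
    #1 0x7607d4cf8 in WebCore::DataRef<WebCore::StyleBoxData>::DataRef(WebCore::DataRef<WebCore::StyleBoxData> const&) (WebCore:x86_64+0x4c5acf8)
    #2 0x7607d4b4e in WebCore::RenderStyle::RenderStyle(WebCore::RenderStyle const&, WebCore::RenderStyle::CloneTag) (WebCore:x86_64+0x4c5ab4e)
    #3 0x7607d3e3d in std::__1::__unique_if<WebCore::RenderStyle>::__unique_single std::__1::make_unique<WebCore::RenderStyle, WebCore::RenderStyle const&, WebCore::RenderStyle::CloneTag>(WebCore::RenderStyle const&&&, WebCore::RenderStyle::CloneTag&&) (WebCore:x86_64+0x4c59e3d)
    #4 0x7607b6d1f in WebCore::RenderStyle::clonePtr(WebCore::RenderStyle const&) (WebCore:x86_64+0x4c3cd1f)
    #5 0x75e3a47aa in WebCore::KeyframeEffect::getAnimatedStyle(std::__1::unique_ptr<WebCore::RenderStyle, std::__1::default_delete<WebCore::RenderStyle> >&) (WebCore:x86_64+0x282a7aa)
==97462==Register values:
rdi = 0x0000608000096020 rsi = 0x0000000000000048 rbp = 0x00007ffee4683ed0 rsp = 0x00007ffee4683ec0
"""
PAGE = 0x1000  # assumption: faults below one page count as null + offset

def short_name(sym):
    """Drop template arguments, parameter list and return type from a symbol."""
    out, depth = [], 0
    for ch in sym:
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth -= 1
        elif ch == "(" and depth == 0:
            break
        elif depth == 0:
            out.append(ch)
    return "".join(out).split()[-1]

def triage(report):
    """Summarise an ASan SEGV report (hypothetical helper for this example)."""
    head = re.search(r"AddressSanitizer: (\w+) on unknown address (0x[0-9a-f]+)", report)
    access = re.search(r"caused by a (READ|WRITE) memory access", report)
    frames = [short_name(m.group(1)) for m in re.finditer(
        r"^\s*#\d+ 0x[0-9a-f]+ in (.+) \([^()]*\+0x[0-9a-f]+\)$", report, re.M)]
    regs = {k: int(v, 16) for k, v in re.findall(r"\b(r\w+) = (0x[0-9a-f]+)", report)}
    addr = int(head.group(2), 16)
    kind = access.group(1) if access else "UNKNOWN"
    return {
        "signal": head.group(1),
        "fault_address": addr,
        "kind": ("near-null " if addr < PAGE else "wild ") + kind,
        "regs_at_fault": sorted(r for r, v in regs.items() if v == addr),
        "frames": frames,
        "bucket": " < ".join(frames[:3]),  # dedup key: top three frames
    }

if __name__ == "__main__":
    print(triage(REPORT))
```

The `regs_at_fault` entry shows which register carried the faulting pointer, which helps when matching the crash to the disassembly at `pc`.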
Radar WebKit Bug Importer
Comment 1 2020-02-27 08:38:24 PST
Jack
Comment 2 2020-03-11 00:48:46 PDT
Root cause: In this test case, JavaScript appends Q to style, so Q becomes a child of head. Since head doesn't have a render style, its descendants' renderers are also set to null. And in function KeyframeEffect::getAnimatedStyle, the render style is needed, therefore the code crashes at a null deref.
Jack
Comment 3 2020-03-11 01:16:45 PDT
Jack
Comment 4 2020-03-11 01:23:52 PDT
Reduced test case:

<style id=STYLE>
MARQUEE { -webkit-transition-duration: 1s; }
</style><script>
function jsfuzzer() {
 STYLE.appendChild(Q);
 MARQUEE.style.setProperty("-webkit-perspective-origin-y", "0px");
 MARQUEE.style.setProperty("-webkit-transform", "rotate(48deg)");
 var00220 = new KeyframeEffect(Q, [ ], 1);
 Array(PRE.getRootNode().getAnimations()[0])[0].effect = var00220;
}
</script>
<body onload=jsfuzzer()><pre id=PRE></pre><marquee id=MARQUEE><q id="Q"></q>

DOM tree after “STYLE.appendChild(Q);”

#document 0x61f00004a680 (renderer 0x617000100300) (child needs style recalc)
  HTML 0x60c00010e100 (renderer 0x612000090340) (child needs style recalc)
*   HEAD 0x60c00010e1c0 (renderer 0x0)
      STYLE 0x610000047f40 (renderer 0x0)
        #text 0x608000145f20 "\nMARQUEE { -webkit-transition-duration: 1s; }\n"
        Q 0x60c00010f300 (renderer 0x0)
      SCRIPT 0x610000058040 (renderer 0x0)
        #text 0x608000145fa0 "\nfunction jsfuzzer() {\n STYLE.appendChild(Q);\n MARQUEE.style.setProperty("-webkit-perspective-origin-y", "0px");\n MARQUEE.style.setProperty("-webkit-transform", "rotate(48deg)");\n var00220 = new KeyframeEffect(Q, [ ], 1);\n Array(PRE.getRootNode().getAnimations()[0])[0].effect = var00220;\n}\n"
      #text 0x608000146120 "\n"
    BODY 0x60c00010f0c0 (renderer 0x6120000904c0) (child needs style recalc)
      PRE 0x60c00010f180 (renderer 0x612000090640)
      MARQUEE 0x60e0000a21c0 (renderer 0x6120000907c0) STYLE=perspective-origin-y: 0px; transform: rotate(48deg); (needs style recalc)
        #text 0x6080001461a0 "\n"
EWS
Comment 5 2020-03-11 07:40:35 PDT
Committed r258260: <https://trac.webkit.org/changeset/258260>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 393210.
Ryosuke Niwa
Comment 6 2020-03-16 12:32:41 PDT
There is no security implication here.