Bug 213514 - Crash in InsertTextCommand::doApply
Summary: Crash in InsertTextCommand::doApply
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Sergio Villar Senin
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-06-23 07:19 PDT by Ali Juma
Modified: 2021-03-30 20:01 PDT
CC List: 15 users

See Also:


Attachments
Minimal test case (1.28 KB, text/html), 2020-06-23 07:19 PDT, Ali Juma, no flags
More reduced testcase (402 bytes, text/html), 2021-01-15 07:14 PST, Rob Buis, no flags
Patch (2.01 KB, patch), 2021-02-03 02:21 PST, Sergio Villar Senin, no flags
Test case (526 bytes, text/html), 2021-02-03 02:24 PST, Sergio Villar Senin, no flags
Patch (4.14 KB, patch), 2021-02-08 07:52 PST, Sergio Villar Senin, no flags
Patch (4.15 KB, patch), 2021-02-08 10:47 PST, Sergio Villar Senin, no flags
Patch (4.41 KB, patch), 2021-02-10 12:09 PST, Sergio Villar Senin, rniwa: review+
Patch for landing (4.51 KB, patch), 2021-02-11 05:10 PST, Sergio Villar Senin, ews-feeder: commit-queue-

Description Ali Juma 2020-06-23 07:19:56 PDT
Created attachment 402555
Minimal test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

Crash stack:
=================================================================
==13664==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00022018c591 bp 0x7ffee5b12160 sp 0x7ffee5b12160 T0)
==13664==The signal is caused by a READ memory access.
==13664==Hint: address points to the zero page.
==13664==WARNING: invalid path to external symbolizer!
==13664==WARNING: Failed to use and restart external symbolizer!
    #0 0x22018c590 in WebCore::Node::parentNode() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x18c590)
    #1 0x22340f0ca in WebCore::positionInParentBeforeNode(WebCore::Node*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x340f0ca)
    #2 0x2235ea4af in WebCore::InsertTextCommand::doApply() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x35ea4af)
    #3 0x223534c12 in WebCore::CompositeEditCommand::applyCommandToComposite(WTF::Ref<WebCore::CompositeEditCommand, WTF::DumbPtrTraits<WebCore::CompositeEditCommand> >&&, WebCore::VisibleSelection const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3534c12)
    #4 0x22364848f in WebCore::TypingCommand::insertTextRunWithoutNewlines(WTF::String const&, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x364848f)
    #5 0x22366fedd in WebCore::TypingCommandLineOperation::operator()(unsigned long, unsigned long, bool) const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x366fedd)
    #6 0x2236481a0 in WebCore::TypingCommand::insertText(WTF::String const&, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x36481a0)
    #7 0x22364596c in WebCore::TypingCommand::insertTextAndNotifyAccessibility(WTF::String const&, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x364596c)
    #8 0x223519bb6 in WebCore::CompositeEditCommand::apply() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3519bb6)
    #9 0x223629249 in WebCore::TextInsertionBaseCommand::applyTextInsertionCommand(WebCore::Frame*, WebCore::TextInsertionBaseCommand&, WebCore::VisibleSelection const&, WebCore::VisibleSelection const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3629249)
    #10 0x22364570c in WebCore::TypingCommand::insertText(WebCore::Document&, WTF::String const&, WebCore::VisibleSelection const&, unsigned int, WebCore::TypingCommand::TextCompositionType) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x364570c)
    #11 0x2235ce1ec in WebCore::executeInsertText(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x35ce1ec)
    #12 0x223244328 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3244328)
    #13 0x2209ea44b in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9ea44b)
    #14 0x220892095 in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x892095)
    #15 0x50e466401177  (<unknown module>)
    #16 0x23cc00a3b in llint_entry (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xb32a3b)
    #17 0x23cbe6f88 in vmEntryToJavaScript (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xb18f88)
    #18 0x23e2a2d20 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x21d4d20)
    #19 0x23e95a4bf in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x288c4bf)
    #20 0x23e95a87b in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x288c87b)
    #21 0x222b66fb3 in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x2b66fb3)
    #22 0x222b90a89 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x2b90a89)
    #23 0x223365bb2 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3365bb2)
    #24 0x22336070e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x336070e)
    #25 0x22334d71d in WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x334d71d)
    #26 0x22334e5e9 in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x334e5e9)
    #27 0x22334e06d in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x334e06d)
    #28 0x22343edb7 in WebCore::ScopedEventQueue::dispatchAllEvents() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x343edb7)
    #29 0x223244343 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3244343)
    #30 0x2209ea44b in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9ea44b)
    #31 0x220892095 in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x892095)
    #32 0x50e466401177  (<unknown module>)
    #33 0x23cc00a3b in llint_entry (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xb32a3b)
    #34 0x23cbe6f88 in vmEntryToJavaScript (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xb18f88)
    #35 0x23e2a2d20 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x21d4d20)
    #36 0x23e95a4bf in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x288c4bf)
    #37 0x23e95a87b in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x288c87b)
    #38 0x222b66fb3 in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x2b66fb3)
    #39 0x222b90a89 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x2b90a89)
    #40 0x223365bb2 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3365bb2)
    #41 0x22336070e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x336070e)
    #42 0x22334d71d in WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x334d71d)
    #43 0x22334e5e9 in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x334e5e9)
    #44 0x22334e06d in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x334e06d)
    #45 0x22343eadf in WebCore::ScopedEventQueue::enqueueEvent(WTF::Ref<WebCore::Event, WTF::DumbPtrTraits<WebCore::Event> >&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x343eadf)
    #46 0x22334db2d in WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x334db2d)
    #47 0x2231d0f13 in WebCore::dispatchChildRemovalEvents(WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x31d0f13)
    #48 0x2231c29e5 in WebCore::ContainerNode::removeChild(WebCore::Node&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x31c29e5)
    #49 0x2231c1f4f in WebCore::ContainerNode::replaceChild(WebCore::Node&, WebCore::Node&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x31c1f4f)
    #50 0x22330d178 in WebCore::Element::setOuterHTML(WTF::String const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x330d178)
    #51 0x220ad6c76 in WebCore::setJSElementOuterHTMLSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue, JSC::ThrowScope&)::'lambda'()::operator()() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0xad6c76)
    #52 0x220ad6b3b in std::__1::enable_if<!(std::is_same<void, decltype(fp1())>::value), void>::type WebCore::AttributeSetter::call<WebCore::setJSElementOuterHTMLSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue, JSC::ThrowScope&)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::setJSElementOuterHTMLSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue, JSC::ThrowScope&)::'lambda'()&&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0xad6b3b)
    #53 0x220ad68d0 in WebCore::setJSElementOuterHTMLSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue, JSC::ThrowScope&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0xad68d0)
    #54 0x220a214c7 in bool WebCore::IDLAttribute<WebCore::JSElement>::set<&(WebCore::setJSElementOuterHTMLSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, char const*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0xa214c7)
    #55 0x23e9c5108 in JSC::callCustomSetter(JSC::JSGlobalObject*, bool (*)(JSC::JSGlobalObject*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x28f7108)
    #56 0x23e9c5245 in JSC::callCustomSetter(JSC::JSGlobalObject*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x28f7245)
    #57 0x23ec15ae8 in JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2b47ae8)
    #58 0x23e5682fc in llint_slow_path_put_by_id (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x249a2fc)
    #59 0x23cbf0ac2 in llint_entry (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xb22ac2)
    #60 0x23cbe6f88 in vmEntryToJavaScript (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xb18f88)
    #61 0x23e2a2d20 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x21d4d20)
    #62 0x23e95a4bf in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x288c4bf)
    #63 0x23e95a87b in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x288c87b)
    #64 0x222b66fb3 in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x2b66fb3)
    #65 0x222b90a89 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x2b90a89)
    #66 0x223365bb2 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3365bb2)
    #67 0x22336070e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x336070e)
    #68 0x2241aa31d in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x41aa31d)
    #69 0x2241bba08 in WebCore::DOMWindow::dispatchLoadEvent() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x41bba08)
    #70 0x22322cf40 in WebCore::Document::dispatchWindowLoadEvent() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x322cf40)
    #71 0x22322c9df in WebCore::Document::implicitClose() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x322c9df)
    #72 0x223fdf2e2 in WebCore::FrameLoader::checkCompleted() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3fdf2e2)
    #73 0x223fdbb90 in WebCore::FrameLoader::finishedParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3fdbb90)
    #74 0x22324a1b2 in WebCore::Document::finishedParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x324a1b2)
    #75 0x223ae24e0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3ae24e0)
    #76 0x223f6c70a in WebCore::DocumentWriter::end() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3f6c70a)
    #77 0x223f6b1f2 in WebCore::DocumentLoader::finishedLoading() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3f6b1f2)
    #78 0x223f6ab53 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3f6ab53)
    #79 0x22411137b in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x411137b)
    #80 0x22410d22f in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x410d22f)
    #81 0x22408b757 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x408b757)
    #82 0x10ba5f6c6 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x19726c6)
    #83 0x10c12f896 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2042896)
    #84 0x10c12ed0a in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2041d0a)
    #85 0x10ba22ada in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x1935ada)
    #86 0x10a172bce in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x85bce)
    #87 0x10a173898 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x86898)
    #88 0x10a174408 in IPC::Connection::dispatchOneIncomingMessage() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x87408)
    #89 0x23c19426a in WTF::RunLoop::performWork() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc626a)
    #90 0x23c194eaa in WTF::RunLoop::performWork(void*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc6eaa)
    #91 0x7fff3ca6c31a in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x5731a)
    #92 0x7fff3ca6c2c0 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x572c0)
    #93 0x7fff3ca501ba in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3b1ba)
    #94 0x7fff3ca4f782 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3a782)
    #95 0x7fff3ca4f084 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3a084)
    #96 0x7fff3ecc3a9e in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1ca9e)
    #97 0x7fff3ecc3973 in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1c973)
    #98 0x7fff6913b1d6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x111d6)
    #99 0x7fff6913acd8 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10cd8)
    #100 0x10aa2649d in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x93949d)
    #101 0x7fff68f083d4 in start (/usr/lib/system/libdyld.dylib:x86_64+0x163d4)
==13664==Register values:
rax = 0x0000000000000003  rbx = 0x00007ffee5b124a0  rcx = 0x0000100000000003  rdx = 0x0000000000000000
rdi = 0x0000000000000018  rsi = 0x0000000000000000  rbp = 0x00007ffee5b12160  rsp = 0x00007ffee5b12160
 r8 = 0x0000100000000000   r9 = 0x0000000000000000  r10 = 0xffffffffffffffff  r11 = 0xffffffffffffff60
r12 = 0x00007ffee5b121c0  r13 = 0x000061100010ddc0  r14 = 0x00007ffee5b12280  r15 = 0x0000000000000000
Comment 1 Radar WebKit Bug Importer 2020-06-23 07:20:15 PDT
<rdar://problem/64642628>
Comment 2 Darin Adler 2020-06-23 09:59:09 PDT
Proximate cause of the crash is calling positionInParentBeforeNode on nullptr in InsertTextCommand::doApply. Side comment not really about the bug: If positionInParentBeforeNode can’t handle nullptr, then it should take a Node&, not a Node*.
Comment 3 Rob Buis 2021-01-15 07:14:49 PST
Created attachment 417697 [details]
More reduced testcase
Comment 4 Sergio Villar Senin 2021-01-20 09:03:00 PST
(In reply to Darin Adler from comment #2)
> Proximate cause of the crash is calling positionInParentBeforeNode on
> nullptr in InsertTextCommand::doApply. Side comment not really about the
> bug: If positionInParentBeforeNode can’t handle nullptr, then it should take
> a Node&, not a Node*.

That's right. I have inspected the callers and most of them do a null check before calling that method, but there are a few cases (like this one) that do not. We should indeed use a reference instead of a pointer here.
Comment 5 Sergio Villar Senin 2021-02-03 02:21:45 PST
Created attachment 419117 [details]
Patch
Comment 6 Sergio Villar Senin 2021-02-03 02:24:37 PST
Created attachment 419118 [details]
Test case

This is the reduced and polished test case for the bug. I think we should land it later as this seems a security issue.
Comment 7 Ryosuke Niwa 2021-02-03 22:24:40 PST
Comment on attachment 419117 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=419117&action=review

> Source/WebCore/editing/InsertTextCommand.cpp:147
> -        if (endingSelection().isNone())
> +        if (endingSelection().isNoneOrOrphaned())
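Review bot: Checking isNoneOrOrphaned() here papers over the real defect rather than fixing it. After deleteSelection() the ending selection is supposed to stay in the document, so an orphaned Position at this point means some node was removed without the command's ending position being adjusted first. Move the fix to the removal site (adjust with updatePositionForNodeRemoval before removeNode, the way removeNodeUpdatingStates already does) and leave this check as isNone(); separately, make positionInParentBeforeNode take a Node& so the null dereference in the crash stack cannot recur.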

This ain't right. deleteSelection tries to adjust its ending selection so that it stays in the document.
Why are we getting an orphaned selection?
Also, this doesn't seem like a security bug? Please add a test.
r- due to the lack of a test.
Comment 8 Sergio Villar Senin 2021-02-08 07:43:57 PST
Comment on attachment 419117 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=419117&action=review

>> Source/WebCore/editing/InsertTextCommand.cpp:147
>> +        if (endingSelection().isNoneOrOrphaned())
> 
> This ain't right. deleteSelection tries to adjust its ending selection so that it stays in the document.
> Why are we getting an orphaned selection?
> Also, this doesn't seem like a security bug? Please add a test.
> r- due to the lack of a test.

The selection is orphaned because deleting the selection might delete nodes. In particular the selection becomes orphaned in this loop https://webkit-search.igalia.com/webkit/source/Source/WebCore/editing/DeleteSelectionCommand.cpp#602. In the test case I'm attaching, the final document only has a body and no other element.

I didn't upload a test because we were accessing an already deleted node. I thought invalid memory accesses were considered security issues, but I don't mind adding the test to the patch.
Comment 9 Sergio Villar Senin 2021-02-08 07:52:01 PST
Created attachment 419593 [details]
Patch
Comment 10 Sergio Villar Senin 2021-02-08 10:47:40 PST
Created attachment 419604 [details]
Patch
Comment 11 Ryosuke Niwa 2021-02-08 13:44:21 PST
(In reply to Sergio Villar Senin from comment #8)
> Comment on attachment 419117 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=419117&action=review
> 
> >> Source/WebCore/editing/InsertTextCommand.cpp:147
> >> +        if (endingSelection().isNoneOrOrphaned())
> > 
> > This ain't right. deleteSelection tries to adjust its ending selection so that it stays in the document.
> > Why are we getting an orphaned selection?
> > Also, this doesn't seem like a security bug? Please add a test.
> > r- due to the lack of a test.
> 
> The selection is orphaned because deleting the selection might delete nodes.
> In particular the selection becomes orphaned in this loop
> https://webkit-search.igalia.com/webkit/source/Source/WebCore/editing/
> DeleteSelectionCommand.cpp#602. In the test case I'm attaching the final
> document does only have a body and no other element.

That shouldn't be happening. removeNode uses removeNodeUpdatingStates to update the endingSelection.
Comment 12 Sergio Villar Senin 2021-02-09 09:43:50 PST
(In reply to Ryosuke Niwa from comment #11)
> (In reply to Sergio Villar Senin from comment #8)
> > Comment on attachment 419117 [details]
> > Patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=419117&action=review
> > 
> > >> Source/WebCore/editing/InsertTextCommand.cpp:147
> > >> +        if (endingSelection().isNoneOrOrphaned())
> > > 
> > > This ain't right. deleteSelection tries to adjust its ending selection so that it stays in the document.
> > > Why are we getting an orphaned selection?
> > > Also, this doesn't seem like a security bug? Please add a test.
> > > r- due to the lack of a test.
> > 
> > The selection is orphaned because deleting the selection might delete nodes.
> > In particular the selection becomes orphaned in this loop
> > https://webkit-search.igalia.com/webkit/source/Source/WebCore/editing/
> > DeleteSelectionCommand.cpp#602. In the test case I'm attaching the final
> > document does only have a body and no other element.
> 
> That shouldn't be happening. removeNode uses removeNodeUpdatingStates to
> update the endingSelection.

Well I'll try to describe what's going on. I think there is nothing wrong but you're the editing expert here :).

So the deleteSelection() call triggers a node removal:

(lldb) bt 10
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
  * frame #0: 0x00000002feeab53c WebCore`WebCore::RemoveNodeCommand::doApply(this=0x000061200004a2c0) at RemoveNodeCommand.cpp:54:5
    frame #1: 0x00000002fed26e4d WebCore`WebCore::CompositeEditCommand::applyCommandToComposite(this=0x000061600012c080, command=0x00007ffeed945360) at CompositeEditCommand.cpp:466:14
    frame #2: 0x00000002fed22acd WebCore`WebCore::CompositeEditCommand::removeNode(this=0x000061600012c080, node=0x000061100010bd40, shouldAssumeContentIsAlwaysEditable=DoNotAssumeContentIsAlwaysEditable) at CompositeEditCommand.cpp:602:5
    frame #3: 0x00000002fed6844c WebCore`WebCore::DeleteSelectionCommand::removeNodeUpdatingStates(this=0x000061600012c080, node=0x000061100010bd40, shouldAssumeContentIsAlwaysEditable=DoNotAssumeContentIsAlwaysEditable) at DeleteSelectionCommand.cpp:425:27
    frame #4: 0x00000002fed69005 WebCore`WebCore::DeleteSelectionCommand::removeNode(this=0x000061600012c080, node=0x000061100010bd40, shouldAssumeContentIsAlwaysEditable=DoNotAssumeContentIsAlwaysEditable) at DeleteSelectionCommand.cpp:485:5
    frame #5: 0x00000002fed6a4d6 WebCore`WebCore::DeleteSelectionCommand::handleGeneralDelete(this=0x000061600012c080) at DeleteSelectionCommand.cpp:611:17
    frame #6: 0x00000002fed6fe2e WebCore`WebCore::DeleteSelectionCommand::doApply(this=0x000061600012c080) at DeleteSelectionCommand.cpp:939:5
    
That node removal, as you mentioned, triggers a visible selection recalc:

(lldb) bt 10
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 6.1
  * frame #0: 0x00000002fef97a5f WebCore`WebCore::VisibleSelection::setWithoutValidation(this=0x0000613000080c30, anchor=0x00007ffeed944400, focus=0x00007ffeed944420) at VisibleSelection.cpp:434:5
    frame #1: 0x00000002fee0f3b4 WebCore`WebCore::FrameSelection::respondToNodeModification(this=0x0000613000080c00, node=0x000061100010bd40, baseRemoved=true, extentRemoved=false, startRemoved=true, endRemoved=false) at FrameSelection.cpp:541:29
    frame #2: 0x00000002fee0eeb8 WebCore`WebCore::FrameSelection::nodeWillBeRemoved(this=0x0000613000080c00, node=0x000061100010bd40) at FrameSelection.cpp:522:5
    frame #3: 0x00000002fe633467 WebCore`WebCore::Document::nodeWillBeRemoved(this=0x000061f000069080, node=0x000061100010bd40) at Document.cpp:4761:28
    frame #4: 0x00000002fe50d818 WebCore`WebCore::ContainerNode::removeNodeWithScriptAssertion(this=0x000060c0000e5d80, childToRemove=0x000061100010bd40, source=API) at ContainerNode.cpp:159:20
    frame #5: 0x00000002fe50c78e WebCore`WebCore::ContainerNode::removeChild(this=0x000060c0000e5d80, oldChild=0x000061100010bd40) at ContainerNode.cpp:585:10
    frame #6: 0x00000002fe9d18ea WebCore`WebCore::Node::remove(this=0x000061100010bd40) at Node.cpp:642:20
    frame #7: 0x00000002feeab55b WebCore`WebCore::RemoveNodeCommand::doApply(this=0x000061200004a2c0) at RemoveNodeCommand.cpp:54:13
    frame #8: 0x00000002fed26e4d WebCore`WebCore::CompositeEditCommand::applyCommandToComposite(this=0x000061600012c080, command=0x00007ffeed945360) at CompositeEditCommand.cpp:466:14
    frame #9: 0x00000002fed22acd WebCore`WebCore::CompositeEditCommand::removeNode(this=0x000061600012c080, node=0x000061100010bd40, shouldAssumeContentIsAlwaysEditable=DoNotAssumeContentIsAlwaysEditable) at CompositeEditCommand.cpp:602:5

but as can be seen, the code is updating FrameSelection::m_selection. CompositeEditCommand::m_endingSelection is left untouched. So why does the selection become orphaned at that point? Basically because the anchorNode for the start position was removed from the tree by the deleteSelection() call above. So endingSelection().start().isOrphan() becomes true and thus endingSelection().isNoneOrOrphaned() becomes true too.

I guess the question is now, is that behaviour correct, or should editor commands be notified about node removals as frame selection is?
Comment 13 Ryosuke Niwa 2021-02-10 00:50:29 PST
(In reply to Sergio Villar Senin from comment #12)
>
> but as it can be seen the code is updating the FrameSelection::m_selection.
> The CompositeEditCommand::m_endingSelection is left untouched. So why the
> selection becomes orphan at that point? Basically because the anchorNode for
> the start position was removed from the tree by the deleteSelection() call
> above. So endingSelection().start().isOrphan() becomes true and thus
> endingSelection.isNoneOrOrphaned() becomes true too.
> 
> I guess the question is now, is that behaviour correct, or should editor
> commands be notified about node removals as frame selection is?

No, DeleteSelectionCommand::removeNode is supposed to be updating m_endingPosition not to be orphaned prior to deleting the node. See its definition:

void DeleteSelectionCommand::removeNodeUpdatingStates(Node& node, ShouldAssumeContentIsAlwaysEditable shouldAssumeContentIsAlwaysEditable)
{
    if (&node == m_startBlock && !isEndOfBlock(VisiblePosition(firstPositionInNode(m_startBlock.get())).previous()))
        m_needPlaceholder = true;
    else if (&node == m_endBlock && !isStartOfBlock(VisiblePosition(lastPositionInNode(m_startBlock.get())).next()))
        m_needPlaceholder = true;
    
    // FIXME: Update the endpoints of the range being deleted.
    updatePositionForNodeRemoval(m_endingPosition, node); // <- This is supposed to be adjusting m_endingPosition
    updatePositionForNodeRemoval(m_leadingWhitespace, node);
    updatePositionForNodeRemoval(m_trailingWhitespace, node);
    
    CompositeEditCommand::removeNode(node, shouldAssumeContentIsAlwaysEditable);
}
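Editor's added example, not WebKit source and not part of any patch in this bug: a minimal C++ model of the invariant discussed in comments 12 and 13. The names Node, Position, positionInParentBeforeNode and updatePositionForNodeRemoval mirror the identifiers quoted in this thread, but their bodies here are simplified assumptions; the inDocument flag, isDescendantOrSelf and the two demo functions are invented for the illustration. It shows why a raw removeNode() leaves the command's ending position orphaned, why adjusting the position before the removal keeps it anchored in the document, and how giving positionInParentBeforeNode a Node& parameter (comment 2) turns the null dereference from the crash stack into a compile-time error.

```cpp
#include <cassert>
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

struct Node {
    Node* parent = nullptr;
    bool inDocument = true;  // assumed flag: cleared for the whole subtree on removal
    std::vector<std::unique_ptr<Node>> children;

    Node* appendChild() {
        children.push_back(std::make_unique<Node>());
        children.back()->parent = this;
        return children.back().get();
    }

    int indexOf(const Node* child) const {
        for (std::size_t i = 0; i < children.size(); ++i)
            if (children[i].get() == child) return static_cast<int>(i);
        return -1;
    }

    // Detach `child`. The caller keeps the returned subtree alive so a Position
    // still anchored in it can be inspected; in the engine the anchor may
    // already have been destroyed by the time the orphaned position is used.
    std::unique_ptr<Node> removeChild(Node* child) {
        int index = indexOf(child);
        assert(index >= 0);
        std::unique_ptr<Node> removed = std::move(children[index]);
        children.erase(children.begin() + index);
        removed->parent = nullptr;
        markRemoved(*removed);
        return removed;
    }

private:
    static void markRemoved(Node& node) {
        node.inDocument = false;
        for (auto& child : node.children) markRemoved(*child);
    }
};

// Anchor node plus child offset, like an editing Position.
struct Position {
    Node* anchor = nullptr;
    int offset = 0;
    bool isOrphan() const { return anchor && !anchor->inDocument; }
};

// Node& rather than Node*, as comment 2 suggests: a null argument is a compile
// error instead of the runtime null dereference seen in the crash.
static Position positionInParentBeforeNode(const Node& node) {
    if (!node.parent) return Position{};
    return Position{node.parent, node.parent->indexOf(&node)};
}

static bool isDescendantOrSelf(const Node* candidate, const Node& ancestor) {
    for (const Node* n = candidate; n; n = n->parent)
        if (n == &ancestor) return true;
    return false;
}

// Must run BEFORE `node` leaves the tree, as removeNodeUpdatingStates does for
// m_endingPosition in comment 13.
static void updatePositionForNodeRemoval(Position& position, const Node& node) {
    if (!position.anchor) return;
    if (isDescendantOrSelf(position.anchor, node)) {
        position = positionInParentBeforeNode(node);  // hoist out of the doomed subtree
        return;
    }
    if (position.anchor == node.parent && position.offset > node.parent->indexOf(&node))
        --position.offset;  // a later-sibling offset shifts left by one
}

// The thread's scenario: the ending position sits in a table's only row and the
// table is deleted. updateFirst=false is the bug pattern (raw removeNode), true is the fix.
bool endingPositionSurvivesTableRemoval(bool updateFirst) {
    Node body;
    Node* table = body.appendChild();
    Node* row = table->appendChild();
    Position ending{row, 0};
    if (updateFirst) updatePositionForNodeRemoval(ending, *table);
    std::unique_ptr<Node> detached = body.removeChild(table);
    return !ending.isOrphan() && ending.anchor == &body && detached.get() == table;
}

// Sibling case: a position after the removed node keeps pointing at the same
// following sibling once its offset is shifted.
bool laterSiblingOffsetShifted() {
    Node body;
    Node* first = body.appendChild();
    body.appendChild();
    Node* last = body.appendChild();
    Position beforeLast{&body, 2};
    updatePositionForNodeRemoval(beforeLast, *first);
    std::unique_ptr<Node> detached = body.removeChild(first);
    return beforeLast.offset == 1 && body.children[1].get() == last && detached.get() == first;
}
```

Compile with a C++14 or later compiler (for example clang++ -std=c++17). endingPositionSurvivesTableRemoval(false) returns false because the ending position is left anchored in the detached table row, exactly the state that made isNoneOrOrphaned() true in the first patch; with the adjustment done first it returns true, and the sibling check returns true as well.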
Comment 14 Sergio Villar Senin 2021-02-10 12:09:58 PST
Created attachment 419885 [details]
Patch
Comment 15 Sergio Villar Senin 2021-02-10 12:12:36 PST
Thanks for the good pointers, Ryosuke. I think we're now going in the right direction, because I can now explain why the test required a table with an empty row to reproduce the crash.

There are 2 other raw calls to CompositeEditCommand::removeNode() in the same method. We'd likely want to replace them as well, but the test case was not catching them.
Comment 16 Ryosuke Niwa 2021-02-10 18:28:26 PST
Comment on attachment 419885 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=419885&action=review

> LayoutTests/ChangeLog:9
> +        * editing/selection/insert-in-orphaned-selection-crash-expected.txt: Added.
> +        * editing/selection/insert-in-orphaned-selection-crash.html: Added.

Please put this under editing/deleting.

> LayoutTests/editing/selection/insert-in-orphaned-selection-crash-expected.txt:1
> +CONSOLE MESSAGE: NotFoundError: The object can not be found here.

Can we spit out some text at the end, like this?
PASS. WebKit didn't crash.
Comment 17 Ryosuke Niwa 2021-02-10 18:28:54 PST
I don't think there is any security implication here.
Comment 18 Sergio Villar Senin 2021-02-11 00:57:02 PST
Comment on attachment 419885 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=419885&action=review

>> LayoutTests/ChangeLog:9
>> +        * editing/selection/insert-in-orphaned-selection-crash.html: Added.
> 
> Please put this under editing/deleting.

OK

>> LayoutTests/editing/selection/insert-in-orphaned-selection-crash-expected.txt:1
>> +CONSOLE MESSAGE: NotFoundError: The object can not be found here.
> 
> Can we spit out some text at the end of like this?
> PASS. WebKit didn't crash.

I tried but the problem is that the test selects and deletes all the nodes of the sample. I can try to inject some test after the deletion happens.
Comment 19 Ryosuke Niwa 2021-02-11 01:11:08 PST
(In reply to Sergio Villar Senin from comment #18)
> Comment on attachment 419885 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=419885&action=review
> 
> >> LayoutTests/ChangeLog:9
> >> +        * editing/selection/insert-in-orphaned-selection-crash.html: Added.
> > 
> > Please put this under editing/deleting.
> 
> OK
> 
> >> LayoutTests/editing/selection/insert-in-orphaned-selection-crash-expected.txt:1
> >> +CONSOLE MESSAGE: NotFoundError: The object can not be found here.
> > 
> > Can we spit out some text at the end of like this?
> > PASS. WebKit didn't crash.
> 
> I tried but the problem is that the test selects and deletes all the nodes
> of the sample. I can try to inject some test after the deletion happens.

Yes, you can call waitUntilDone and just do: document.open/document.write to start afresh!
Comment 20 Sergio Villar Senin 2021-02-11 05:10:05 PST
Created attachment 419977 [details]
Patch for landing
Comment 21 Sergio Villar Senin 2021-02-11 05:48:39 PST
(In reply to Ryosuke Niwa from comment #19)
> (In reply to Sergio Villar Senin from comment #18)
> > Comment on attachment 419885 [details]
> > Patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=419885&action=review
> > 
> > >> LayoutTests/ChangeLog:9
> > >> +        * editing/selection/insert-in-orphaned-selection-crash.html: Added.
> > > 
> > > Please put this under editing/deleting.
> > 
> > OK
> > 
> > >> LayoutTests/editing/selection/insert-in-orphaned-selection-crash-expected.txt:1
> > >> +CONSOLE MESSAGE: NotFoundError: The object can not be found here.
> > > 
> > > Can we spit out some text at the end of like this?
> > > PASS. WebKit didn't crash.
> > 
> > I tried but the problem is that the test selects and deletes all the nodes
> > of the sample. I can try to inject some test after the deletion happens.
> 
> Yes, you can call waitUntilDone and just do: document.open/document.write to
> start afresh!

Ah that's a good suggestion. I ended up doing a console.log(), would you like me to replace it?
Comment 22 Ryosuke Niwa 2021-02-12 01:32:07 PST
(In reply to Sergio Villar Senin from comment #21)
> (In reply to Ryosuke Niwa from comment #19)
> > (In reply to Sergio Villar Senin from comment #18)
> > > Comment on attachment 419885 [details]
> > > Patch
> > > 
> > > View in context:
> > > https://bugs.webkit.org/attachment.cgi?id=419885&action=review
> > > 
> > > >> LayoutTests/ChangeLog:9
> > > >> +        * editing/selection/insert-in-orphaned-selection-crash.html: Added.
> > > > 
> > > > Please put this under editing/deleting.
> > > 
> > > OK
> > > 
> > > >> LayoutTests/editing/selection/insert-in-orphaned-selection-crash-expected.txt:1
> > > >> +CONSOLE MESSAGE: NotFoundError: The object can not be found here.
> > > > 
> > > > Can we spit out some text at the end of like this?
> > > > PASS. WebKit didn't crash.
> > > 
> > > I tried but the problem is that the test selects and deletes all the nodes
> > > of the sample. I can try to inject some test after the deletion happens.
> > 
> > Yes, you can call waitUntilDone and just do: document.open/document.write to
> > start afresh!
> 
> Ah that's a good suggestion. I ended up doing a console.log(), would you
> like me to replace it?

console.log is okay too.
Comment 23 Sergio Villar Senin 2021-02-12 03:29:40 PST
Committed r272779: <https://commits.webkit.org/r272779>