Bug 222670 - Crash in RenderListItem::computeMarkerStyle
Summary: Crash in RenderListItem::computeMarkerStyle
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Rob Buis
Keywords: InRadar
Reported: 2021-03-03 11:22 PST by Ali Juma
Modified: 2021-03-28 22:52 PDT
CC List: 14 users

Attachments
Minimal test case (488 bytes, application/xhtml+xml)
2021-03-03 11:22 PST, Ali Juma
no flags
Patch (3.67 KB, patch)
2021-03-25 04:00 PDT, Rob Buis
no flags

Description Ali Juma 2021-03-03 11:22:54 PST
Created attachment 422127
Minimal test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

This also reproduces as a crash in STP 121.

Stacks:
=================================================================
==84974==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000624e180f2 bp 0x7ffeeb5ea370 sp 0x7ffeeb5ea360 T0)
==84974==The signal is caused by a READ memory access.
==84974==Hint: address points to the zero page.
==84974==WARNING: invalid path to external symbolizer!
==84974==WARNING: Failed to use and restart external symbolizer!
    #0 0x624e180f1 in WTF::Ref<WebCore::StyleBoxData, WTF::RawPtrTraits<WebCore::StyleBoxData> >::copyRef() const & (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x551a0f1)
    #1 0x624e180c8 in WTF::DataRef<WebCore::StyleBoxData>::DataRef(WTF::DataRef<WebCore::StyleBoxData> const&) (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x551a0c8)
    #2 0x624e17f1e in WebCore::RenderStyle::RenderStyle(WebCore::RenderStyle const&, WebCore::RenderStyle::CloneTag) (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5519f1e)
    #3 0x624dfab7f in WebCore::RenderStyle::clone(WebCore::RenderStyle const&) (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x54fcb7f)
    #4 0x624c0a903 in WebCore::RenderListItem::computeMarkerStyle() const (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x530c903)
    #5 0x624f11e35 in WebCore::RenderTreeBuilder::List::updateItemMarker(WebCore::RenderListItem&) (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5613e35)
    #6 0x624f03493 in WebCore::RenderTreeBuilder::updateAfterDescendants(WebCore::RenderElement&) (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5605493)
    #7 0x624f229ae in WebCore::RenderTreeUpdater::updateAfterDescendants(WebCore::Element&, WebCore::Style::ElementUpdates const*) (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x56249ae)
    #8 0x624f22937 in WebCore::RenderTreeUpdater::popParent() (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5624937)
    #9 0x624f21ae7 in WebCore::RenderTreeUpdater::popParentsToDepth(unsigned int) (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5623ae7)
    #10 0x624f218f7 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x56238f7)
    #11 0x624f20e3f in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5622e3f)
    #12 0x622e1b5d2 in WebCore::Document::updateRenderTree(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x351d5d2)
    #13 0x622e1bd0a in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x351dd0a)
    #14 0x622e1cbab in WebCore::Document::updateStyleIfNeeded() (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x351ebab)
    #15 0x622e2522b in WebCore::Document::implicitClose() (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x352722b)
    #16 0x623ca1cd2 in WebCore::FrameLoader::checkCompleted() (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x43a3cd2)
    #17 0x623c9e2c0 in WebCore::FrameLoader::finishedParsing() (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x43a02c0)
    #18 0x622e441f2 in WebCore::Document::finishedParsing() (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x35461f2)
    #19 0x6256e9fef in WebCore::XMLDocumentParser::finish() (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5debfef)
    #20 0x623c6f8c0 in WebCore::DocumentWriter::end() (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x43718c0)
    #21 0x623c20a6c in WebCore::DocumentLoader::finishedLoading() (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4322a6c)
    #22 0x623c203e9 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&) (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x43223e9)
    #23 0x623dde41f in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x44e041f)
    #24 0x623dda2db in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x44dc2db)
    #25 0x623d559e7 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/ajuma/Downloads/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x44579e7)
    #26 0x612119866 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/ajuma/Downloads/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2119866)
    #27 0x6127e7ec6 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/ajuma/Downloads/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x27e7ec6)
    #28 0x6127e74d3 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/ajuma/Downloads/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x27e74d3)
    #29 0x6120d9faa in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/ajuma/Downloads/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x20d9faa)
    #30 0x61008c8c9 in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/ajuma/Downloads/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8c8c9)
    #31 0x61008d326 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/ajuma/Downloads/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8d326)
    #32 0x61008deeb in IPC::Connection::dispatchOneIncomingMessage() (/Users/ajuma/Downloads/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8deeb)
    #33 0x63f13a1ac in WTF::RunLoop::performWork() (/Users/ajuma/Downloads/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xcb1ac)
    #34 0x63f13d6f5 in WTF::RunLoop::performWork(void*) (/Users/ajuma/Downloads/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xce6f5)
    #35 0x7fff3651fd51 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83d51)
    #36 0x7fff3651fcf0 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83cf0)
    #37 0x7fff3651fb0a in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x83b0a)
    #38 0x7fff3651e839 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x82839)
    #39 0x7fff3651de3d in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x81e3d)
    #40 0x7fff38bb91d7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x601d7)
    #41 0x7fff38c6bc7e in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x112c7e)
    #42 0x7fff708544e9 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x164e9)
    #43 0x7fff7085442f in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1642f)
    #44 0x7fff70853f62 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x15f62)
    #45 0x610ea8f59 in WebKit::XPCServiceMain(int, char const**) (/Users/ajuma/Downloads/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0xea8f59)
    #46 0x7fff70606cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)

==84974==Register values:
rax = 0x0000000000000000  rbx = 0x00007ffeeb5ea5e0  rcx = 0x0000100000000000  rdx = 0x0000000000000000
rdi = 0x00007ffeeb5ea5e0  rsi = 0x0000000000000000  rbp = 0x00007ffeeb5ea370  rsp = 0x00007ffeeb5ea360
 r8 = 0x0000612000053637   r9 = 0x00000fffffffffff  r10 = 0x0000000000000000  r11 = 0x0000000000000108
r12 = 0x00001fffdd6bd47c  r13 = 0x00006120000535c0  r14 = 0x0000000000000000  r15 = 0x0000100000000000
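The ASan header and the top frames above are what a fuzzer-triage script looks at first. As an added example (not part of this bug report or of WebKit), the following Python parses the report excerpt quoted here, classifies the fault (a read from the zero page is a null-pointer dereference, which is a crash rather than a memory-corruption primitive), and builds a bucket key from the top frames so duplicate fuzzer crashes collapse together. It goes beyond this report by also handling a wild-address write; that second sample report is constructed, and the symbol-shortening and "first frame outside WTF::/std::" heuristics are this example's own assumptions, not a WebKit convention.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Header: ==PID==ERROR: AddressSanitizer: SEGV on unknown address 0x... (pc 0x... ...)
SEGV_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: SEGV on unknown address "
    r"0x(?P<addr>[0-9a-f]+) \(pc 0x(?P<pc>[0-9a-f]+)"
)
ACCESS_RE = re.compile(
    r"==\d+==The signal is caused by a (?P<access>READ|WRITE|UNKNOWN) memory access"
)
# Frame: "    #0 0x624e180f1 in <symbol> (<module+offset>)"; the last parenthesised
# group with no nested parens is the location, everything before it is the symbol.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<sym>.+) \(([^()]*)\)\s*$")
TEMPLATE_RE = re.compile(r"<[^<>]*>")

# Assumption of this example: smart-pointer and STL frames are wrappers, not the
# code to blame, so the first frame outside these namespaces is reported.
WRAPPER_PREFIXES = ("WTF::", "std::")


@dataclass
class SegvReport:
    pid: int
    fault_addr: int
    pc: int
    access: str
    frames: List[Tuple[int, str]] = field(default_factory=list)

    @property
    def is_null_deref(self) -> bool:
        # The zero page is the first 4 KiB; a fault there is a null (or null+offset) deref.
        return self.fault_addr < 0x1000


def parse_asan_segv(text: str) -> SegvReport:
    """Extract pid, fault address, pc, access type and stack frames from an ASan SEGV report."""
    pid = addr = pc = None
    access = "UNKNOWN"
    frames: List[Tuple[int, str]] = []
    for line in text.splitlines():
        m = SEGV_RE.search(line)
        if m:
            pid, addr, pc = int(m["pid"]), int(m["addr"], 16), int(m["pc"], 16)
            continue
        m = ACCESS_RE.search(line)
        if m:
            access = m["access"]
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m["n"]), m["sym"]))
    if pid is None:
        raise ValueError("no AddressSanitizer SEGV header found")
    return SegvReport(pid, addr, pc, access, frames)


def short_symbol(sym: str) -> str:
    """Reduce a C++ symbol to its qualified name: drop the parameter list and template args."""
    name = sym.split("(", 1)[0]
    prev = None
    while prev != name:  # peel nested template arguments from the inside out
        prev, name = name, TEMPLATE_RE.sub("", name)
    return name.strip()


def classify(report: SegvReport) -> str:
    """Coarse exploitability bucket: null deref is a crash, a wild access needs a closer look."""
    if report.is_null_deref:
        return "null-deref"
    return "wild-read" if report.access == "READ" else "wild-write"


def blame_frame(report: SegvReport) -> Optional[str]:
    """First frame that is not a WTF::/std:: wrapper (heuristic, see WRAPPER_PREFIXES)."""
    for _, sym in report.frames:
        name = short_symbol(sym)
        if not name.startswith(WRAPPER_PREFIXES):
            return name
    return None


def bucket_key(report: SegvReport, depth: int = 3) -> str:
    """Key for de-duplicating fuzzer crashes: class, access type and the top frames."""
    top = [short_symbol(sym) for _, sym in report.frames[:depth]]
    return f"{classify(report)}|{report.access}|" + ">".join(top)


# Excerpt of the report from this bug, trimmed to the header and the top five frames.
SAMPLE = """\
==84974==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000624e180f2 bp 0x7ffeeb5ea370 sp 0x7ffeeb5ea360 T0)
==84974==The signal is caused by a READ memory access.
==84974==Hint: address points to the zero page.
    #0 0x624e180f1 in WTF::Ref<WebCore::StyleBoxData, WTF::RawPtrTraits<WebCore::StyleBoxData> >::copyRef() const & (WebCore:x86_64+0x551a0f1)
    #1 0x624e180c8 in WTF::DataRef<WebCore::StyleBoxData>::DataRef(WTF::DataRef<WebCore::StyleBoxData> const&) (WebCore:x86_64+0x551a0c8)
    #2 0x624e17f1e in WebCore::RenderStyle::RenderStyle(WebCore::RenderStyle const&, WebCore::RenderStyle::CloneTag) (WebCore:x86_64+0x5519f1e)
    #3 0x624dfab7f in WebCore::RenderStyle::clone(WebCore::RenderStyle const&) (WebCore:x86_64+0x54fcb7f)
    #4 0x624c0a903 in WebCore::RenderListItem::computeMarkerStyle() const (WebCore:x86_64+0x530c903)
"""

# Constructed second report (not from this bug): a write to a non-zero-page address.
SAMPLE_WILD_WRITE = """\
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x00007f3a12340000 (pc 0x000000401234 bp 0x7ffd0000 sp 0x7ffd0000 T0)
==4242==The signal is caused by a WRITE memory access.
    #0 0x401234 in Example::Widget::store(unsigned long) (example:x86_64+0x1234)
"""

if __name__ == "__main__":
    for text in (SAMPLE, SAMPLE_WILD_WRITE):
        r = parse_asan_segv(text)
        print(f"pid={r.pid} class={classify(r)} blame={blame_frame(r)} key={bucket_key(r)}")
```

A null-page read such as this one is bucketed as a reliability bug first; the blame frame and bucket key are what you file or search on, while the fault class decides whether the crash goes to the front of the queue.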
Comment 1 Radar WebKit Bug Importer 2021-03-03 11:23:06 PST
<rdar://problem/74994617>
Comment 2 Ryosuke Niwa 2021-03-16 16:19:52 PDT
I can't reproduce this crash on trunk. Maybe a duplicate of the bug 223196.
Comment 3 Rob Buis 2021-03-17 09:49:45 PDT
(In reply to Ryosuke Niwa from comment #2)
> I can't reproduce this crash on trunk. Maybe a duplicate of the bug 223196.

This is still easy to repro on current GTK builds.
Comment 4 zalan 2021-03-17 10:52:56 PDT
https://trac.webkit.org/changeset/269774/webkit looks like a strong candidate.
Comment 5 Ryosuke Niwa 2021-03-17 18:04:02 PDT
(In reply to Rob Buis from comment #3)
> (In reply to Ryosuke Niwa from comment #2)
> > I can't reproduce this crash on trunk. Maybe a duplicate of the bug 223196.
> 
> This is still easy to repro on current GTK builds.

Yeah, it looks like this bug requires full Safari, not WebKitTestRunner/DumpRenderTree. With that, I can reproduce this.
Comment 6 Rob Buis 2021-03-25 04:00:09 PDT
Created attachment 424232
Patch
Comment 7 EWS 2021-03-26 03:16:54 PDT
Committed r275087: <https://commits.webkit.org/r275087>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 424232.