223539 – Crash in RenderBlock::addOverflowFromChildren

RESOLVED FIXED Bug 223539

Crash in RenderBlock::addOverflowFromChildren

https://bugs.webkit.org/show_bug.cgi?id=223539

Summary Crash in RenderBlock::addOverflowFromChildren

Ali Juma

Reported 2021-03-19 14:22:28 PDT

Created attachment 423778 [details] Minimal test case Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug. This reproduces in an ASan build of WebKitTestRunner, and also crashes in STP 122. Stack: ================================================================= ==62931==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00078565bafd bp 0x7ffeef117c90 sp 0x7ffeef117c90 T0) ==62931==The signal is caused by a READ memory access. ==62931==Hint: address points to the zero page. ==62931==WARNING: invalid path to external symbolizer! ==62931==WARNING: Failed to use and restart external symbolizer! #0 0x78565bafc in WTF::VectorBufferBase<WebCore::LayoutIntegration::Line, WTF::FastMalloc>::buffer() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x38eeafc) #1 0x785f43885 in WebCore::LayoutIntegration::LineLayout::collectOverflow() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x41d6885) #2 0x786d47e54 in WebCore::RenderBlock::addOverflowFromChildren() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fdae54) #3 0x786d4811c in WebCore::RenderBlock::computeOverflow(WebCore::LayoutUnit, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fdb11c) #4 0x786d8d653 in WebCore::RenderBlockFlow::computeOverflow(WebCore::LayoutUnit, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5020653) #5 0x787207917 in WebCore::RenderSVGBlock::computeOverflow(WebCore::LayoutUnit, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x549a917) #6 0x786d76ea7 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5009ea7) #7 0x786d47674 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fda674) #8 0x78720b560 in WebCore::RenderSVGForeignObject::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x549e560) #9 0x78728a812 in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement&, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x551d812) #10 0x78724d016 in WebCore::RenderSVGRoot::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x54e0016) #11 0x786c7f895 in WebCore::ComplexLineLayout::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4f12895) #12 0x786d781af in WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500b1af) #13 0x786d7685e in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500985e) #14 0x786d47674 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fda674) #15 0x786d7b970 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500e970) #16 0x786d784ed in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500b4ed) #17 0x786d76869 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5009869) #18 0x786d47674 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fda674) #19 0x786d7b970 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500e970) #20 0x786d784ed in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500b4ed) #21 0x786d76869 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5009869) #22 0x786d47674 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fda674) #23 0x786d7b970 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500e970) #24 0x786d784ed in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500b4ed) #25 0x786d76869 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5009869) #26 0x786d47674 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fda674) #27 0x7870de60a in WebCore::RenderView::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x537160a) #28 0x7862c1299 in WebCore::FrameViewLayoutContext::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4554299) #29 0x7851e3af6 in WebCore::Document::implicitClose() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3476af6) #30 0x78604ebb2 in WebCore::FrameLoader::checkCompleted() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42e1bb2) #31 0x78604b1a0 in WebCore::FrameLoader::finishedParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42de1a0) #32 0x785202822 in WebCore::Document::finishedParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3495822) #33 0x785b1383a in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3da683a) #34 0x78601c7e0 in WebCore::DocumentWriter::end() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42af7e0) #35 0x785fcda2c in WebCore::DocumentLoader::finishedLoading() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4260a2c) #36 0x785fcd3a9 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42603a9) #37 0x78618c7ef in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x441f7ef) #38 0x7861886ab in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x441b6ab) #39 0x786103f07 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4396f07) #40 0x102c435c6 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x21535c6) #41 0x103300e46 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2810e46) #42 0x103300453 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2810453) #43 0x102c04a4a in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2114a4a) #44 0x100b7c399 in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8c399) #45 0x100b7cdf6 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8cdf6) #46 0x100b7d9bb in IPC::Connection::dispatchOneIncomingMessage() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8d9bb) #47 0x79fc6b2ec in WTF::RunLoop::performWork() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xce2ec) #48 0x79fc6e995 in WTF::RunLoop::performWork(void*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xd1995) #49 0x7fff35d39883 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84883) #50 0x7fff35d39822 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84822) #51 0x7fff35d3963c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x8463c) #52 0x7fff35d38358 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x83358) #53 0x7fff35d37952 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x82952) #54 0x7fff383f51c7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x601c7) #55 0x7fff384a7c6e in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x112c6e) #56 0x7fff6ff144e9 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x164e9) #57 0x7fff6ff1442f in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1642f) #58 0x7fff6ff13f62 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x15f62) #59 0x1019e6923 in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0xef6923) #60 0x7fff6fcc2cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8) ==62931==Register values: rax = 0x0000000000000003 rbx = 0x00007ffeef117d00 rcx = 0x0000100000000003 rdx = 0x0000100000000000 rdi = 0x0000000000000018 rsi = 0x0000000781de3880 rbp = 0x00007ffeef117c90 rsp = 0x00007ffeef117c90 r8 = 0x0000100000000000 r9 = 0x0000000000000000 r10 = 0xffffffffffffffff r11 = 0x00000fffffffffff r12 = 0x0000000000000000 r13 = 0x00001fffdde22f94 r14 = 0x0000000000000018 r15 = 0x00007ffeef117dc0 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x38eeafc) in WTF::VectorBufferBase<WebCore::LayoutIntegration::Line, WTF::FastMalloc>::buffer() const

Attachments
Minimal test case (499 bytes, text/html) 2021-03-19 14:22 PDT, Ali Juma	no flags	Details
Patch (5.95 KB, patch) 2021-04-07 06:54 PDT, Frédéric Wang (:fredw)	ews-feeder: commit-queue-	Details Formatted Diff Diff
Patch (20.33 KB, patch) 2021-04-12 05:05 PDT, Frédéric Wang (:fredw)	no flags	Details Formatted Diff Diff
Patch (20.33 KB, patch) 2021-04-12 07:07 PDT, Frédéric Wang (:fredw)	no flags	Details Formatted Diff Diff
Patch (9.52 KB, patch) 2021-04-13 04:43 PDT, Frédéric Wang (:fredw)	rniwa: review+ ews-feeder: commit-queue-	Details Formatted Diff Diff
Patch for landing (10.74 KB, patch) 2021-04-14 00:35 PDT, Frédéric Wang (:fredw)	no flags	Details Formatted Diff Diff
Patch for landing (11.31 KB, patch) 2021-04-14 02:00 PDT, Frédéric Wang (:fredw)	no flags	Details Formatted Diff Diff
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2021-03-19 14:22:38 PDT

<rdar://problem/75636310>

Frédéric Wang (:fredw)

Comment 2 2021-04-07 06:25:33 PDT

In release mode, we are dereferencing a nullptr inlineContent() here: https://webkit-search.igalia.com/webkit/source/Source/WebCore/layout/integration/LayoutIntegrationLineLayout.cpp#345 In debug mode, we are actually first hitting the following assertion failure: ASSERTION FAILED: formattingContextRoot.establishesInlineFormattingContext() ../../Source/WebCore/layout/LayoutState.cpp(162) Debugging a bit, we arrive at a weird state where there is no in-flow child. Also, the inner <svg> has a RenderSVGViewportContainer renderer, not an RenderSVGRoot: (rr) up (rr) https://webkit-search.igalia.com/webkit/rev/c981d4cdcc3401f39ce3157655e0fe7c78afeb0d/Source/WebCore/layout/LayoutState.cpp#162 (rr) bt #0 0x00007f393ddd19d3 in WebCore::Layout::LayoutState::ensureInlineFormattingState(WebCore::Layout::ContainerBox const&) at ../../Source/WebCore/layout/LayoutState.cpp:162 #1 0x00007f393c653e3e in WebCore::LayoutIntegration::LineLayout::LineLayout(WebCore::RenderBlockFlow&) at ../../Source/WebCore/layout/integration/LayoutIntegrationLineLayout.cpp:64 #2 0x00007f393cfb3663 in std::make_unique<WebCore::LayoutIntegration::LineLayout, WebCore::RenderBlockFlow&>(WebCore::RenderBlockFlow&) () at /usr/include/c++/10.2.0/bits/unique_ptr.h:962 #3 0x00007f393cfad794 in WTF::makeUnique<WebCore::LayoutIntegration::LineLayout, WebCore::RenderBlockFlow&>(WebCore::RenderBlockFlow&) () at WTF/Headers/wtf/StdLibExtras.h:507 #4 0x00007f393cfa1efb in WebCore::RenderBlockFlow::layoutModernLines(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:3661 #5 0x00007f393cf935e9 in WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:696 #6 0x00007f393cf92985 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:523 #7 0x00007f393cf811ff in WebCore::RenderBlock::layout() at ../../Source/WebCore/rendering/RenderBlock.cpp:598 #8 0x00007f393d29c6d8 in WebCore::RenderSVGForeignObject::layout() at ../../Source/WebCore/rendering/svg/RenderSVGForeignObject.cpp:168 (rr) p formattingContextRoot.firstInFlowChild() $1 = (const WebCore::Layout::Box *) 0x0 (rr) up (rr) (rr) (rr) https://webkit-search.igalia.com/webkit/rev/c981d4cdcc3401f39ce3157655e0fe7c78afeb0d/Source/WebCore/rendering/RenderBlockFlow.cpp#3661 (rr) p showRenderTree(this) (B)lock/(I)nline/I(N)line-block, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, hasLayer(S)crollableArea, (C)omposited, (+)Dirty style, (+)Dirty layout B---YGLS- -+ RenderView at (0,0) size 785x0 renderer->(0x7f5d1ff79270) layout->[normal child] B-----LS- -+ HTML RenderBlock at (0,0) size 785x0 renderer->(0x7f5d1ff796e0) node->(0x7f5d1ff7bac0) layout->[self][normal child] B-------- -+ BODY RenderBody at (0,8) size 769x0 renderer->(0x7f5d1ff79800) node->(0x7f5d1ff7bbe0) layout->[self][normal child] B-------- -+ DIV RenderBlock at (0,0) size 769x0 renderer->(0x7f5d1ff6c4e0) node->(0x7f5d1ff7bc70) layout->[self][normal child] I-------- -+ svg RenderSVGRoot at (0,0) size 300x150 renderer->(0x7f5d1ff6c600) node->(0x7f5d1ff6c010) layout->[self][normal child] B-------- -+* foreignObject RenderSVGForeignObject at (0,0) size 0x0 renderer->(0x7f5d1ff6c7e0) node->(0x7f5d1ff6c1a0) layout->[self][normal child] I-------- -+ svg RenderSVGViewportContainer renderer->(0x7f5d1ff6c980) node->(0x7f5d1ff6c2e0) layout->[self] $2 = void This RenderSVGViewportContainer is created because the rule "we're living in a shadow tree" wins over the rule "we're a direct child of a <foreignObject> element" here: https://webkit-search.igalia.com/webkit/rev/c981d4cdcc3401f39ce3157655e0fe7c78afeb0d/Source/WebCore/svg/SVGElement.cpp#203 Tweaking the order of rules, this addresses the debug/release issue. I'll prepare a patch with a test. I'm not sure whether the "we're a <svg> element that got created as replacement for a <symbol> element or a cloned <svg> element in the referenced tree" assumption is always true though.

Frédéric Wang (:fredw)

Comment 3 2021-04-07 06:54:31 PDT

Created attachment 425390 [details] Patch

Ryosuke Niwa

Comment 4 2021-04-07 16:43:05 PDT

Comment on attachment 425390 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=425390&action=review > Source/WebCore/svg/SVGElement.cpp:216 > + if (isInShadowTree() && is<SVGElement>(parentOrShadowHostElement())) This looks wrong. This isn't necessarily true if we're in a shadow tree created by scripts as is the case in this test case. We should be checking whether we're inside a shadow tree of an use element or not.

Frédéric Wang (:fredw)

Comment 5 2021-04-08 00:29:15 PDT

Comment on attachment 425390 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=425390&action=review >> Source/WebCore/svg/SVGElement.cpp:216 >> + if (isInShadowTree() && is<SVGElement>(parentOrShadowHostElement())) > > This looks wrong. > This isn't necessarily true if we're in a shadow tree created by scripts as is the case in this test case. > We should be checking whether we're inside a shadow tree of an use element or not. Right, that's what I meant a the end of comment 2. But that said this was already there before the patch and I didn't want to modify this too much. @Niko: I think you originally added this code. Can you please check whether it still makes sense?

Nikolas Zimmermann

Comment 6 2021-04-10 14:54:11 PDT

(In reply to Ryosuke Niwa from comment #4) > Comment on attachment 425390 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=425390&action=review > > > Source/WebCore/svg/SVGElement.cpp:216 > > + if (isInShadowTree() && is<SVGElement>(parentOrShadowHostElement())) > > This looks wrong. > This isn't necessarily true if we're in a shadow tree created by scripts as > is the case in this test case. > We should be checking whether we're inside a shadow tree of an use element > or not. Agreed -- that condition seems is what we aim for. I'd propose to change it together with the security fix in one patch.

Frédéric Wang (:fredw)

Comment 7 2021-04-12 05:05:33 PDT

Created attachment 425733 [details] Patch

Frédéric Wang (:fredw)

Comment 8 2021-04-12 05:05:56 PDT

Comment on attachment 425390 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=425390&action=review >>>> Source/WebCore/svg/SVGElement.cpp:216 >>>> + if (isInShadowTree() && is<SVGElement>(parentOrShadowHostElement())) >>> >>> This looks wrong. >>> This isn't necessarily true if we're in a shadow tree created by scripts as is the case in this test case. >>> We should be checking whether we're inside a shadow tree of an use element or not. >> >> Right, that's what I meant a the end of comment 2. But that said this was already there before the patch and I didn't want to modify this too much. >> >> @Niko: I think you originally added this code. Can you please check whether it still makes sense? > > Agreed -- that condition seems is what we aim for. > I'd propose to change it together with the security fix in one patch. Thanks, I tried something in the latest version.

Frédéric Wang (:fredw)

Comment 9 2021-04-12 07:07:25 PDT

Created attachment 425742 [details] Patch

Ryosuke Niwa

Comment 10 2021-04-12 23:25:50 PDT

Comment on attachment 425742 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=425742&action=review > LayoutTests/svg/outermost-svg-root.html:1 > +<!DOCTYPE html> Please make this a ref test so that the expected result can be shared across platforms.

Frédéric Wang (:fredw)

Comment 11 2021-04-12 23:29:18 PDT

Comment on attachment 425742 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=425742&action=review >> LayoutTests/svg/outermost-svg-root.html:1 >> +<!DOCTYPE html> > > Please make this a ref test so that the expected result can be shared across platforms. The point of this bug is to check whether a "RenderSVGRoot" or a "RenderSVGViewportContainer" renderer is used for the <svg> element, so dumping the render tree was intentional. Not sure how I can make this a reftest, unless there is a way to visually differentiate the two kind of renderers.

Ryosuke Niwa

Comment 12 2021-04-13 02:05:32 PDT

(In reply to Frédéric Wang (:fredw) from comment #11) > Comment on attachment 425742 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=425742&action=review > > >> LayoutTests/svg/outermost-svg-root.html:1 > >> +<!DOCTYPE html> > > > > Please make this a ref test so that the expected result can be shared across platforms. > > The point of this bug is to check whether a "RenderSVGRoot" or a > "RenderSVGViewportContainer" renderer is used for the <svg> element, so > dumping the render tree was intentional. Not sure how I can make this a > reftest, unless there is a way to visually differentiate the two kind of > renderers. Oh, I see. Can we instead use internals.elementRenderTreeAsText and explicitly check for that? The problem with these render tree dumps is that it's very much unclear when the test is a pass and when it's a fail.

Ryosuke Niwa

Comment 13 2021-04-13 02:11:12 PDT

It also looks like RenderSVGViewportContainer knows how to clip itself when overflow: hidden is appleid but not RenderSVGViewportContainer so maybe you can make a visual difference with overflow: hidden.

Frédéric Wang (:fredw)

Comment 14 2021-04-13 02:59:53 PDT

Comment on attachment 425742 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=425742&action=review >>>> LayoutTests/svg/outermost-svg-root.html:1 >>>> +<!DOCTYPE html> >>> >>> Please make this a ref test so that the expected result can be shared across platforms. >> >> The point of this bug is to check whether a "RenderSVGRoot" or a "RenderSVGViewportContainer" renderer is used for the <svg> element, so dumping the render tree was intentional. Not sure how I can make this a reftest, unless there is a way to visually differentiate the two kind of renderers. > > Oh, I see. Can we instead use internals.elementRenderTreeAsText and explicitly check for that? The problem with these render tree dumps is that it's very much unclear when the test is a pass and when it's a fail. Yes, I don't like these either... will try to write a better test with your suggestions, thanks!

Frédéric Wang (:fredw)

Comment 15 2021-04-13 04:43:46 PDT

Created attachment 425862 [details] Patch

Ryosuke Niwa

Comment 16 2021-04-13 17:20:21 PDT

Comment on attachment 425862 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=425862&action=review > Source/WebCore/svg/SVGElement.cpp:213 > + if (isInShadowTree() && is<SVGUseElement>(parentOrShadowHostElement())) > + return false; Wait, this isn't quite right, right? This node can be a child of use element both of which are a shadow tree? We want to check is<SVGUseElement>(shadowHost()) instead. Please add a test case for that.

Frédéric Wang (:fredw)

Comment 17 2021-04-14 00:35:30 PDT

Created attachment 425957 [details] Patch for landing

Frédéric Wang (:fredw)

Comment 18 2021-04-14 00:37:20 PDT

Comment on attachment 425862 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=425862&action=review >> Source/WebCore/svg/SVGElement.cpp:213 >> + return false; > > Wait, this isn't quite right, right? This node can be a child of use element both of which are a shadow tree? > We want to check is<SVGUseElement>(shadowHost()) instead. Please add a test case for that. Done, but actually this does not change behavior since is<SVGUseElement>(*parentNode()) implies !is<SVGElement>(*parentNode()) == false in the statement below.

Ryosuke Niwa

Comment 19 2021-04-14 00:40:46 PDT

Comment on attachment 425862 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=425862&action=review >>> Source/WebCore/svg/SVGElement.cpp:213 >>> + return false; >> >> Wait, this isn't quite right, right? This node can be a child of use element both of which are a shadow tree? >> We want to check is<SVGUseElement>(shadowHost()) instead. Please add a test case for that. > > Done, but actually this does not change behavior since is<SVGUseElement>(*parentNode()) implies !is<SVGElement>(*parentNode()) == false in the statement below. Oh, I see. That makes sense.

Frédéric Wang (:fredw)

Comment 20 2021-04-14 02:00:48 PDT

Created attachment 425961 [details] Patch for landing

EWS

Comment 21 2021-04-14 08:13:43 PDT

Committed r275944 (236506@main): <https://commits.webkit.org/236506@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 425961 [details].

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component SVG

Assignee

Frédéric Wang (:fredw)

Reported

2021-03-19 14:22 PDT

Modified

2021-04-14 12:14 PDT History

CC List

12 users Show

URL

Keywords InRadar

Depends on

Blocks