Bug 223539 - Crash in RenderBlock::addOverflowFromChildren
Summary: Crash in RenderBlock::addOverflowFromChildren
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: SVG
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Frédéric Wang (:fredw)
Keywords: InRadar
Reported: 2021-03-19 14:22 PDT by Ali Juma
Modified: 2021-04-14 12:14 PDT
CC: 12 users
Attachments
Minimal test case (499 bytes, text/html); 2021-03-19 14:22 PDT, Ali Juma; no flags
Patch (5.95 KB, patch); 2021-04-07 06:54 PDT, Frédéric Wang (:fredw); ews-feeder: commit-queue-
Patch (20.33 KB, patch); 2021-04-12 05:05 PDT, Frédéric Wang (:fredw); no flags
Patch (20.33 KB, patch); 2021-04-12 07:07 PDT, Frédéric Wang (:fredw); no flags
Patch (9.52 KB, patch); 2021-04-13 04:43 PDT, Frédéric Wang (:fredw); rniwa: review+, ews-feeder: commit-queue-
Patch for landing (10.74 KB, patch); 2021-04-14 00:35 PDT, Frédéric Wang (:fredw); no flags
Patch for landing (11.31 KB, patch); 2021-04-14 02:00 PDT, Frédéric Wang (:fredw); no flags

Description Ali Juma 2021-03-19 14:22:28 PDT
Created attachment 423778 [details]
Minimal test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

This reproduces in an ASan build of WebKitTestRunner, and also crashes in STP 122.

Stack:
=================================================================
==62931==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00078565bafd bp 0x7ffeef117c90 sp 0x7ffeef117c90 T0)
==62931==The signal is caused by a READ memory access.
==62931==Hint: address points to the zero page.
==62931==WARNING: invalid path to external symbolizer!
==62931==WARNING: Failed to use and restart external symbolizer!
    #0 0x78565bafc in WTF::VectorBufferBase<WebCore::LayoutIntegration::Line, WTF::FastMalloc>::buffer() const (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x38eeafc)
    #1 0x785f43885 in WebCore::LayoutIntegration::LineLayout::collectOverflow() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x41d6885)
    #2 0x786d47e54 in WebCore::RenderBlock::addOverflowFromChildren() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fdae54)
    #3 0x786d4811c in WebCore::RenderBlock::computeOverflow(WebCore::LayoutUnit, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fdb11c)
    #4 0x786d8d653 in WebCore::RenderBlockFlow::computeOverflow(WebCore::LayoutUnit, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5020653)
    #5 0x787207917 in WebCore::RenderSVGBlock::computeOverflow(WebCore::LayoutUnit, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x549a917)
    #6 0x786d76ea7 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5009ea7)
    #7 0x786d47674 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fda674)
    #8 0x78720b560 in WebCore::RenderSVGForeignObject::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x549e560)
    #9 0x78728a812 in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement&, bool) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x551d812)
    #10 0x78724d016 in WebCore::RenderSVGRoot::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x54e0016)
    #11 0x786c7f895 in WebCore::ComplexLineLayout::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4f12895)
    #12 0x786d781af in WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500b1af)
    #13 0x786d7685e in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500985e)
    #14 0x786d47674 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fda674)
    #15 0x786d7b970 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500e970)
    #16 0x786d784ed in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500b4ed)
    #17 0x786d76869 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5009869)
    #18 0x786d47674 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fda674)
    #19 0x786d7b970 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500e970)
    #20 0x786d784ed in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500b4ed)
    #21 0x786d76869 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5009869)
    #22 0x786d47674 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fda674)
    #23 0x786d7b970 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500e970)
    #24 0x786d784ed in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x500b4ed)
    #25 0x786d76869 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5009869)
    #26 0x786d47674 in WebCore::RenderBlock::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4fda674)
    #27 0x7870de60a in WebCore::RenderView::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x537160a)
    #28 0x7862c1299 in WebCore::FrameViewLayoutContext::layout() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4554299)
    #29 0x7851e3af6 in WebCore::Document::implicitClose() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3476af6)
    #30 0x78604ebb2 in WebCore::FrameLoader::checkCompleted() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42e1bb2)
    #31 0x78604b1a0 in WebCore::FrameLoader::finishedParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42de1a0)
    #32 0x785202822 in WebCore::Document::finishedParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3495822)
    #33 0x785b1383a in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3da683a)
    #34 0x78601c7e0 in WebCore::DocumentWriter::end() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42af7e0)
    #35 0x785fcda2c in WebCore::DocumentLoader::finishedLoading() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4260a2c)
    #36 0x785fcd3a9 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x42603a9)
    #37 0x78618c7ef in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x441f7ef)
    #38 0x7861886ab in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x441b6ab)
    #39 0x786103f07 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4396f07)
    #40 0x102c435c6 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x21535c6)
    #41 0x103300e46 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2810e46)
    #42 0x103300453 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2810453)
    #43 0x102c04a4a in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2114a4a)
    #44 0x100b7c399 in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8c399)
    #45 0x100b7cdf6 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8cdf6)
    #46 0x100b7d9bb in IPC::Connection::dispatchOneIncomingMessage() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x8d9bb)
    #47 0x79fc6b2ec in WTF::RunLoop::performWork() (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xce2ec)
    #48 0x79fc6e995 in WTF::RunLoop::performWork(void*) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xd1995)
    #49 0x7fff35d39883 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84883)
    #50 0x7fff35d39822 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84822)
    #51 0x7fff35d3963c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x8463c)
    #52 0x7fff35d38358 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x83358)
    #53 0x7fff35d37952 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x82952)
    #54 0x7fff383f51c7 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x601c7)
    #55 0x7fff384a7c6e in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x112c6e)
    #56 0x7fff6ff144e9 in _xpc_objc_main.cold.4 (/usr/lib/system/libxpc.dylib:x86_64+0x164e9)
    #57 0x7fff6ff1442f in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1642f)
    #58 0x7fff6ff13f62 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x15f62)
    #59 0x1019e6923 in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0xef6923)
    #60 0x7fff6fcc2cc8 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)
==62931==Register values:
rax = 0x0000000000000003  rbx = 0x00007ffeef117d00  rcx = 0x0000100000000003  rdx = 0x0000100000000000
rdi = 0x0000000000000018  rsi = 0x0000000781de3880  rbp = 0x00007ffeef117c90  rsp = 0x00007ffeef117c90
 r8 = 0x0000100000000000   r9 = 0x0000000000000000  r10 = 0xffffffffffffffff  r11 = 0x00000fffffffffff
r12 = 0x0000000000000000  r13 = 0x00001fffdde22f94  r14 = 0x0000000000000018  r15 = 0x00007ffeef117dc0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x38eeafc) in WTF::VectorBufferBase<WebCore::LayoutIntegration::Line, WTF::FastMalloc>::buffer() const
Comment 1 Radar WebKit Bug Importer 2021-03-19 14:22:38 PDT
<rdar://problem/75636310>
Comment 2 Frédéric Wang (:fredw) 2021-04-07 06:25:33 PDT
In release mode, we are dereferencing a nullptr inlineContent() here:

https://webkit-search.igalia.com/webkit/source/Source/WebCore/layout/integration/LayoutIntegrationLineLayout.cpp#345

In debug mode, we are actually first hitting the following assertion failure:

ASSERTION FAILED: formattingContextRoot.establishesInlineFormattingContext()
../../Source/WebCore/layout/LayoutState.cpp(162)

Debugging a bit, we arrive at a weird state where there is no in-flow child. Also, the inner <svg> has a RenderSVGViewportContainer renderer, not a RenderSVGRoot:

(rr) up
(rr) 
https://webkit-search.igalia.com/webkit/rev/c981d4cdcc3401f39ce3157655e0fe7c78afeb0d/Source/WebCore/layout/LayoutState.cpp#162
(rr) bt
#0  0x00007f393ddd19d3 in WebCore::Layout::LayoutState::ensureInlineFormattingState(WebCore::Layout::ContainerBox const&)
    at ../../Source/WebCore/layout/LayoutState.cpp:162
#1  0x00007f393c653e3e in WebCore::LayoutIntegration::LineLayout::LineLayout(WebCore::RenderBlockFlow&)
    at ../../Source/WebCore/layout/integration/LayoutIntegrationLineLayout.cpp:64
#2  0x00007f393cfb3663 in std::make_unique<WebCore::LayoutIntegration::LineLayout, WebCore::RenderBlockFlow&>(WebCore::RenderBlockFlow&) () at /usr/include/c++/10.2.0/bits/unique_ptr.h:962
#3  0x00007f393cfad794 in WTF::makeUnique<WebCore::LayoutIntegration::LineLayout, WebCore::RenderBlockFlow&>(WebCore::RenderBlockFlow&) () at WTF/Headers/wtf/StdLibExtras.h:507
#4  0x00007f393cfa1efb in WebCore::RenderBlockFlow::layoutModernLines(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
    at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:3661
#5  0x00007f393cf935e9 in WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
    at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:696
#6  0x00007f393cf92985 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
    at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:523
#7  0x00007f393cf811ff in WebCore::RenderBlock::layout()
    at ../../Source/WebCore/rendering/RenderBlock.cpp:598
#8  0x00007f393d29c6d8 in WebCore::RenderSVGForeignObject::layout()
    at ../../Source/WebCore/rendering/svg/RenderSVGForeignObject.cpp:168
(rr) p formattingContextRoot.firstInFlowChild()
$1 = (const WebCore::Layout::Box *) 0x0
(rr) up
(rr) 
(rr) 
(rr) 
https://webkit-search.igalia.com/webkit/rev/c981d4cdcc3401f39ce3157655e0fe7c78afeb0d/Source/WebCore/rendering/RenderBlockFlow.cpp#3661
(rr) p showRenderTree(this)

(B)lock/(I)nline/I(N)line-block, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, hasLayer(S)crollableArea, (C)omposited, (+)Dirty style, (+)Dirty layout
B---YGLS- -+  RenderView at (0,0) size 785x0 renderer->(0x7f5d1ff79270) layout->[normal child]
B-----LS- -+    HTML RenderBlock at (0,0) size 785x0 renderer->(0x7f5d1ff796e0) node->(0x7f5d1ff7bac0) layout->[self][normal child]
B-------- -+      BODY RenderBody at (0,8) size 769x0 renderer->(0x7f5d1ff79800) node->(0x7f5d1ff7bbe0) layout->[self][normal child]
B-------- -+        DIV RenderBlock at (0,0) size 769x0 renderer->(0x7f5d1ff6c4e0) node->(0x7f5d1ff7bc70) layout->[self][normal child]
I-------- -+          svg RenderSVGRoot at (0,0) size 300x150 renderer->(0x7f5d1ff6c600) node->(0x7f5d1ff6c010) layout->[self][normal child]
B-------- -+*           foreignObject RenderSVGForeignObject at (0,0) size 0x0 renderer->(0x7f5d1ff6c7e0) node->(0x7f5d1ff6c1a0) layout->[self][normal child]
I-------- -+              svg RenderSVGViewportContainer renderer->(0x7f5d1ff6c980) node->(0x7f5d1ff6c2e0) layout->[self]

$2 = void

This RenderSVGViewportContainer is created because the rule "we're living in a shadow tree" wins over the rule "we're a direct child of a <foreignObject> element" here:

https://webkit-search.igalia.com/webkit/rev/c981d4cdcc3401f39ce3157655e0fe7c78afeb0d/Source/WebCore/svg/SVGElement.cpp#203

Tweaking the order of the rules addresses the debug/release issue. I'll prepare a patch with a test. I'm not sure whether the "we're a <svg> element that got created as replacement for a <symbol> element or a cloned <svg> element in the referenced tree" assumption is always true though.
Comment 3 Frédéric Wang (:fredw) 2021-04-07 06:54:31 PDT
Created attachment 425390 [details]
Patch
Comment 4 Ryosuke Niwa 2021-04-07 16:43:05 PDT
Comment on attachment 425390 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425390&action=review

> Source/WebCore/svg/SVGElement.cpp:216
> +    if (isInShadowTree() && is<SVGElement>(parentOrShadowHostElement()))

This looks wrong.
This isn't necessarily true if we're in a shadow tree created by scripts as is the case in this test case.
We should be checking whether we're inside a shadow tree of an use element or not.
Comment 5 Frédéric Wang (:fredw) 2021-04-08 00:29:15 PDT
Comment on attachment 425390 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425390&action=review

>> Source/WebCore/svg/SVGElement.cpp:216
>> +    if (isInShadowTree() && is<SVGElement>(parentOrShadowHostElement()))
> 
> This looks wrong.
> This isn't necessarily true if we're in a shadow tree created by scripts as is the case in this test case.
> We should be checking whether we're inside a shadow tree of an use element or not.

Right, that's what I meant at the end of comment 2. But that said, this was already there before the patch and I didn't want to modify this too much.

@Niko: I think you originally added this code. Can you please check whether it still makes sense?
Comment 6 Nikolas Zimmermann 2021-04-10 14:54:11 PDT
(In reply to Ryosuke Niwa from comment #4)
> Comment on attachment 425390 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=425390&action=review
> 
> > Source/WebCore/svg/SVGElement.cpp:216
> > +    if (isInShadowTree() && is<SVGElement>(parentOrShadowHostElement()))
> 
> This looks wrong.
> This isn't necessarily true if we're in a shadow tree created by scripts as
> is the case in this test case.
> We should be checking whether we're inside a shadow tree of an use element
> or not.

Agreed -- that condition seems to be what we aim for.
I'd propose to change it together with the security fix in one patch.
Comment 7 Frédéric Wang (:fredw) 2021-04-12 05:05:33 PDT
Created attachment 425733 [details]
Patch
Comment 8 Frédéric Wang (:fredw) 2021-04-12 05:05:56 PDT
Comment on attachment 425390 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425390&action=review

>>>> Source/WebCore/svg/SVGElement.cpp:216
>>>> +    if (isInShadowTree() && is<SVGElement>(parentOrShadowHostElement()))
>>> 
>>> This looks wrong.
>>> This isn't necessarily true if we're in a shadow tree created by scripts as is the case in this test case.
>>> We should be checking whether we're inside a shadow tree of an use element or not.
>> 
>> Right, that's what I meant at the end of comment 2. But that said, this was already there before the patch and I didn't want to modify this too much.
>> 
>> @Niko: I think you originally added this code. Can you please check whether it still makes sense?
> 
> Agreed -- that condition seems to be what we aim for.
> I'd propose to change it together with the security fix in one patch.

Thanks, I tried something in the latest version.
Comment 9 Frédéric Wang (:fredw) 2021-04-12 07:07:25 PDT
Created attachment 425742 [details]
Patch
Comment 10 Ryosuke Niwa 2021-04-12 23:25:50 PDT
Comment on attachment 425742 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425742&action=review

> LayoutTests/svg/outermost-svg-root.html:1
> +<!DOCTYPE html>

Please make this a ref test so that the expected result can be shared across platforms.
Comment 11 Frédéric Wang (:fredw) 2021-04-12 23:29:18 PDT
Comment on attachment 425742 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425742&action=review

>> LayoutTests/svg/outermost-svg-root.html:1
>> +<!DOCTYPE html>
> 
> Please make this a ref test so that the expected result can be shared across platforms.

The point of this bug is to check whether a "RenderSVGRoot" or a "RenderSVGViewportContainer" renderer is used for the <svg> element, so dumping the render tree was intentional. Not sure how I can make this a reftest, unless there is a way to visually differentiate the two kinds of renderers.
Comment 12 Ryosuke Niwa 2021-04-13 02:05:32 PDT
(In reply to Frédéric Wang (:fredw) from comment #11)
> Comment on attachment 425742 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=425742&action=review
> 
> >> LayoutTests/svg/outermost-svg-root.html:1
> >> +<!DOCTYPE html>
> > 
> > Please make this a ref test so that the expected result can be shared across platforms.
> 
> The point of this bug is to check whether a "RenderSVGRoot" or a
> "RenderSVGViewportContainer" renderer is used for the <svg> element, so
> dumping the render tree was intentional. Not sure how I can make this a
> reftest, unless there is a way to visually differentiate the two kinds of
> renderers.

Oh, I see. Can we instead use internals.elementRenderTreeAsText and explicitly check for that? The problem with these render tree dumps is that it's very much unclear when the test is a pass and when it's a fail.
Comment 13 Ryosuke Niwa 2021-04-13 02:11:12 PDT
It also looks like RenderSVGViewportContainer knows how to clip itself when overflow: hidden is applied but not RenderSVGViewportContainer so maybe you can make a visual difference with overflow: hidden.
Comment 14 Frédéric Wang (:fredw) 2021-04-13 02:59:53 PDT
Comment on attachment 425742 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425742&action=review

>>>> LayoutTests/svg/outermost-svg-root.html:1
>>>> +<!DOCTYPE html>
>>> 
>>> Please make this a ref test so that the expected result can be shared across platforms.
>> 
>> The point of this bug is to check whether a "RenderSVGRoot" or a "RenderSVGViewportContainer" renderer is used for the <svg> element, so dumping the render tree was intentional. Not sure how I can make this a reftest, unless there is a way to visually differentiate the two kinds of renderers.
> 
> Oh, I see. Can we instead use internals.elementRenderTreeAsText and explicitly check for that? The problem with these render tree dumps is that it's very much unclear when the test is a pass and when it's a fail.

Yes, I don't like these either... will try to write a better test with your suggestions, thanks!
Comment 15 Frédéric Wang (:fredw) 2021-04-13 04:43:46 PDT
Created attachment 425862 [details]
Patch
Comment 16 Ryosuke Niwa 2021-04-13 17:20:21 PDT
Comment on attachment 425862 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425862&action=review

> Source/WebCore/svg/SVGElement.cpp:213
> +    if (isInShadowTree() && is<SVGUseElement>(parentOrShadowHostElement()))
> +        return false;

Wait, this isn't quite right, right? This node can be a child of a use element, both of which are in a shadow tree?
We want to check is<SVGUseElement>(shadowHost()) instead. Please add a test case for that.
Comment 17 Frédéric Wang (:fredw) 2021-04-14 00:35:30 PDT
Created attachment 425957 [details]
Patch for landing
Comment 18 Frédéric Wang (:fredw) 2021-04-14 00:37:20 PDT
Comment on attachment 425862 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425862&action=review

>> Source/WebCore/svg/SVGElement.cpp:213
>> +        return false;
> 
> Wait, this isn't quite right, right? This node can be a child of a use element, both of which are in a shadow tree?
> We want to check is<SVGUseElement>(shadowHost()) instead. Please add a test case for that.

Done, but actually this does not change behavior since is<SVGUseElement>(*parentNode()) implies !is<SVGElement>(*parentNode()) == false in the statement below.
Comment 19 Ryosuke Niwa 2021-04-14 00:40:46 PDT
Comment on attachment 425862 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425862&action=review

>>> Source/WebCore/svg/SVGElement.cpp:213
>>> +        return false;
>> 
>> Wait, this isn't quite right, right? This node can be a child of a use element, both of which are in a shadow tree?
>> We want to check is<SVGUseElement>(shadowHost()) instead. Please add a test case for that.
> 
> Done, but actually this does not change behavior since is<SVGUseElement>(*parentNode()) implies !is<SVGElement>(*parentNode()) == false in the statement below.

Oh, I see. That makes sense.
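The rule ordering described in comment 2 and the shadow-host condition settled in comments 16 to 19, as an added illustration that is not WebKit's code and not part of this bug's patches: a toy DOM tree with the two orderings of the "outermost <svg>" decision side by side, run on the two shapes discussed above (the script-created shadow tree holding <svg><foreignObject><svg/>, and an <svg> cloned into a <use> element's shadow tree). The Node type, the Tag enum, the ShadowRoot stand-in node, the function names, the detached-element rule and the renderer mapping are assumptions made for the example; only the quoted conditions and the rule descriptions come from the comments above.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Node kinds in the toy tree. ShadowRoot stands in for the non-element node
// that roots a shadow tree (assumed simplification of the DOM).
enum class Tag { Div, ShadowRoot, Svg, ForeignObject, Use };

struct Node {
    Tag tag;
    Node* parent = nullptr;      // parent node; a ShadowRoot for the shadow tree's top-level children
    Node* shadowHost = nullptr;  // host element for every node inside a shadow tree, otherwise null
    std::vector<std::unique_ptr<Node>> children;

    explicit Node(Tag t) : tag(t) {}

    bool isInShadowTree() const { return shadowHost != nullptr; }
    bool isSVGElement() const { return tag == Tag::Svg || tag == Tag::ForeignObject || tag == Tag::Use; }

    // Append a child in the same tree; it inherits the enclosing shadow host, if any.
    Node* appendChild(Tag t) {
        children.push_back(std::make_unique<Node>(t));
        Node* child = children.back().get();
        child->parent = this;
        child->shadowHost = shadowHost;
        return child;
    }

    // Attach a shadow root to this element (what a script's attachShadow() or a
    // <use> element does); everything appended below it is "in a shadow tree".
    Node* attachShadow() {
        children.push_back(std::make_unique<Node>(Tag::ShadowRoot));
        Node* root = children.back().get();
        root->parent = nullptr;  // a shadow root has no parent node of its own
        root->shadowHost = this;
        return root;
    }

    // Models parentOrShadowHostElement(): the parent element, or the shadow
    // host when the parent node is the shadow root itself.
    const Node* parentOrShadowHostElement() const {
        if (parent && parent->tag != Tag::ShadowRoot)
            return parent;
        return shadowHost;
    }
};

// Ordering before the fix (comment 2): the "we're living in a shadow tree" rule,
// with the condition quoted from SVGElement.cpp:216, runs before the
// "direct child of <foreignObject>" rule and therefore wins.
bool isOutermostSVGSVGElementBefore(const Node& e) {
    if (e.tag != Tag::Svg)
        return false;
    const Node* host = e.parentOrShadowHostElement();
    if (e.isInShadowTree() && host && host->isSVGElement())
        return false;
    if (!e.parent)
        return true;  // detached element: treated as outermost (assumed)
    if (e.parent->tag == Tag::ForeignObject)
        return true;
    return !e.parent->isSVGElement();
}

// Ordering after the fix (comments 16 to 19): <foreignObject> is tested first, and
// the shadow-tree rule only fires inside the shadow tree of a <use> element,
// i.e. the is<SVGUseElement>(shadowHost()) check.
bool isOutermostSVGSVGElementAfter(const Node& e) {
    if (e.tag != Tag::Svg)
        return false;
    if (!e.parent)
        return true;
    if (e.parent->tag == Tag::ForeignObject)
        return true;
    if (e.isInShadowTree() && e.shadowHost->tag == Tag::Use)
        return false;
    return !e.parent->isSVGElement();
}

using OutermostRule = bool (*)(const Node&);

// Renderer choice as comment 2 describes it: the outermost <svg> gets a
// RenderSVGRoot, an inner one a RenderSVGViewportContainer.
std::string rendererFor(const Node& svg, OutermostRule isOutermost) {
    return isOutermost(svg) ? "RenderSVGRoot" : "RenderSVGViewportContainer";
}

// Scenario 1, the minimal test case as comments 2 and 4 describe it: a script-created
// shadow tree on a <div> holding <svg><foreignObject><svg/></foreignObject></svg>.
// Returns the renderer chosen for the inner <svg> under the given ordering.
std::string innerSvgRendererInScriptShadowTree(OutermostRule isOutermost) {
    Node div(Tag::Div);
    Node* root = div.attachShadow();
    Node* outerSvg = root->appendChild(Tag::Svg);
    Node* foreignObject = outerSvg->appendChild(Tag::ForeignObject);
    Node* innerSvg = foreignObject->appendChild(Tag::Svg);
    return rendererFor(*innerSvg, isOutermost);
}

// Scenario 2, the case raised in comment 16: an <svg> cloned into the shadow
// tree of a <use> element must stay an inner <svg> under either ordering.
std::string clonedSvgRendererInUseShadowTree(OutermostRule isOutermost) {
    Node svg(Tag::Svg);
    Node* use = svg.appendChild(Tag::Use);
    Node* root = use->attachShadow();
    Node* clone = root->appendChild(Tag::Svg);
    return rendererFor(*clone, isOutermost);
}

int main() {
    std::cout << "foreignObject child, before: " << innerSvgRendererInScriptShadowTree(isOutermostSVGSVGElementBefore) << '\n'
              << "foreignObject child, after:  " << innerSvgRendererInScriptShadowTree(isOutermostSVGSVGElementAfter) << '\n'
              << "<use> clone, before:         " << clonedSvgRendererInUseShadowTree(isOutermostSVGSVGElementBefore) << '\n'
              << "<use> clone, after:          " << clonedSvgRendererInUseShadowTree(isOutermostSVGSVGElementAfter) << '\n';
    return 0;
}
```

With the old ordering the inner <svg> of scenario 1 is classified as an inner element and gets the RenderSVGViewportContainer seen in the render tree dump of comment 2, which is what leaves the foreignObject's block without an in-flow child; with the new ordering it becomes a RenderSVGRoot. Scenario 2 gives RenderSVGViewportContainer under both orderings, which is the behaviour comment 18 says the shadowHost() form preserves.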
Comment 20 Frédéric Wang (:fredw) 2021-04-14 02:00:48 PDT
Created attachment 425961 [details]
Patch for landing
Comment 21 EWS 2021-04-14 08:13:43 PDT
Committed r275944 (236506@main): <https://commits.webkit.org/236506@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 425961 [details].