Bug 230581 - [RenderTreeUpdater] NULL ptr deref in updateRenderTree
Summary: [RenderTreeUpdater] NULL ptr deref in updateRenderTree
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: Safari Technology Preview
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Brandon
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-09-21 16:06 PDT by Brandon
Modified: 2021-09-24 03:24 PDT (History)
15 users (show)

See Also:

Attachments
Patch (6.23 KB, patch)
2021-09-21 17:02 PDT, Brandon 		ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch 2 (159.01 KB, patch)
2021-09-23 10:00 PDT, Brandon 		ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch3 test (4.41 KB, patch)
2021-09-23 15:54 PDT, Brandon 		no flags Details | Formatted Diff | Diff
Patch (5.16 KB, patch)
2021-09-23 16:31 PDT, Brandon 		koivisto: review+
ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Patch (5.12 KB, patch)
2021-09-23 23:23 PDT, Brandon 		ews-feeder: commit-queue-
Details | Formatted Diff | Diff
Show Obsolete (4) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Brandon 2021-09-21 16:06:28 PDT 
This script causes a crash

<script>
  onload = () => {
    let div0 = document.createElement('div');
    div0.style.display = 'contents';
    let div1 = document.createElement('div');
    div1.append('ab');
    div0.appendChild(div1);
    document.body.appendChild(div0);
    document.body.offsetTop;
    div1.innerHTML = 'a';
    new Document().appendChild(div0);
  };
</script>

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                   0x00000001072d946f WebCore::shouldCreateRenderer(WebCore::Element const&, WebCore::RenderElement const&) + 0 (RenderTreeUpdater.cpp:137) [inlined]
1   com.apple.WebCore                   0x00000001072d946f WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) + 2367 (RenderTreeUpdater.cpp:198)
2   com.apple.WebCore                   0x00000001072d8a4b WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 507 (RenderTreeUpdater.cpp:126)
3   com.apple.WebCore                   0x000000010664fe99 WebCore::Document::updateRenderTree(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 105 (Document.cpp:2023)
4   com.apple.WebCore                   0x0000000106650357 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 1127 (Document.cpp:2113)
5   com.apple.WebCore                   0x0000000106650973 WebCore::Document::updateStyleIfNeeded() + 371 (Document.cpp:2205)

<rdar://83101139>
Comment 1 Brandon 2021-09-21 17:02:21 PDT 
Created attachment 438889 [details]
Patch
Comment 2 Brandon 2021-09-23 10:00:06 PDT 
Created attachment 439055 [details]
Patch 2
Comment 3 zalan 2021-09-23 11:36:35 PDT 
Let's not try to fix the Changelog formatting in this patch.
Comment 4 Brandon 2021-09-23 15:54:26 PDT 
Created attachment 439102 [details]
Patch3 test
Comment 5 Brandon 2021-09-23 16:31:13 PDT 
Created attachment 439106 [details]
Patch
Comment 6 Antti Koivisto 2021-09-23 22:41:30 PDT 
Good fix.
Comment 7 Antti Koivisto 2021-09-23 22:47:04 PDT 
Comment on attachment 439106 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=439106&action=review

> LayoutTests/fast/dom/Document/clearPendingRenderTreeUpdater.html:15
> +<html>
> +<script>
> +    onload = () => {
> +      let div0 = document.createElement('div');
> +      div0.style.display = 'contents';
> +      let div1 = document.createElement('div');
> +      div1.append('ab');
> +      div0.appendChild(div1);
> +      document.body.appendChild(div0);
> +      document.body.offsetTop;
> +      div1.innerHTML = 'a';
> +      new Document().appendChild(div0);
> +    };
> +</script>
> +</html>

Please add

if (window.testRunner)
   testRunner.dumpAsText()

in the beginning.

> LayoutTests/platform/mac/fast/dom/Document/clearPendingRenderTreeUpdater-expected.txt:5
> +layer at (0,0) size 800x600
> +  RenderView at (0,0) size 800x600
> +layer at (0,0) size 800x600
> +  RenderBlock {HTML} at (0,0) size 800x600
> +    RenderBody {BODY} at (8,8) size 784x584

...and avoid getting an unnecessary render tree dump.
Comment 8 Brandon 2021-09-23 23:23:18 PDT 
Created attachment 439127 [details]
Patch
Comment 9 EWS 2021-09-24 00:22:58 PDT 
Committed r283030 (242090@main): <https://commits.webkit.org/242090@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 439127 [details].