Created attachment 460850
This file is generated by a browser fuzzer

description:
a heap-use-after-free occurred in WebCore::RenderLayer::updateDescendantDependentFlags(). It affects Safari as well as WebKitGTK.

versions:
safari-613.2.4.1-branch (37edf4fcfaa93501189b8492521eb68198cf9fee) and webkitgtk-2.36.4

asan log:
```
=================================================================
==11793==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200018c94c at pc 0x7f7bf5498912 bp 0x7ffc5914ea30 sp 0x7ffc5914ea28
READ of size 4 at 0x61200018c94c thread T0
    #0 0x7f7bf5498911 in WebCore::RenderLayer::updateDescendantDependentFlags() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:1511:9
    #1 0x7f7bf5498207 in WebCore::RenderLayer::updateDescendantDependentFlags() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:1519:20
    #2 0x7f7bf54996d6 in WebCore::RenderLayer::removeChild(WebCore::RenderLayer&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:452:14
    #3 0x7f7bf53adc67 in WebCore::RenderElement::willBeRemovedFromTree(WebCore::RenderObject::IsInternalMove) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderElement.cpp:1027:9
    #4 0x7f7bf5a65fa1 in WebCore::RenderTreeBuilder::detachFromRenderElement(WebCore::RenderElement&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::WillBeDestroyed) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:963:15
    #5 0x7f7bf5a72c8a in WebCore::RenderTreeBuilder::Block::detach(WebCore::RenderBlock&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:294:33
    #6 0x7f7bf5a74e4a in WebCore::RenderTreeBuilder::Block::detach(WebCore::RenderBlockFlow&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:387:12
    #7 0x7f7bf5a60f26 in WebCore::RenderTreeBuilder::detach(WebCore::RenderElement&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:395:31
    #8 0x7f7bf5a601f5 in WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:160:22
    #9 0x7f7bf5a6bfe9 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:887:5
    #10 0x7f7bf5aa3da8 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_7::operator()(unsigned int) const /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:608:25
    #11 0x7f7bf5aa0248 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:631:5
    #12 0x7f7bf5aa3122 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:537:5
    #13 0x7f7bf2d02d7f in WebCore::destroyRenderTreeIfNeeded(WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:321:9
    #14 0x7f7bf2d02d7f in WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:660:5
    #15 0x7f7bf2d06a15 in WebCore::ContainerNode::removeAllChildrenWithScriptAssertion(WebCore::ContainerNode::ChildChange::Source, WebCore::ContainerNode::DeferChildrenChanged) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:128:13
    #16 0x7f7bf2d06a15 in WebCore::ContainerNode::removeChildren() /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:744:5
    #17 0x7f7bf2d97c04 in WebCore::Document::implicitOpen() /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:2988:5
    #18 0x7f7bf2d80421 in WebCore::Document::open(WebCore::Document*) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:2938:5
    #19 0x7f7bf2d9eb58 in WebCore::Document::write(WebCore::Document*, WebCore::SegmentedString&&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:3292:23
    #20 0x7f7bf2d9fbdd in WebCore::Document::writeln(WebCore::Document*, WTF::FixedVector<WTF::String>&&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/Document.cpp:3324:12
    #21 0x7f7bf0109b9e in WebCore::jsDocumentPrototypeFunction_writelnBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()::operator()() const /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5915:5
    #22 0x7f7bf0109b9e in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsDocumentPrototypeFunction_writelnBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsDocumentPrototypeFunction_writelnBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)::'lambda'()&&) /root/browser/webkit/Safari-branch2/Source/WebCore/bindings/js/JSDOMConvertBase.h:168:27
    #23 0x7f7bf0109b9e in WebCore::jsDocumentPrototypeFunction_writelnBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5915:5
    #24 0x7f7bf0109b9e in long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_writelnBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) /root/browser/webkit/Safari-branch2/Source/WebCore/bindings/js/JSDOMOperation.h:63:9
    #25 0x7f7bf0109b9e in WebCore::jsDocumentPrototypeFunction_writeln(JSC::JSGlobalObject*, JSC::CallFrame*) /root/browser/webkit/Safari-branch2/WebKitBuild_Asan/GTK/Release/WebCore/DerivedSources/JSDocument.cpp:5920:12
    #26 0x7f7b9f2eb1d7  (<unknown module>)

0x61200018c94c is located 12 bytes inside of 272-byte region [0x61200018c940,0x61200018ca50)
freed by thread T0 here:
    #0 0x4c3117 in free /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7f7bf55a5984 in WebCore::RenderLayer::operator delete(void*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.h:150:5
    #2 0x7f7bf55a5984 in std::default_delete<WebCore::RenderLayer>::operator()(WebCore::RenderLayer*) const /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:81:2
    #3 0x7f7bf55a5984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::reset(WebCore::RenderLayer*) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:402:4
    #4 0x7f7bf55a5984 in std::unique_ptr<WebCore::RenderLayer, std::default_delete<WebCore::RenderLayer> >::operator=(std::nullptr_t) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:336:2
    #5 0x7f7bf55a5984 in WebCore::RenderLayerModelObject::destroyLayer() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:82:13
    #6 0x7f7bf55a5984 in WebCore::RenderLayerModelObject::willBeDestroyed() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayerModelObject.cpp:72:9
    #7 0x7f7bf56324b9 in WebCore::RenderObject::destroy() /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderObject.cpp:1620:5
    #8 0x7f7bf5a6bfe9 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:887:5
    #9 0x7f7bf5aa3da8 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_7::operator()(unsigned int) const /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:608:25
    #10 0x7f7bf5a9fd1b in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:621:9
    #11 0x7f7bf5aa3122 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:537:5
    #12 0x7f7bf2d02d7f in WebCore::destroyRenderTreeIfNeeded(WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:321:9
    #13 0x7f7bf2d02d7f in WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) /root/browser/webkit/Safari-branch2/Source/WebCore/dom/ContainerNode.cpp:660:5

previously allocated by thread T0 here:
    #0 0x4c340f in malloc /root/llvm/llvm-12/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f7beba871da in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) /root/browser/webkit/Safari-branch2/Source/bmalloc/bmalloc/DebugHeap.cpp:102:20
    #2 0x7f7bf5229845 in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBox.cpp:306:27
    #3 0x7f7bf52280bc in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderBlock.cpp:435:16

SUMMARY: AddressSanitizer: heap-use-after-free /root/browser/webkit/Safari-branch2/Source/WebCore/rendering/RenderLayer.cpp:1511:9 in WebCore::RenderLayer::updateDescendantDependentFlags()
Shadow bytes around the buggy address:
  0x0c24800298d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c24800298e0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c24800298f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480029900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480029910: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
=>0x0c2480029920: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fd
  0x0c2480029930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480029940: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c2480029950: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2480029960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2480029970: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==11793==ABORTING
```
<rdar://problem/96942033>
Hello? It has been 6 months. As I verified, this issue has been addressed in the latest WebKit. Can anyone close this issue?
This issue has been fixed on WebKitGTK 2.36.8 or later.
*** This bug has been marked as a duplicate of bug 242683 ***