Bug 264276 - nullptr crash in EventPath::eventTargetRespectingTargetRules via EventPath::buildPath
Summary: nullptr crash in EventPath::eventTargetRespectingTargetRules via EventPath::b...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2023-11-06 12:00 PST by Ryosuke Niwa
Modified: 2023-11-06 15:38 PST
CC List: 1 user

See Also:

Description Ryosuke Niwa 2023-11-06 12:00:26 PST
e.g.
Thread 0 Crashed::   Dispatch queue: com.apple.main-thread
0   WebCore                       	       0x1bab13ba8 WTF::OptionSet<WebCore::Node::NodeFlag>::containsAny(WTF::OptionSet<WebCore::Node::NodeFlag>) const + 0 (/usr/local/include/wtf/OptionSet.h:172) [inlined]
1   WebCore                       	       0x1bab13ba8 WTF::OptionSet<WebCore::Node::NodeFlag>::contains(WebCore::Node::NodeFlag) const + 0 (/usr/local/include/wtf/OptionSet.h:167) [inlined]
2   WebCore                       	       0x1bab13ba8 WebCore::Node::hasNodeFlag(WebCore::Node::NodeFlag) const + 0 (Sources/WebCore/Source/WebCore/dom/Node.h:619) [inlined]
3   WebCore                       	       0x1bab13ba8 WebCore::Node::isElementNode() const + 0 (Sources/WebCore/Source/WebCore/dom/Node.h:199) [inlined]
4   WebCore                       	       0x1bab13ba8 WebCore::Node::pseudoId() const + 0 (Sources/WebCore/Source/WebCore/dom/Node.h:214) [inlined]
5   WebCore                       	       0x1bab13ba8 WebCore::Node::isPseudoElement() const + 0 (Sources/WebCore/Source/WebCore/dom/Node.h:211) [inlined]
6   WebCore                       	       0x1bab13ba8 WTF::TypeCastTraits<WebCore::PseudoElement const, WebCore::Node const, false>::isType(WebCore::Node const&) + 0 (Sources/WebCore/Source/WebCore/dom/PseudoElement.h:62) [inlined]
7   WebCore                       	       0x1bab13ba8 WTF::TypeCastTraits<WebCore::PseudoElement const, WebCore::Node const, false>::isOfType(WebCore::Node const&) + 0 (Sources/WebCore/Source/WebCore/dom/PseudoElement.h:61) [inlined]
8   WebCore                       	       0x1bab13ba8 bool WTF::is<WebCore::PseudoElement, WebCore::Node>(WebCore::Node&) + 0 (/usr/local/include/wtf/TypeCasts.h:58) [inlined]
9   WebCore                       	       0x1bab13ba8 WebCore::EventPath::eventTargetRespectingTargetRules(WebCore::Node&) + 0 (Sources/WebCore/Source/WebCore/dom/EventPath.h:67) [inlined]
10  WebCore                       	       0x1bab13ba8 WebCore::EventPath::buildPath(WebCore::Node&, WebCore::Event&) + 2828 (Sources/WebCore/Source/WebCore/dom/EventPath.cpp:139)
11  WebCore                       	       0x1bab06bd4 WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) + 48 (Sources/WebCore/Source/WebCore/dom/EventPath.cpp:72) [inlined]
12  WebCore                       	       0x1bab06bd4 WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) + 48 (Sources/WebCore/Source/WebCore/dom/EventPath.cpp:71) [inlined]
13  WebCore                       	       0x1bab06bd4 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 152 (Sources/WebCore/Source/WebCore/dom/EventDispatcher.cpp:158)
14  WebCore                       	       0x1baadb6f8 WebCore::Element::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WTF::AtomString const&, int, WebCore::Element*, WebCore::IsSyntheticClick) + 948 (Sources/WebCore/Source/WebCore/dom/Element.cpp:492)
15  WebCore                       	       0x1bb201eec WebCore::EventHandler::updateMouseEventTargetNode(WTF::AtomString const&, WebCore::Node*, WebCore::PlatformMouseEvent const&, WebCore::EventHandler::FireMouseOverOut) + 2504 (Sources/WebCore/Source/WebCore/page/EventHandler.cpp:2735)
16  WebCore                       	       0x1bb1ff93c WebCore::EventHandler::dispatchMouseEvent(WTF::AtomString const&, WebCore::Node*, int, WebCore::PlatformMouseEvent const&, WebCore::EventHandler::FireMouseOverOut) + 80 (Sources/WebCore/Source/WebCore/page/EventHandler.cpp:2834)
17  WebCore                       	       0x1bb201028 WebCore::EventHandler::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::HitTestResult*, bool) + 1460 (Sources/WebCore/Source/WebCore/page/EventHandler.cpp:2149)
18  WebCore                       	       0x1bb200918 WebCore::EventHandler::mouseMoved(WebCore::PlatformMouseEvent const&) + 228 (Sources/WebCore/Source/WebCore/page/EventHandler.cpp:1995)
19  WebKit                        	       0x1bc6bde04 WebKit::dispatchSyntheticMouseMove(WebCore::LocalFrame&, WebCore::FloatPoint const&, WTF::OptionSet<WebKit::WebEventModifier>, unsigned int) + 276 (Sources/WebKit/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm:718)
20  WebKit                        	       0x1bc6bd24c WebKit::WebPage::handleSyntheticClick(WebCore::Node&, WebCore::FloatPoint const&, WTF::OptionSet<WebKit::WebEventModifier>, unsigned int) + 268 (Sources/WebKit/Source/WebKit/WebProcess/WebPage/ios/WebPageIOS.mm:785)

<rdar://117902151>
Comment 1 Ryosuke Niwa 2023-11-06 12:05:59 PST
Pull request: https://github.com/WebKit/WebKit/pull/20051
Comment 2 EWS 2023-11-06 15:38:31 PST
Committed 270295@main (6fa5837d95d9): <https://commits.webkit.org/270295@main>

Reviewed commits have been landed. Closing PR #20051 and removing active labels.