WebKit Bugzilla
Bug 265802 - REGRESSION(269745@main): Crash in SVGGeometryElement::isPointInFill
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=265802
Ali Juma
Reported 2023-12-04 10:49:29 PST

Created attachment 468867 [details]
Minimized test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

This reproduces in an ASan build of WebKitTestRunner at https://commits.webkit.org/271436@main
Stack:

=================================================================
==24409==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x00037dc4a792 bp 0x7ff7bfae3310 sp 0x7ff7bfae3310 T0)
==24409==The signal is caused by a READ memory access.
==24409==Hint: address points to the zero page.
    #0 0x37dc4a792 in std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, std::__1::monostate, WebCore::PathSegment, WTF::DataRef<WebCore::PathImpl>>::index() const+0x22 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5e53792)
    #1 0x37dc4ab1c in std::__1::variant<std::__1::monostate, WebCore::PathSegment, WTF::DataRef<WebCore::PathImpl>>::index() const+0xc (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5e53b1c)
    #2 0x37dc4d098 in bool std::__1::__holds_alternative<0ul, std::__1::monostate, WebCore::PathSegment, WTF::DataRef<WebCore::PathImpl>>(std::__1::variant<std::__1::monostate, WebCore::PathSegment, WTF::DataRef<WebCore::PathImpl>> const&)+0x8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5e56098)
    #3 0x37dc45cc8 in bool std::__1::holds_alternative<std::__1::monostate, std::__1::monostate, WebCore::PathSegment, WTF::DataRef<WebCore::PathImpl>>(std::__1::variant<std::__1::monostate, WebCore::PathSegment, WTF::DataRef<WebCore::PathImpl>> const&)+0x8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5e4ecc8)
    #4 0x37dc4123d in WebCore::Path::isEmpty() const+0xd (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5e4a23d)
    #5 0x37dc46917 in WebCore::Path::contains(WebCore::FloatPoint const&, WebCore::WindRule) const+0x17 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5e4f917)
    #6 0x37e97bd7f in WebCore::LegacyRenderSVGShape::shapeDependentFillContains(WebCore::FloatPoint const&, WebCore::WindRule) const+0x1f (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x6b84d7f)
    #7 0x37e9512b5 in WebCore::LegacyRenderSVGRect::shapeDependentFillContains(WebCore::FloatPoint const&, WebCore::WindRule) const+0x75 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x6b5a2b5)
    #8 0x37e97e61f in WebCore::LegacyRenderSVGShape::isPointInFill(WebCore::FloatPoint const&)+0x5f (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x6b8761f)
    #9 0x37ecd278b in WebCore::SVGGeometryElement::isPointInFill(WebCore::DOMPointInit&&)+0x1ab (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x6edb78b)
    #10 0x379ca2e82 in WebCore::jsSVGGeometryElementPrototypeFunction_isPointInFillBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSSVGGeometryElement*)+0x1b2 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x1eabe82)
    #11 0x379ca2c41 in long long WebCore::IDLOperation<WebCore::JSSVGGeometryElement>::call<&WebCore::jsSVGGeometryElementPrototypeFunction_isPointInFillBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSSVGGeometryElement*), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0x101 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x1eabc41)
    #12 0x379ca2b08 in WebCore::jsSVGGeometryElementPrototypeFunction_isPointInFill(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x1eabb08)
    #13 0x403945a0c037 (<unknown module>)
    #14 0x34c514303 in llint_entry+0x1d5f3 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10ce303)
    #15 0x34c515083 in llint_entry+0x1e373 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10cf083)
    #16 0x34c4f6bbc in vmEntryToJavaScript+0xbb (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x10b0bbc)
    #17 0x34e6c0e8a in JSC::Interpreter::executeCall(JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x67a (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x327ae8a)
    #18 0x34ed3dc91 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x41 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x38f7c91)
    #19 0x34ed3dd8f in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xdf (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x38f7d8f)
    #20 0x34ed3e14b in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10b (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x38f814b)
    #21 0x37b824ddf in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10f (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3a2dddf)
    #22 0x37b84f4f6 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0xcc6 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x3a584f6)
    #23 0x37c48caaa in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener>>, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x57a (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4695aaa)
    #24 0x37c48c371 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x201 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4695371)
    #25 0x37d5b75f0 in WebCore::LocalDOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)+0x340 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x57c05f0)
    #26 0x37d5d112b in WebCore::LocalDOMWindow::dispatchLoadEvent()+0x30b (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x57da12b)
    #27 0x37c30e617 in WebCore::Document::dispatchWindowLoadEvent()+0x107 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4517617)
    #28 0x37c30dcb5 in WebCore::Document::implicitClose()+0x415 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4516cb5)
    #29 0x37d2f5b78 in WebCore::FrameLoader::checkCallImplicitClose()+0x1d8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x54feb78)
    #30 0x37d2f4a42 in WebCore::FrameLoader::checkCompleted()+0x3a2 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x54fda42)
    #31 0x37d2f0614 in WebCore::FrameLoader::finishedParsing()+0x1e4 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x54f9614)
    #32 0x37c33970d in WebCore::Document::finishedParsing()+0x3ad (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x454270d)
    #33 0x37cd04556 in WebCore::HTMLConstructionSite::finishedParsing()+0xc6 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4f0d556)
    #34 0x37cd883bd in WebCore::HTMLTreeBuilder::finished()+0x1d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4f913bd)
    #35 0x37cd0d1f7 in WebCore::HTMLDocumentParser::end()+0x17 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4f161f7)
    #36 0x37cd0aef8 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()+0x38 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4f13ef8)
    #37 0x37cd0ae10 in WebCore::HTMLDocumentParser::prepareToStopParsing()+0x110 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4f13e10)
    #38 0x37cd0d23f in WebCore::HTMLDocumentParser::attemptToEnd()+0x3f (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4f1623f)
    #39 0x37cd0d2dc in WebCore::HTMLDocumentParser::finish()+0x2c (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x4f162dc)
    #40 0x37d27b8da in WebCore::DocumentWriter::end()+0x20a (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x54848da)
    #41 0x37d27a1ed in WebCore::DocumentLoader::finishedLoading()+0x2fd (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x54831ed)
    #42 0x37d279b4b in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&)+0x41b (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5482b4b)
    #43 0x37d47a31f in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&)+0x17f (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x568331f)
    #44 0x37d474b36 in WebCore::CachedResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&)+0x56 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x567db36)
    #45 0x37d4766ed in WebCore::CachedRawResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&)+0x26d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x567f6ed)
    #46 0x37d3dc81f in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&)+0x64f (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x55e581f)
    #47 0x32af861c7 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&)+0x307 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2f121c7)
    #48 0x32bcedfff in auto void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...)::operator()<WebCore::NetworkLoadMetrics>(auto&&...) const+0x8f (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x3c79fff)
    #49 0x32bcedf58 in decltype(static_cast<WebKit::WebResourceLoader>(fp)(static_cast<WebCore::NetworkLoadMetrics>(fp0))) std::__1::__invoke_constexpr<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), WebCore::NetworkLoadMetrics>(WebKit::WebResourceLoader&&, WebCore::NetworkLoadMetrics&&)+0x8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x3c79f58)
    #50 0x32bcedf3b in decltype(auto) std::__1::__apply_tuple_impl<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), std::__1::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader&&, WebKit::WebResourceLoader&&, std::__1::__tuple_indices<0ul>)+0x1b (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x3c79f3b)
    #51 0x32bcedf18 in decltype(auto) std::__1::apply<void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&)::'lambda'(auto&&...), std::__1::tuple<WebCore::NetworkLoadMetrics>>(WebKit::WebResourceLoader&&, WebKit::WebResourceLoader&&)+0x8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x3c79f18)
    #52 0x32bcede1c in void IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&)+0x15c (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x3c79e1c)
    #53 0x32bce6c72 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&))+0x152 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x3c72c72)
    #54 0x32bce5e79 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&)+0x1f9 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x3c71e79)
    #55 0x32af6cf85 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x165 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x2ef8f85)
    #56 0x32be76985 in IPC::Connection::dispatchMessage(IPC::Decoder&)+0x2a5 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x3e02985)
    #57 0x32be76ec6 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder>>)+0x2e6 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x3e02ec6)
    #58 0x32be77844 in IPC::Connection::dispatchOneIncomingMessage()+0x184 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x3e03844)
    #59 0x32be91f50 in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder>>)::$_17::operator()() const+0x10 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x3e1df50)
    #60 0x32be91edc in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder>>)::$_17, void>::call()+0xc (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x3e1dedc)
    #61 0x34b48702e in WTF::Function<void ()>::operator()() const+0x3e (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x4102e)
    #62 0x34b55ed57 in WTF::RunLoop::performWork()+0x317 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x118d57)
    #63 0x34b562aaa in WTF::RunLoop::performWork(void*)+0xba (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11caaa)
    #64 0x7ff81823ceb9 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x10 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7ceb9)
    #65 0x7ff81823ce5b in __CFRunLoopDoSource0+0x9c (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7ce5b)
    #66 0x7ff81823cc34 in __CFRunLoopDoSources0+0xd8 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7cc34)
    #67 0x7ff81823b8be in __CFRunLoopRun+0x393 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7b8be)
    #68 0x7ff81823aec0 in CFRunLoopRunSpecific+0x22f (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7aec0)
    #69 0x7ff8190c7272 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7 (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x5f272)
    #70 0x7ff819149c67 in -[NSRunLoop(NSRunLoop) run]+0x4b (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0xe1c67)
    #71 0x7ff817eb37f2 in _xpc_objc_main+0x304 (/usr/lib/system/libxpc.dylib:x86_64+0x157f2)
    #72 0x7ff817eb31f6 in xpc_main+0x5f (/usr/lib/system/libxpc.dylib:x86_64+0x151f6)
    #73 0x3293c6875 in WebKit::XPCServiceMain(int, char const**)+0xf5 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x1352875)
    #74 0x32be013d8 in WKXPCServiceMain+0x8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x3d8d3d8)
    #75 0x10041aec8 in main+0x8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x100003ec8)
    #76 0x7ff817e0741e (<unknown module>)

==24409==Register values:
    rax = 0x0000000000000000  rbx = 0x0000000000000000  rcx = 0x0000100000000008  rdx = 0x0000000000000000
    rdi = 0x0000000000000040  rsi = 0x00007ff7bfae3460  rbp = 0x00007ff7bfae3310  rsp = 0x00007ff7bfae3310
    r8  = 0x0000000000000000  r9  = 0x0000000000000000  r10 = 0x00000fffffffffff  r11 = 0xffffffffffffffe0
    r12 = 0x00007ff7bfae3420  r13 = 0x00001ffef7f5c684  r14 = 0x00007ff7bfae3460  r15 = 0x0000000000000000
Attachments
Minimized test case (755 bytes, text/html), 2023-12-04 10:49 PST, Ali Juma
Radar WebKit Bug Importer
Comment 1 2023-12-04 10:49:41 PST

<rdar://problem/119142303>
Alex Christensen
Comment 2 2024-01-24 17:50:41 PST

ASSERTION FAILED: m_path
/Users/alex/code/OpenSource/Source/WebCore/rendering/svg/legacy/LegacyRenderSVGShape.h(82) : Path &WebCore::LegacyRenderSVGShape::path() const
1   0x300005e8c WTFCrash
2   0x352ba6a98 WTF::Ref<WebCore::AudioProcessingEvent, WTF::RawPtrTraits<WebCore::AudioProcessingEvent>> WTF::adoptRef<WebCore::AudioProcessingEvent, WTF::RawPtrTraits<WebCore::AudioProcessingEvent>>(WebCore::AudioProcessingEvent&)
3   0x35335c528 WebCore::LegacyRenderSVGShape::path() const
4   0x35abb61e4 WebCore::LegacyRenderSVGShape::shapeDependentFillContains(WebCore::FloatPoint const&, WebCore::WindRule) const
5   0x35ab56948 WebCore::LegacyRenderSVGRect::shapeDependentFillContains(WebCore::FloatPoint const&, WebCore::WindRule) const
6   0x35abba99c WebCore::LegacyRenderSVGShape::isPointInFill(WebCore::FloatPoint const&)
7   0x35b315218 WebCore::SVGGeometryElement::isPointInFill(WebCore::DOMPointInit&&)
8   0x34f6b68d4 WebCore::jsSVGGeometryElementPrototypeFunction_isPointInFillBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSSVGGeometryElement*)
9   0x34f6b6210 long long WebCore::IDLOperation<WebCore::JSSVGGeometryElement>::call<&WebCore::jsSVGGeometryElementPrototypeFunction_isPointInFillBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSSVGGeometryElement*), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)
10  0x34f6b5da4 WebCore::jsSVGGeometryElementPrototypeFunction_isPointInFill(JSC::JSGlobalObject*, JSC::CallFrame*)
11  0x143818044 10 ??? 0x0000000143818044 0x0 + 5427527748
12  0x143808008 11 ??? 0x0000000143808008 0x0 + 5427462152
13  0x143808068 12 ??? 0x0000000143808068 0x0 + 5427462248
14  0x143808428 13 ??? 0x0000000143808428 0x0 + 5427463208
15  0x305b73ac4 JSC::Interpreter::executeCallImpl(JSC::VM&, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
16  0x305b740cc JSC::Interpreter::executeCall(JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
17  0x306382604 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
18  0x306382af0 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
19  0x306383670 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
20  0x35394abd8 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
21  0x3539a6fc0 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)
22  0x355719d34 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener>>, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)
23  0x355718f2c WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)
24  0x357cd57d4 WebCore::LocalDOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)
25  0x357cff864 WebCore::LocalDOMWindow::dispatchLoadEvent()
26  0x355391164 WebCore::Document::dispatchWindowLoadEvent()
27  0x355390670 WebCore::Document::implicitClose()
28  0x3576bcb30 WebCore::FrameLoader::checkCallImplicitClose()
29  0x3576bb5a8 WebCore::FrameLoader::checkCompleted()
30  0x3576b5b64 WebCore::FrameLoader::finishedParsing()
31  0x3553d9af8 WebCore::Document::finishedParsing()

com.apple.WebKit.WebContent.Development terminated (pid 34715) for reason: crash
LEAK: 1 WebPageProxy
Alex Christensen
Comment 3 2024-01-24 17:53:56 PST

Null dereference of a smart pointer. Thank you for reporting. I don't think this is a security issue. Fixing on main...
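The two stacks above show the same defect from two sides: in the debug build, LegacyRenderSVGShape::path() trips "ASSERTION FAILED: m_path"; in the ASan build, where ASSERT compiles away, the null Path is handed on to Path::contains, and the first thing that touches the object, the std::variant index read inside Path::isEmpty, faults at address 0x40 on the zero page. The C++ below is an added illustration of that pattern and of the shape a null-tolerant check takes; it is not WebKit code and not the fix that landed in PR #23214 (this page does not show the diff). Path, Segment, FloatRect and SvgRectShape are stand-ins with hypothetical bodies, the std::unique_ptr for m_path is an assumption about the "smart pointer" in Comment 3, and the condition under which a rect builds a Path at all (needsPath) is invented for the demonstration.

```cpp
// Added illustration of the null-m_path pattern behind bug 265802. Not WebKit
// code; every type here is a stand-in and the "needsPath" condition is invented.
#include <cassert>
#include <cstddef>
#include <memory>
#include <utility>
#include <variant>
#include <vector>

struct FloatPoint { float x, y; };

// Hypothetical polygon segment standing in for WebCore::PathSegment.
struct Segment { std::vector<FloatPoint> points; };

// Like the WebCore::Path in the ASan stack, the fill geometry lives in a
// std::variant whose first alternative (monostate) means "empty". isEmpty()
// reads the variant's index: on a null Path* that read is the zero-page fault.
class Path {
    std::variant<std::monostate, Segment> m_data;
public:
    Path() = default;
    explicit Path(Segment s) : m_data(std::move(s)) {}
    bool isEmpty() const { return std::holds_alternative<std::monostate>(m_data); }
    // Even-odd point-in-polygon test (a real Path would honour a WindRule).
    bool contains(FloatPoint p) const {
        if (isEmpty())
            return false;
        const auto& pts = std::get<Segment>(m_data).points;
        bool inside = false;
        for (std::size_t i = 0, j = pts.size() - 1; i < pts.size(); j = i++) {
            if ((pts[i].y > p.y) != (pts[j].y > p.y)) {
                float xcross = (pts[j].x - pts[i].x) * (p.y - pts[i].y) / (pts[j].y - pts[i].y) + pts[i].x;
                if (p.x < xcross)
                    inside = !inside;
            }
        }
        return inside;
    }
};

struct FloatRect {
    float x, y, width, height;
    bool contains(FloatPoint p) const {
        return p.x >= x && p.x <= x + width && p.y >= y && p.y <= y + height;
    }
};

// Stand-in for a rect renderer that only materialises a Path when it cannot use
// a rect-only fast representation; otherwise m_path stays null. That null state
// is exactly what the unchecked accessor below does not tolerate.
class SvgRectShape {
    FloatRect m_rect;
    std::unique_ptr<Path> m_path; // assumption: null on the fast path
public:
    SvgRectShape(FloatRect r, bool needsPath) : m_rect(r) {
        if (needsPath) {
            Segment s;
            s.points = { { r.x, r.y }, { r.x + r.width, r.y },
                         { r.x + r.width, r.y + r.height }, { r.x, r.y + r.height } };
            m_path = std::make_unique<Path>(std::move(s));
        }
    }

    bool hasPath() const { return m_path != nullptr; }

    // The buggy shape of the accessor: an ASSERT is the only guard, so a debug
    // build reports "ASSERTION FAILED: m_path" while a release build dereferences
    // null and reads the variant index from the zero page. Callers must never
    // reach this with hasPath() == false.
    const Path& pathUnchecked() const { assert(m_path); return *m_path; }
    bool fillContainsUnchecked(FloatPoint p) const { return pathUnchecked().contains(p); }

    // Hardened: the null case gets a defined answer from the rect's own
    // geometry instead of undefined behaviour, and the Path is only touched
    // after the pointer has been tested.
    bool fillContainsChecked(FloatPoint p) const {
        if (!hasPath())
            return m_rect.contains(p);
        return m_path->contains(p);
    }
};
```

The practical check a reviewer applies to code like this is whether every caller of an accessor that returns `Path&` from a nullable member is reachable only on states where the member is set; an ASSERT documents the invariant but does not enforce it once the build strips it, and a script-reachable entry point such as isPointInFill is exactly where the fuzzer will find the state that violates it.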
Alex Christensen
Comment 4 2024-01-24 18:00:35 PST

Pull request: https://github.com/WebKit/WebKit/pull/23214
Said Abou-Hallawa
Comment 5 2024-01-24 18:36:52 PST

This is a regression of bug 263430.
EWS
Comment 6 2024-01-25 04:22:51 PST

Committed 273494@main (89b5637b58e3): <https://commits.webkit.org/273494@main>

Reviewed commits have been landed. Closing PR #23214 and removing active labels.