RESOLVED FIXED 271849
nullptr crash in moveOutOfAllShadowRoots
https://bugs.webkit.org/show_bug.cgi?id=271849
Summary: nullptr crash in moveOutOfAllShadowRoots
Ryosuke Niwa
Reported 2024-03-28 14:52:22 PDT
e.g.

Thread[0] EXC_BAD_ACCESS (SIGSEGV) (0x0000000000000001, 0x000000000000001d)

[ 0] 0x00000001a8a8dba0 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 36 at EventPath.cpp:294:5
   290
   291 static Node* moveOutOfAllShadowRoots(Node& startingNode)
   292 {
   293     Node* node = &startingNode;
-> 294     while (node->isInShadowTree())
   295         node = downcast<ShadowRoot>(node->treeScope().rootNode()).host();
   296     return node;
   297 }
   298

   0x00000001a8a8db90: cbz    x8, 0x16d9b9c        ; <+1992> [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 32 at WeakPtr.h
   0x00000001a8a8db94: ldr    x9, [x8, #0x8]
   0x00000001a8a8db98: b      0x16d9ba0            ; <+1996> [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 36 at EventPath.cpp:294:5
   0x00000001a8a8db9c: mov    x9, #0x0
-> 0x00000001a8a8dba0: ldrb   w8, [x9, #0x1d]
   0x00000001a8a8dba4: tbnz   w8, #0x3, 0x16d9b84  ; <+1968> [inlined] WebCore::Node::treeScope() const at Node.h:388:17
   0x00000001a8a8dba8: ldr    w8, [x9, #0x18]
   0x00000001a8a8dbac: add    w8, w8, #0x2
   0x00000001a8a8dbb0: str    w8, [x9, #0x18]

[ 0] 0x00000001a8a8db7c WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) + 36 at EventPath.cpp:316:35
   312         return;
   313     }
   314     if (relatedNode.isConnected() != target.isConnected()) {
   315         m_hasDifferentTreeRoot = true;
-> 316         m_retargetedRelatedNode = moveOutOfAllShadowRoots(relatedNode);
   317         return;
   318     }
   319
   320     collectTreeScopes();

[ 0] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) at EventPath.cpp:302:1
   298
   299 RelatedNodeRetargeter::RelatedNodeRetargeter(Node& relatedNode, Node& target)
   300     : m_relatedNode(relatedNode)
   301     , m_retargetedRelatedNode(&relatedNode)
-> 302 {
   303     auto& targetTreeScope = target.treeScope();
   304     TreeScope* currentTreeScope = &m_relatedNode->treeScope();
   305     if (LIKELY(currentTreeScope == &targetTreeScope && target.isConnected() && m_relatedNode->isConnected()))
   306         return;

[ 0] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) + 1924 at EventPath.cpp:148:27
   144 }
   145
   146 void EventPath::setRelatedTarget(Node& origin, Node& relatedNode)
   147 {
-> 148     RelatedNodeRetargeter retargeter(relatedNode, *m_path[0].node());
   149
   150     bool originIsRelatedTarget = &origin == &relatedNode;
   151     Node& rootNodeInOriginTreeScope = origin.treeScope().rootNode();
   152     TreeScope* previousTreeScope = nullptr;

[ 1] 0x00000001a8a8db9f WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 35 at WeakPtr.h:0:56
[ 1] 0x00000001a8a8db7c WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) + 36 at EventPath.cpp:316:35
[ 1] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) at EventPath.cpp:302:1
[ 1] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) + 1924 at EventPath.cpp:148:27

[ 2] 0x00000001a8a8db9f WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 35 at WeakPtr.h:0:56
[ 2] 0x00000001a8a8db7c WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) + 36 at EventPath.cpp:316:35
[ 2] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) at EventPath.cpp:302:1
[ 2] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) + 1924 at EventPath.cpp:148:27

[ 3] 0x00000001a8a8db9f WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 35 at WeakPtr.h:0:56
[ 3] 0x00000001a8a8db7c WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) + 36 at EventPath.cpp:316:35
[ 3] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) at EventPath.cpp:302:1
[ 3] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) + 1924 at EventPath.cpp:148:27
Attachments
Ryosuke Niwa
Comment 1 2024-03-28 14:59:26 PDT
Ryosuke Niwa
Comment 2 2024-03-28 14:59:54 PDT
EWS
Comment 3 2024-03-28 17:17:51 PDT
Committed 276815@main (26bc2e2bb52f): <https://commits.webkit.org/276815@main> Reviewed commits have been landed. Closing PR #26576 and removing active labels.