283584 – RenderBox::computeIntrinsicLogicalWidths should not call RenderBox's computePreferredLogicalWidths

RESOLVED FIXED 283584

RenderBox::computeIntrinsicLogicalWidths should not call RenderBox's computePreferredLogicalWidths

https://bugs.webkit.org/show_bug.cgi?id=283584

Summary RenderBox::computeIntrinsicLogicalWidths should not call RenderBox's computeP...

Ali Juma

Reported 2024-11-22 11:25:55 PST

Created attachment 473343 [details] Minimized test case Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug. This reproduces in an ASan build of WebKitTestRunner at 286930@main Stack: ================================================================= ==44550==ERROR: AddressSanitizer: stack-overflow on address 0x7ff7b31fdfe0 (pc 0x0006f57e5385 bp 0x7ff7b31fe030 sp 0x7ff7b31fdf40 T0) ==44550==WARNING: failed to spawn external symbolizer (errno: 25) ==44550==WARNING: failed to spawn external symbolizer (errno: 25) ==44550==WARNING: failed to spawn external symbolizer (errno: 25) ==44550==WARNING: failed to spawn external symbolizer (errno: 25) ==44550==WARNING: failed to spawn external symbolizer (errno: 25) ==44550==WARNING: Failed to use and restart external symbolizer! #0 0x6f57e5385 in WebCore::RenderBox::shouldComputePreferredLogicalWidthsFromStyle() const+0x25 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9974385) #1 0x6f570be09 in WebCore::RenderBox::computePreferredLogicalWidths(WebCore::Length const&, WebCore::Length const&, WebCore::LayoutUnit)+0xe9 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x989ae09) #2 0x6f57e624f in WebCore::RenderBox::computePreferredLogicalWidths()+0x1df (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x997524f) #3 0x6f579f6e9 in WebCore::RenderBox::minPreferredLogicalWidth() const+0x59 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x992e6e9) #4 0x6f579f2f8 in WebCore::RenderBox::computeIntrinsicLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const+0x58 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x992e2f8) #5 0x6f57cb9af in WebCore::RenderBox::computeIntrinsicLogicalWidthUsing(WebCore::Length, WebCore::LayoutUnit, WebCore::LayoutUnit) const+0x3df (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x995a9af) #6 0x6f570c0b0 in WebCore::RenderBox::computePreferredLogicalWidths(WebCore::Length const&, WebCore::Length const&, WebCore::LayoutUnit)+0x390 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x989b0b0) #7 0x6f57e624f in WebCore::RenderBox::computePreferredLogicalWidths()+0x1df (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x997524f) #8 0x6f579f6e9 in WebCore::RenderBox::minPreferredLogicalWidth() const+0x59 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x992e6e9) #9 0x6f579f2f8 in WebCore::RenderBox::computeIntrinsicLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const+0x58 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x992e2f8) #10 0x6f57cb9af in WebCore::RenderBox::computeIntrinsicLogicalWidthUsing(WebCore::Length, WebCore::LayoutUnit, WebCore::LayoutUnit) const+0x3df (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x995a9af) #11 0x6f570c0b0 in WebCore::RenderBox::computePreferredLogicalWidths(WebCore::Length const&, WebCore::Length const&, WebCore::LayoutUnit)+0x390 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x989b0b0) #12 0x6f57e624f in WebCore::RenderBox::computePreferredLogicalWidths()+0x1df (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x997524f) #13 0x6f579f6e9 in WebCore::RenderBox::minPreferredLogicalWidth() const+0x59 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x992e6e9) #14 0x6f579f2f8 in WebCore::RenderBox::computeIntrinsicLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const+0x58 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x992e2f8) #15 0x6f57cb9af in WebCore::RenderBox::computeIntrinsicLogicalWidthUsing(WebCore::Length, WebCore::LayoutUnit, WebCore::LayoutUnit) const+0x3df (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x995a9af) #16 0x6f570c0b0 in WebCore::RenderBox::computePreferredLogicalWidths(WebCore::Length const&, WebCore::Length const&, WebCore::LayoutUnit)+0x390 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x989b0b0) #17 0x6f57e624f in WebCore::RenderBox::computePreferredLogicalWidths()+0x1df (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x997524f) #18 0x6f579f6e9 in WebCore::RenderBox::minPreferredLogicalWidth() const+0x59 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x992e6e9) ...... #239 0x72c601ff8 in WebCore::RenderBox::computeIntrinsicLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const+0x58 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x97b4ff8) #240 0x72c62ea6f in WebCore::RenderBox::computeIntrinsicLogicalWidthUsing(WebCore::Length, WebCore::LayoutUnit, WebCore::LayoutUnit) const+0x3df (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x97e1a6f) #241 0x72c571b30 in WebCore::RenderBox::computePreferredLogicalWidths(WebCore::Length const&, WebCore::Length const&, WebCore::LayoutUnit)+0x390 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9724b30) #242 0x72c64855f in WebCore::RenderBox::computePreferredLogicalWidths()+0x1df (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x97fb55f) #243 0x72c6023e9 in WebCore::RenderBox::minPreferredLogicalWidth() const+0x59 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x97b53e9) #244 0x72c601ff8 in WebCore::RenderBox::computeIntrinsicLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const+0x58 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x97b4ff8) #245 0x72c62ea6f in WebCore::RenderBox::computeIntrinsicLogicalWidthUsing(WebCore::Length, WebCore::LayoutUnit, WebCore::LayoutUnit) const+0x3df (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x97e1a6f) #246 0x72c571b30 in WebCore::RenderBox::computePreferredLogicalWidths(WebCore::Length const&, WebCore::Length const&, WebCore::LayoutUnit)+0x390 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9724b30) #247 0x72c64855f in WebCore::RenderBox::computePreferredLogicalWidths()+0x1df (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x97fb55f) #248 0x72c6023e9 in WebCore::RenderBox::minPreferredLogicalWidth() const+0x59 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x97b53e9) #249 0x72c601ff8 in WebCore::RenderBox::computeIntrinsicLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const+0x58 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x97b4ff8) #250 0x72c62ea6f in WebCore::RenderBox::computeIntrinsicLogicalWidthUsing(WebCore::Length, WebCore::LayoutUnit, WebCore::LayoutUnit) const+0x3df (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x97e1a6f) #251 0x72c571b30 in WebCore::RenderBox::computePreferredLogicalWidths(WebCore::Length const&, WebCore::Length const&, WebCore::LayoutUnit)+0x390 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9724b30) #252 0x72c64855f in WebCore::RenderBox::computePreferredLogicalWidths()+0x1df (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x97fb55f) #253 0x72c6023e9 in WebCore::RenderBox::minPreferredLogicalWidth() const+0x59 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x97b53e9) #254 0x72c601ff8 in WebCore::RenderBox::computeIntrinsicLogicalWidths(WebCore::LayoutUnit&, WebCore::LayoutUnit&) const+0x58 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x97b4ff8)

Attachments
Minimized test case (2.99 KB, text/html) 2024-11-22 11:25 PST, Ali Juma	no flags	Details
Test reduction (199 bytes, text/html) 2024-11-23 09:28 PST, zalan	no flags	Details
Patch (9.62 KB, patch) 2024-11-23 20:53 PST, zalan	no flags	Details Formatted Diff Diff
[fast-cq]Patch (9.80 KB, patch) 2024-11-24 08:26 PST, zalan	ews-feeder: commit-queue-	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2024-11-22 11:29:20 PST

<rdar://problem/140431613>

zalan

Comment 2 2024-11-23 09:28:04 PST

Created attachment 473358 [details] Test reduction

zalan

Comment 3 2024-11-23 20:53:11 PST

Created attachment 473359 [details] Patch

zalan

Comment 4 2024-11-24 08:26:25 PST

Created attachment 473360 [details] [fast-cq]Patch

EWS

Comment 5 2024-11-24 10:20:49 PST

Committed 287035@main (1a957321ca5f): <https://commits.webkit.org/287035@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 473360 [details].

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Layout and Rendering

Assignee

zalan

Reported

2024-11-22 11:25 PST

Modified

2024-11-24 10:32 PST History

CC List

10 users Show

URL

Keywords InRadar

Depends on

Blocks