Bug 286018 (RESOLVED FIXED)
Crash in WebCore::Internals::compositingPolicyOverride
https://bugs.webkit.org/show_bug.cgi?id=286018
michaeldo
Reported 2025-01-15 12:50:57 PST
Created attachment 473910 [details]
Minimal Test Case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

This reproduces in an ASan build of WebKitTestRunner at 288489@main.

Stack:
```
=================================================================
==12328==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000116f7d3c8 bp 0x7ff7bd5b12d0 sp 0x7ff7bd5b12d0 T0)
==12328==The signal is caused by a READ memory access.
==12328==Hint: address points to the zero page.
==12328==WARNING: failed to spawn external symbolizer (errno: 25)
==12328==WARNING: failed to spawn external symbolizer (errno: 25)
==12328==WARNING: failed to spawn external symbolizer (errno: 25)
==12328==WARNING: failed to spawn external symbolizer (errno: 25)
==12328==WARNING: failed to spawn external symbolizer (errno: 25)
==12328==WARNING: Failed to use and restart external symbolizer!
    #0 0x116f7d3c8 in WebCore::Internals::compositingPolicyOverride() const+0xb8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/libWebCoreTestSupport.dylib:x86_64+0x453c8)
    #1 0x117121ac9 in WebCore::jsInternals_compositingPolicyOverride(JSC::JSGlobalObject*, long long, JSC::PropertyName)+0x1c9 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/libWebCoreTestSupport.dylib:x86_64+0x1e9ac9)
    #2 0x111964805 in JSC::PropertySlot::customGetter(JSC::VM&, JSC::PropertyName) const+0x265 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x4770805)
    #3 0x11083ad39 in operationGetByValGaveUp+0x6fd9 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3646d39)
    #4 0x15e9f4063 (<unknown module>)
    #5 0x15ea03e20 (<unknown module>)
    #6 0x112ea3d60 in llint_entry+0x20338 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5cafd60)
    #7 0x112ea2c10 in llint_entry+0x1f1e8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5caec10)
    #8 0x112ea2c10 in llint_entry+0x1f1e8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5caec10)
    #9 0x112e838c3 in vmEntryToJavaScript+0xbb (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5c8f8c3)
    #10 0x110422514 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)+0x1224 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x322e514)
    #11 0x110e71b95 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)+0x405 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3c7db95)
    #12 0x110e71f97 in JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)+0x107 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3c7df97)
    #13 0x14ffd94fd in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)+0xa2d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x528c4fd)
    #14 0x14ffda19a in WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&)+0xaa (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x528d19a)
    #15 0x1517a1065 in WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&)+0x1095 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x6a54065)
    #16 0x1517960ab in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&)+0x1eeb (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x6a490ab)
    #17 0x1525c4866 in WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&)+0x1a6 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7877866)
    #18 0x1525c4556 in WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement, WTF::RawPtrTraits<WebCore::ScriptElement>, WTF::DefaultRefDerefTraits<WebCore::ScriptElement>>&&, WTF::TextPosition const&)+0x96 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7877556)
    #19 0x15253d608 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder()+0x7b8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x77f0608)
    #20 0x15253e0c8 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&)+0x6a8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x77f10c8)
    #21 0x15253bd26 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)+0x1d6 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x77eed26)
    #22 0x15253fb7b in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl>>&&, WebCore::HTMLDocumentParser::SynchronousMode)+0x99b (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x77f2b7b)
    #23 0x15131bc96 in WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, std::__1::span<unsigned char const, 18446744073709551615ul>)+0x186 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x65cec96)
    #24 0x152d2aae1 in WebCore::DocumentWriter::addData(WebCore::SharedBuffer const&)+0xf1 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7fddae1)
    #25 0x152d071a2 in WebCore::DocumentLoader::commitData(WebCore::SharedBuffer const&)+0x7c2 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7fba1a2)
    #26 0x11df5ff71 in WebKit::WebLocalFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, WebCore::SharedBuffer const&)+0xd1 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x4fdbf71)
    #27 0x152d24940 in WebCore::DocumentLoader::commitLoad(WebCore::SharedBuffer const&)+0x2c0 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7fd7940)
    #28 0x1530ce391 in WebCore::CachedRawResource::notifyClientsDataWasReceived(WebCore::SharedBuffer const&)+0x121 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x8381391)
    #29 0x1530cdab4 in WebCore::CachedRawResource::updateBuffer(WebCore::FragmentedSharedBuffer const&)+0x354 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x8380ab4)
    #30 0x152ffba3e in WebCore::SubresourceLoader::didReceiveBuffer(WebCore::FragmentedSharedBuffer const&, long long, WebCore::DataPayloadType)+0x27e (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x82aea3e)
    #31 0x11dcef320 in WebKit::WebResourceLoader::didReceiveData(IPC::SharedBufferReference&&, unsigned long long)+0x580 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x4d6b320)
    #32 0x11b580ca3 in WebKit::WebResourceLoader::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x3f3 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x25fcca3)
    #33 0x11dcbd809 in WebKit::NetworkProcessConnection::dispatchMessage(IPC::Connection&, IPC::Decoder&)+0x609 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x4d39809)
    #34 0x11a5afe51 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x3c1 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x162be51)
    #35 0x11eadd776 in IPC::Connection::dispatchMessage(IPC::Decoder&)+0x926 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x5b59776)
    #36 0x11eaddcf3 in IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>)+0x243 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x5b59cf3)
    #37 0x11eade431 in IPC::Connection::dispatchOneIncomingMessage()+0x231 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x5b5a431)
    #38 0x10d30f312 in WTF::RunLoop::performWork()+0xc42 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11b312)
    #39 0x10d311efd in WTF::RunLoop::performWork(void*)+0x7d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11defd)
    #40 0x7ff800d03086 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x10 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7c086)
    #41 0x7ff800d03028 in __CFRunLoopDoSource0+0x9c (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7c028)
    #42 0x7ff800d02df3 in __CFRunLoopDoSources0+0xd6 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7bdf3)
    #43 0x7ff800d01a70 in __CFRunLoopRun+0x396 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7aa70)
    #44 0x7ff800d01111 in CFRunLoopRunSpecific+0x22c (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7a111)
    #45 0x7ff801cb2b10 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7 (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x5cb10)
    #46 0x7ff801d3590a in -[NSRunLoop(NSRunLoop) run]+0x4b (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0xdf90a)
    #47 0x7ff80093f3f8 in _xpc_objc_main+0x25d (/usr/lib/system/libxpc.dylib:x86_64+0x163f8)
    #48 0x7ff80094bfa2 in _xpc_main+0x102 (/usr/lib/system/libxpc.dylib:x86_64+0x22fa2)
    #49 0x7ff80093f01b in xpc_main+0x37 (/usr/lib/system/libxpc.dylib:x86_64+0x1601b)
    #50 0x11ab5b382 in WebKit::XPCServiceMain(int, char const**)+0x82 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x1bd7382)
    #51 0x7ff80089a365 in start+0x795 (/usr/lib/dyld:x86_64+0xfffffffffff5c365)

==12328==Register values:
rax = 0x0000000000000008  rbx = 0x000060f000070d80  rcx = 0x0000100000000001  rdx = 0x0000100000000000
rdi = 0x00007ff7bd5b1370  rsi = 0x0000000000000000  rbp = 0x00007ff7bd5b12d0  rsp = 0x00007ff7bd5b12d0
r8  = 0x0000000000000000  r9  = 0x00007ff7bd5b19a0  r10 = 0x000060f000070d68  r11 = 0x000060f000070d68
r12 = 0x00007ff7bd5b1370  r13 = 0x00001c4000001828  r14 = 0x00001ffef7ab6260  r15 = 0x00001ffef7ab626a
```
Attachments
Minimal Test Case (11.35 KB, text/html)
2025-01-15 12:50 PST, michaeldo
no flags
Radar WebKit Bug Importer
Comment 1 2025-01-15 12:53:07 PST
Darin Adler
Comment 2 2025-01-16 19:37:55 PST
I believe that this crash or security bug won’t affect production versions of WebKit or Safari since the issue is in the internals object which is not included.
Frédéric Wang (:fredw)
Comment 3 2025-01-17 08:06:33 PST
Reduced testcase:
```
<iframe id="iframe"></iframe>
<script>
// Grab the iframe's window before the iframe is detached.
var win = window.frames[0];
// Adopting the iframe element detaches its content document from its frame.
document.adoptNode(iframe);
// The detached document's internals getter is reached through the saved window.
win.internals.compositingPolicyOverride;
</script>
```
This is crashing in Internals::compositingPolicyOverride() because document->page() is null (i.e. the document's m_frame is null after the adoptNode call), so we just need to do a null check. Checking Internals.cpp, that's what we do in most cases, but there are some places like here where we don't. I'll review these places and upload a patch next Monday.
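The following is an added illustration, not code from WebKit or from anyone in this thread, of the failure mode described above: a getter reads through `document->page()` without checking for null, and a document detached by `adoptNode` returns null there. The `Page`, `Frame` and `Document` structs and the `getOverrideUnchecked`, `getOverrideChecked` and `adoptNodeDetaches` functions are hypothetical stand-ins for the real WebKit types and for the missing null check; the model keeps only the frame/page back-pointers the crash depends on.

```cpp
// Added illustration, not WebKit code. All type and function names below are
// hypothetical stand-ins chosen to mirror the bug's description.
#include <cassert>
#include <optional>

struct Page {
    int compositingPolicyOverride = 0;
};

struct Frame {
    Page* page = nullptr;
};

// Like a DOM document, this holds a raw back-pointer to its frame. When the
// document is detached from its frame, m_frame becomes null and page()
// returns null, but script can still hold a reference to the document.
struct Document {
    Frame* m_frame = nullptr;
    Page* page() const { return m_frame ? m_frame->page : nullptr; }
};

// "Before": a testing-only getter that assumes the document is still attached.
// On a detached document, page() is null and this reads through a null
// pointer at a small offset, which is what the ASan report's "SEGV on unknown
// address 0x000000000008 ... address points to the zero page" looks like.
int getOverrideUnchecked(const Document& document)
{
    return document.page()->compositingPolicyOverride;
}

// "After": the null check the discussion asks for. std::nullopt stands in for
// raising an exception back to script instead of crashing the process.
std::optional<int> getOverrideChecked(const Document& document)
{
    Page* page = document.page();
    if (!page)
        return std::nullopt;
    return page->compositingPolicyOverride;
}

// Models what document.adoptNode(iframe) does to the iframe's content
// document: the frame is torn down and the document loses its page.
void adoptNodeDetaches(Document& contentDocument)
{
    contentDocument.m_frame = nullptr;
}

// Walks the reduced test case: read the override while attached, detach, then
// read again through the checked getter. Returns true when both getters agree
// while attached and the checked getter rejects the detached document instead
// of dereferencing null.
bool reproducesAndIsFixedByNullCheck(int expectedValue)
{
    Page page;
    page.compositingPolicyOverride = expectedValue;
    Frame frame;
    frame.page = &page;
    Document document;
    document.m_frame = &frame;

    // While attached, the unchecked and checked getters agree.
    if (getOverrideUnchecked(document) != expectedValue)
        return false;
    if (getOverrideChecked(document) != std::optional<int>(expectedValue))
        return false;

    // win.internals.compositingPolicyOverride after document.adoptNode(iframe):
    // only the checked getter is safe to call on the detached document.
    adoptNodeDetaches(document);
    assert(document.page() == nullptr);
    return !getOverrideChecked(document).has_value();
}

int main()
{
    return reproducesAndIsFixedByNullCheck(2) ? 0 : 1;
}
```

The unchecked getter is deliberately never called on the detached document in `reproducesAndIsFixedByNullCheck`; doing so is the null dereference the bug reports, and in a model this small it is simply undefined behaviour rather than a reliably reproducible crash. The point the model makes is the one Darin Adler raises in the thread: the only state reachable through the null pointer is a read at a fixed small offset, so the fix is a null check, not a security patch.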
Darin Adler
Comment 4 2025-01-17 11:44:51 PST
I agree that it’s high priority to fix these crashes that get in the way of fuzzing. But there’s nothing security sensitive about this missing null check that I can see; I don’t think we need to treat this as a security bug and fix it on the security branch.
Frédéric Wang (:fredw)
Comment 5 2025-01-20 01:52:04 PST
(In reply to Darin Adler from comment #4)
> I agree that it’s high priority to fix these crashes that get in the way of
> fuzzing. But there’s nothing security sensitive about this missing null
> check that I can see; I don’t think we need to treat this as a security bug
> and fix it on the security branch.

That makes sense. I opened bug 286252 and submitted https://github.com/WebKit/WebKit/pull/39285 to handle this particular case and many other similar issues. This first patch is probably not exhaustive, but should hopefully cover cases detectable by fuzzers. Trying on Linux GTK debug/release with this patch, attachment 473910 [details] completes without failure.
Ryosuke Niwa
Comment 6 2025-01-21 15:48:15 PST
Changing the categorization.
Frédéric Wang (:fredw)
Comment 7 2025-01-23 12:43:28 PST
Fixed by bug 286252.