WebKit Bugzilla
Bug 286019 - Crash in WebCore::RenderFragmentedFlow::objectShouldFragmentInFlowFragment
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=286019
michaeldo
Reported
2025-01-15 12:55:48 PST
Created attachment 473911 [details]
Minimal Test Case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug. This reproduces in an ASan build of WebKitTestRunner at 288489@main.

Stack:
=================================================================
==8417==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0001540edfb1 bp 0x7ff7bdf290f0 sp 0x7ff7bdf28fc0 T0)
==8417==The signal is caused by a READ memory access.
==8417==Hint: address points to the zero page.
==8417==WARNING: failed to spawn external symbolizer (errno: 25)
==8417==WARNING: Failed to use and restart external symbolizer!
    #0 0x1540edfb1 in WebCore::RenderFragmentedFlow::objectShouldFragmentInFlowFragment(WebCore::RenderObject const*, WebCore::RenderFragmentContainer const*) const+0x131 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9da0fb1)
    #1 0x153ef09e5 in WebCore::RenderBox::positionForPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource, WebCore::RenderFragmentContainer const*)+0x1e95 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9ba39e5)
    #2 0x153eedcfd in WebCore::RenderBlock::positionForPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource, WebCore::RenderFragmentContainer const*)+0xacd (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9ba0cfd)
    #3 0x153f69980 in WebCore::RenderBlockFlow::positionForPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource, WebCore::RenderFragmentContainer const*)+0x10 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9c1c980)
    #4 0x153ef1b5f in WebCore::RenderBox::positionForPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource, WebCore::RenderFragmentContainer const*)+0x300f (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9ba4b5f)
    #5 0x153eedcfd in WebCore::RenderBlock::positionForPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource, WebCore::RenderFragmentContainer const*)+0xacd (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9ba0cfd)
    #6 0x153f69980 in WebCore::RenderBlockFlow::positionForPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource, WebCore::RenderFragmentContainer const*)+0x10 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9c1c980)
    #7 0x153ef1b5f in WebCore::RenderBox::positionForPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource, WebCore::RenderFragmentContainer const*)+0x300f (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9ba4b5f)
    #8 0x153eedcfd in WebCore::RenderBlock::positionForPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource, WebCore::RenderFragmentContainer const*)+0xacd (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9ba0cfd)
    #9 0x153f69980 in WebCore::RenderBlockFlow::positionForPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource, WebCore::RenderFragmentContainer const*)+0x10 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9c1c980)
    #10 0x153ef1b5f in WebCore::RenderBox::positionForPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource, WebCore::RenderFragmentContainer const*)+0x300f (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9ba4b5f)
    #11 0x153eedcfd in WebCore::RenderBlock::positionForPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource, WebCore::RenderFragmentContainer const*)+0xacd (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9ba0cfd)
    #12 0x153f69980 in WebCore::RenderBlockFlow::positionForPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource, WebCore::RenderFragmentContainer const*)+0x10 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9c1c980)
    #13 0x153ef1b5f in WebCore::RenderBox::positionForPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource, WebCore::RenderFragmentContainer const*)+0x300f (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9ba4b5f)
    #14 0x153eedcfd in WebCore::RenderBlock::positionForPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource, WebCore::RenderFragmentContainer const*)+0xacd (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9ba0cfd)
    #15 0x153f69980 in WebCore::RenderBlockFlow::positionForPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource, WebCore::RenderFragmentContainer const*)+0x10 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9c1c980)
    #16 0x153f69750 in WebCore::RenderBlockFlow::positionForPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource)+0xc0 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x9c1c750)
    #17 0x15096be0b in WebCore::Document::caretPositionFromPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource)+0x52b (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x661ee0b)
    #18 0x15096b3fd in WebCore::Document::caretRangeFromPoint(int, int, WebCore::HitTestSource)+0x17d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x661e3fd)
    #19 0x14b889847 in WebCore::jsDocumentPrototypeFunction_caretRangeFromPoint(JSC::JSGlobalObject*, JSC::CallFrame*)+0x3d7 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x153c847)
    #20 0x15dfc8037 (<unknown module>)
    #21 0x1124a2c10 in llint_entry+0x1f1e8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5caec10)
    #22 0x1124a3d60 in llint_entry+0x20338 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5cafd60)
    #23 0x1124838c3 in vmEntryToJavaScript+0xbb (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5c8f8c3)
    #24 0x10fa3bb94 in JSC::Interpreter::executeCall(JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0xaa4 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3247b94)
    #25 0x11038138f in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xff (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3b8d38f)
    #26 0x1103818f4 in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x124 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3b8d8f4)
    #27 0x14f553b67 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0x1467 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x5206b67)
    #28 0x150bbbc1d in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener>>, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x72d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x686ec1d)
    #29 0x150b92db6 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x336 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x6845db6)
    #30 0x15299e991 in WebCore::LocalDOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)+0x821 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x8651991)
    #31 0x1529db9b8 in WebCore::LocalDOMWindow::dispatchLoadEvent()+0xc58 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x868e9b8)
    #32 0x150998736 in WebCore::Document::dispatchWindowLoadEvent()+0x126 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x664b736)
    #33 0x1509967a6 in WebCore::Document::implicitClose()+0xab6 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x66497a6)
    #34 0x1523df4e7 in WebCore::FrameLoader::checkCallImplicitClose()+0x207 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x80924e7)
    #35 0x1523dcc38 in WebCore::FrameLoader::checkCompleted()+0x4d8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x808fc38)
    #36 0x1523d1553 in WebCore::FrameLoader::finishedParsing()+0x1d3 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x8084553)
    #37 0x1509fa8ae in WebCore::Document::finishedParsing()+0xd4e (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x66ad8ae)
    #38 0x151b23800 in WebCore::HTMLConstructionSite::finishedParsing()+0x110 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x77d6800)
    #39 0x151b3b217 in WebCore::HTMLDocumentParser::prepareToStopParsing()+0x417 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x77ee217)
    #40 0x151b40563 in WebCore::HTMLDocumentParser::finish()+0x163 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x77f3563)
    #41 0x152309980 in WebCore::DocumentWriter::end()+0x370 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7fbc980)
    #42 0x1523055fd in WebCore::DocumentLoader::finishedLoading()+0x44d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7fb85fd)
    #43 0x15230476d in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&, WebCore::LoadWillContinueInAnotherProcess)+0x54d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x7fb776d)
    #44 0x1526d7a5b in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&, WebCore::LoadWillContinueInAnotherProcess)+0x17b (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x838aa5b)
    #45 0x1526cf100 in WebCore::CachedRawResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&)+0x930 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x8382100)
    #46 0x1525f0e04 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&)+0x1654 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x82a3e04)
    #47 0x11d2f035f in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&)+0x48f (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x4d6c35f)
    #48 0x11ab82492 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, IPC::Connection, WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&))+0x142 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x25fe492)
    #49 0x11ab80a88 in WebKit::WebResourceLoader::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x1d8 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x25fca88)
    #50 0x11d2bd809 in WebKit::NetworkProcessConnection::dispatchMessage(IPC::Connection&, IPC::Decoder&)+0x609 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x4d39809)
    #51 0x119bafe51 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x3c1 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x162be51)
    #52 0x11e0dd776 in IPC::Connection::dispatchMessage(IPC::Decoder&)+0x926 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x5b59776)
    #53 0x11e0ddcf3 in IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>)+0x243 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x5b59cf3)
    #54 0x11e0de431 in IPC::Connection::dispatchOneIncomingMessage()+0x231 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x5b5a431)
    #55 0x10c90f312 in WTF::RunLoop::performWork()+0xc42 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11b312)
    #56 0x10c911efd in WTF::RunLoop::performWork(void*)+0x7d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x11defd)
    #57 0x7ff8080a3086 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x10 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7c086)
    #58 0x7ff8080a3028 in __CFRunLoopDoSource0+0x9c (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7c028)
    #59 0x7ff8080a2df3 in __CFRunLoopDoSources0+0xd6 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7bdf3)
    #60 0x7ff8080a1a70 in __CFRunLoopRun+0x396 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7aa70)
    #61 0x7ff8080a1111 in CFRunLoopRunSpecific+0x22c (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7a111)
    #62 0x7ff809052b10 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7 (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x5cb10)
    #63 0x7ff8090d590a in -[NSRunLoop(NSRunLoop) run]+0x4b (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0xdf90a)
    #64 0x7ff807cdf3f8 in _xpc_objc_main+0x25d (/usr/lib/system/libxpc.dylib:x86_64+0x163f8)
    #65 0x7ff807cebfa2 in _xpc_main+0x102 (/usr/lib/system/libxpc.dylib:x86_64+0x22fa2)
    #66 0x7ff807cdf01b in xpc_main+0x37 (/usr/lib/system/libxpc.dylib:x86_64+0x1601b)
    #67 0x11a15b382 in WebKit::XPCServiceMain(int, char const**)+0x82 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x1bd7382)
    #68 0x7ff807c3a365 in start+0x795 (/usr/lib/dyld:x86_64+0xfffffffffff5c365)

==8417==Register values:
rax = 0x0000100000000001  rbx = 0x00006120000c04c0  rcx = 0xc59efe70b46100bb  rdx = 0x0000000000000000
rdi = 0x0000000000000008  rsi = 0x0000100000000000  rbp = 0x00007ff7bdf290f0  rsp = 0x00007ff7bdf28fc0
r8 = 0x000060d000062e40  r9 = 0x0000000000000007  r10 = 0x0000000000000005  r11 = 0x0000000000000000
r12 = 0x0000614000082040  r13 = 0x0000100000000000  r14 = 0x0000000000000000  r15 = 0x00001ffef7be51fc
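A triage pass over an ASan report of the shape shown above, added here as an example (not WebKit's or the reporter's code): it parses the frames, classifies the fault address (0x8 on the zero page reads as a near-null dereference), collapses the recursive positionForPoint() cycle, and names the web-exposed API (caretRangeFromPoint) that reached the crash site. The sample report is a constructed, abridged excerpt of the stack above.

```python
"""Triage an ASan SEGV report: fault class, recursive frame cycle, web-exposed entry point (added example, not WebKit code)."""
import re
from collections import namedtuple

# Constructed sample, abridged from the report above: argument lists shortened to
# "(...)", build paths replaced by the module name, two of the five
# positionForPoint() cycles kept.
SAMPLE_REPORT = """\
==8417==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0001540edfb1 bp 0x7ff7bdf290f0 sp 0x7ff7bdf28fc0 T0)
==8417==The signal is caused by a READ memory access.
==8417==Hint: address points to the zero page.
    #0 0x1540edfb1 in WebCore::RenderFragmentedFlow::objectShouldFragmentInFlowFragment(...) const+0x131 (WebCore:x86_64+0x9da0fb1)
    #1 0x153ef09e5 in WebCore::RenderBox::positionForPoint(...)+0x1e95 (WebCore:x86_64+0x9ba39e5)
    #2 0x153eedcfd in WebCore::RenderBlock::positionForPoint(...)+0xacd (WebCore:x86_64+0x9ba0cfd)
    #3 0x153f69980 in WebCore::RenderBlockFlow::positionForPoint(...)+0x10 (WebCore:x86_64+0x9c1c980)
    #4 0x153ef1b5f in WebCore::RenderBox::positionForPoint(...)+0x300f (WebCore:x86_64+0x9ba4b5f)
    #5 0x153eedcfd in WebCore::RenderBlock::positionForPoint(...)+0xacd (WebCore:x86_64+0x9ba0cfd)
    #6 0x153f69980 in WebCore::RenderBlockFlow::positionForPoint(...)+0x10 (WebCore:x86_64+0x9c1c980)
    #7 0x153f69750 in WebCore::RenderBlockFlow::positionForPoint(...)+0xc0 (WebCore:x86_64+0x9c1c750)
    #8 0x15096be0b in WebCore::Document::caretPositionFromPoint(...)+0x52b (WebCore:x86_64+0x661ee0b)
    #9 0x15096b3fd in WebCore::Document::caretRangeFromPoint(...)+0x17d (WebCore:x86_64+0x661e3fd)
    #10 0x14b889847 in WebCore::jsDocumentPrototypeFunction_caretRangeFromPoint(...)+0x3d7 (WebCore:x86_64+0x153c847)
    #11 0x15dfc8037 (<unknown module>)
"""

Frame = namedtuple("Frame", "index pc name module")
# ASan frame: "#N 0x<pc> in <symbol> (<module>)"; unsymbolized frames have no "in <symbol>".
FRAME_RE = re.compile(r"#(\d+) 0x([0-9a-f]+)(?: in (.*?))? \(([^()]+)\)$")
# WebKit's generated JS bindings are named js<Interface>PrototypeFunction_<operation>.
ENTRY_RE = re.compile(r"::js\w+PrototypeFunction_(\w+)")


def parse_frames(text):
    """Return the stack as Frames; name is the qualified function without args/offset."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.search(line.strip())
        if m:
            name = m[3].split("(", 1)[0] if m[3] else None
            frames.append(Frame(int(m[1]), int(m[2], 16), name, m[4]))
    return frames

def classify_fault(text):
    m = re.search(r"SEGV on unknown address 0x([0-9a-f]+)", text)
    address = int(m[1], 16) if m else -1
    # A fault in the first page is almost always null + field offset: a missing
    # object (here offset 0x8), not a corrupted or attacker-controlled pointer.
    if 0 <= address < 0x1000:
        return f"near-null dereference at offset 0x{address:x}"
    return "wild pointer dereference" if address >= 0 else "no SEGV header found"

def collapse_recursion(names):
    """Longest repeated run of frame names as (start, period, repeats), else None."""
    n, best = len(names), None
    for start in range(n):
        for period in range(1, (n - start) // 2 + 1):
            run = 0  # positions whose name equals the one `period` frames deeper
            while start + run + period < n and names[start + run] == names[start + run + period]:
                run += 1
            repeats = run // period + 1
            if repeats >= 2 and (best is None or period * repeats > best[1] * best[2]):
                best = (start, period, repeats)
    return best

def web_entry_point(frames):
    """Operation name of the first JS-binding frame: the web API that reached the crash."""
    for frame in frames:
        m = ENTRY_RE.search(frame.name or "")
        if m:
            return m[1]
    return None

def triage(text):
    frames = parse_frames(text)
    names = [frame.name for frame in frames]
    return {"fault": classify_fault(text),
            "crash_site": names[0] if names else None,
            "recursion": collapse_recursion(names),
            "entry_point": web_entry_point(frames)}
```

On the full report above the same cycle detector reports five repeats of the three-frame RenderBox/RenderBlock/RenderBlockFlow cycle starting at frame #1.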
Attachments
Minimal Test Case (11.57 KB, text/html), 2025-01-15 12:55 PST, michaeldo, no flags
Patch (4.70 KB, patch), 2025-01-23 07:15 PST, zalan, no flags
Patch (4.72 KB, patch), 2025-01-23 18:04 PST, zalan, no flags
[fast-cq]Patch (4.72 KB, patch), 2025-01-23 21:03 PST, zalan, no flags
Radar WebKit Bug Importer
Comment 1
2025-01-15 12:56:05 PST
<rdar://problem/142992656>
Claudio Saavedra
Comment 2
2025-01-22 07:27:51 PST
Here is a more reduced and readable test case:

<style>
.class1 { visibility: hidden; }
.class2 { columns: 2; }
</style>
<script>
function jsfuzzer() {
  target.appendChild(document.createElement("div"));
  document.caretPositionFromPoint(0, 0);
}
</script>
<body onload=jsfuzzer()>
<details>
<summary class="class1">the summary</summary>
<div id="target" class="class2">foo</div>
</details>
</body>
Claudio Saavedra
Comment 3
2025-01-22 07:31:49 PST
This bug is a regression that started happening after https://commits.webkit.org/286869@main. It is not reproducible with Safari 18.2 on Mac or any currently released WebKitGTK version.
Claudio Saavedra
Comment 4
2025-01-22 08:20:17 PST
In Debug builds, we first hit an assertion that stems from the hit test needed for caretPositionFromPoint(). The assertion, in WebCore::RenderFragmentedFlow::collectLayerFragments(), is a result of fragments having been invalidated prior to the hit test:

ASSERT(!m_fragmentsInvalidated);

Checking when the fragments are invalidated, that happens earlier, during an insertion to a multicolumn flow (since "target" has a multicolumn style):

#2 0x00007fdea8249082 in WebCore::RenderFragmentedFlow::invalidateFragments(WebCore::MarkingBehavior) (this=0x7fde05006f10, markingParents=WebCore::MarkContainingBlockChain) at /app/webkit/Source/WebCore/rendering/RenderFragmentedFlow.cpp:94
#3 0x00007fdea85cd5cd in WebCore::RenderTreeBuilder::MultiColumn::processPossibleSpannerDescendant(WebCore::RenderMultiColumnFlow&, WebCore::RenderObject*&, WebCore::RenderObject&) (this=0x7fde7d2ed3e0, flow=..., subtreeRoot=@0x7ffdf3c9bbd8: 0x7fde050068c0, descendant=...) at /app/webkit/Source/WebCore/rendering/updating/RenderTreeBuilderMultiColumn.cpp:433
#4 0x00007fdea85cc438 in WebCore::RenderTreeBuilder::MultiColumn::multiColumnDescendantInserted(WebCore::RenderMultiColumnFlow&, WebCore::RenderObject&) (this=0x7fde7d2ed3e0, flow=..., newDescendant=...) at /app/webkit/Source/WebCore/rendering/updating/RenderTreeBuilderMultiColumn.cpp:239

During the insertion, a new column set is created, and after that fragments are marked as invalid (RenderTreeBuilderMultiColumn.cpp:433).

Now back to the hit test. The hit test at one of the layers needs to collect layer fragments, so it calls collectFragments(), which in turn calls collectLayerFragments() for the enclosing fragmented flow. But this method expects fragments to have been validated, and they are not, hence the assertion. The crash in Release seems to also be a consequence of this.

I did a quick test by just forcing a call to ::validateFragments() in ::collectLayerFragments(), and with that the hit test is performed successfully and there's no crash. Obviously this is not a solution. FWIW, I tried to print out the layer tree before the hit test is performed, but calling showLayerTree() from RenderLayer::hitTest() exhibits the same problem: while the tree is traversed we end up at a point where fragments need to be collected, but they are invalid, so we hit the same assertion. So I suspect at some point after the insertion that causes them to become invalidated, a validation needs to happen? I need to investigate that further, but I think this is the direction to go to solve this.
Claudio Saavedra
Comment 5
2025-01-22 08:24:58 PST
btw, it would be interesting to confirm whether https://commits.webkit.org/286869@main is in any released product; in case it's not, maybe this doesn't need to be treated as a security bug and can be fixed directly in main.
zalan
Comment 6
2025-01-23 07:15:42 PST
Created attachment 473989 [details]
Patch
zalan
Comment 7
2025-01-23 07:26:33 PST
oh, I didn't notice you've been working on this. :( Sorry about it. Now I wonder if you've come to the same conclusion.
Claudio Saavedra
Comment 8
2025-01-23 07:36:31 PST
No worries, you were faster anyway. I think it makes sense, from what I gathered so far, fragments are not validated because it's skipped content, but I'll defer to an actual reviewer. Feel free to use the reduced case I pasted above since it's a bit simpler.
zalan
Comment 9
2025-01-23 07:37:42 PST
thank you. I appreciate it!
zalan
Comment 10
2025-01-23 18:04:17 PST
Created attachment 473993 [details]
Patch
zalan
Comment 11
2025-01-23 21:03:15 PST
Created attachment 473995 [details]
[fast-cq]Patch
EWS
Comment 12
2025-01-24 05:18:55 PST
Committed 289341@main (051d303f45e1): <https://commits.webkit.org/289341@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 473995 [details].