WebKit Bugzilla
RESOLVED FIXED
300838
[WebKit][Main+SU] [5188345e949abb3d] ASAN_TRAP | LayoutIntegration::LineLayout::hitTest; WebCore::RenderBlock::hitTestContents; WebCore::RenderBlock::hitTestChildren
https://bugs.webkit.org/show_bug.cgi?id=300838
Kristian Monsen
Reported
2025-10-15 15:10:35 PDT
<rdar://160119099>

This can be landed in main.

Reproduced on: WebKit main @ 299458@main

Reproduction Command: DYLD_FRAMEWORK_PATH=$PWD DYLD_LIBRARY_PATH=$PWD __XPC_DYLD_FRAMEWORK_PATH=$PWD __XPC_DYLD_LIBRARY_PATH=$PWD ASAN_OPTIONS=handle_segv=2,handle_sigbus=2,handle_sigill=2,handle_abort=2,handle_sigtrap=2,allocator_may_return_null=1 __XPC_ASAN_OPTIONS=handle_segv=2,handle_sigbus=2,handle_sigill=2,handle_abort=2,handle_sigtrap=2,allocator_may_return_null=1 ./WebKitTestRunner --no-enable-all-experimental-feature --no-timeout fuzz-9.html fuzz-9.html

=================================================================
==86290==ERROR: AddressSanitizer: TRAP on unknown address 0x00013f136d4c (pc 0x00013f136d4c bp 0x00016b9ce270 sp 0x00016b9ce250 T0)
    #0 0x00013f136d4c in WTFCrashWithInfo(int, char const*, char const*, int)+0x24 (WebCore:arm64e+0x2d4c)
    #1 0x0001453ef72c in WebCore::LayoutIntegration::LineLayout::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::HitTestLocation const&, WebCore::LayoutPoint const&, WebCore::HitTestAction, WebCore::RenderInline const*)+0x1230 (WebCore:arm64e+0x62bb72c)
    #2 0x0001467361cc in WebCore::RenderBlock::hitTestContents(WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::HitTestLocation const&, WebCore::LayoutPoint const&, WebCore::HitTestAction)+0x400 (WebCore:arm64e+0x76021cc)
    #3 0x000146733570 in WebCore::RenderBlock::hitTestChildren(WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::HitTestLocation const&, WebCore::LayoutPoint const&, WebCore::HitTestAction)+0x190 (WebCore:arm64e+0x75ff570)
    #4 0x000146733e44 in WebCore::RenderBlock::nodeAtPoint(WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::HitTestLocation const&, WebCore::LayoutPoint const&, WebCore::HitTestAction)+0x498 (WebCore:arm64e+0x75ffe44)
    #5 0x000146736038 in WebCore::RenderBlock::hitTestContents(WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::HitTestLocation const&, WebCore::LayoutPoint const&, WebCore::HitTestAction)+0x26c (WebCore:arm64e+0x7602038)
    #6 0x000146733570 in WebCore::RenderBlock::hitTestChildren(WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::HitTestLocation const&, WebCore::LayoutPoint const&, WebCore::HitTestAction)+0x190 (WebCore:arm64e+0x75ff570)
    #7 0x000146733e44 in WebCore::RenderBlock::nodeAtPoint(WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::HitTestLocation const&, WebCore::LayoutPoint const&, WebCore::HitTestAction)+0x498 (WebCore:arm64e+0x75ffe44)
    #8 0x000146a9f204 in WebCore::RenderObject::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::HitTestLocation const&, WebCore::LayoutPoint const&, WebCore::HitTestFilter)+0xac (WebCore:arm64e+0x796b204)
    #9 0x000146962f68 in WebCore::RenderLayer::hitTestContents(WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::LayoutRect const&, WebCore::HitTestLocation const&, WebCore::HitTestFilter) const+0x154 (WebCore:arm64e+0x782ef68)
    #10 0x00014695e368 in WebCore::RenderLayer::hitTestLayer(WebCore::RenderLayer*, WebCore::RenderLayer*, WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::LayoutRect const&, WebCore::HitTestLocation const&, bool, WebCore::HitTestingTransformState const*, double*)+0x798 (WebCore:arm64e+0x782a368)
    #11 0x000146962520 in WebCore::RenderLayer::hitTestList(WebCore::RenderLayer::LayerList, WebCore::RenderLayer*, WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::LayoutRect const&, WebCore::HitTestLocation const&, WebCore::HitTestingTransformState const*, double*, bool)+0x2cc (WebCore:arm64e+0x782e520)
    #12 0x00014695e12c in WebCore::RenderLayer::hitTestLayer(WebCore::RenderLayer*, WebCore::RenderLayer*, WebCore::HitTestRequest const&, WebCore::HitTestResult&, WebCore::LayoutRect const&, WebCore::HitTestLocation const&, bool, WebCore::HitTestingTransformState const*, double*)+0x55c (WebCore:arm64e+0x782a12c)
    #13 0x00014695d6bc in WebCore::RenderLayer::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestLocation const&, WebCore::HitTestResult&)+0x374 (WebCore:arm64e+0x78296bc)
    #14 0x000144228a14 in WebCore::Document::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestLocation const&, WebCore::HitTestResult&)+0x1c4 (WebCore:arm64e+0x50f4a14)
    #15 0x000144537480 in WebCore::TreeScope::nodeFromPoint(WebCore::LayoutPoint const&, WebCore::LayoutPoint*, WebCore::HitTestSource)+0x150 (WebCore:arm64e+0x5403480)
    #16 0x0001441a28e8 in WebCore::Document::caretPositionFromPoint(WebCore::LayoutPoint const&, WebCore::HitTestSource)+0x158 (WebCore:arm64e+0x506e8e8)
    #17 0x0001441a24b4 in WebCore::Document::caretRangeFromPoint(int, int, WebCore::HitTestSource)+0xf0 (WebCore:arm64e+0x506e4b4)
    #18 0x00014047f020 in WebCore::jsDocumentPrototypeFunction_caretRangeFromPointBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)+0x3bc (WebCore:arm64e+0x134b020)
Attachments
Test reduction (541 bytes, text/html), 2025-10-15 15:29 PDT, alan, no flags
alan
Comment 1
2025-10-15 15:29:33 PDT
Created attachment 477094: Test reduction
Rob Buis
Comment 2
2025-10-16 03:12:38 PDT
Pull request: https://github.com/WebKit/WebKit-security/pull/140
Rob Buis
Comment 3
2025-10-17 00:44:21 PDT
Pull request: https://github.com/WebKit/WebKit/pull/52542
EWS
Comment 4
2025-10-17 07:16:02 PDT
Committed 301710@main (8d66f7338e51): <https://commits.webkit.org/301710@main>

Reviewed commits have been landed. Closing PR #52542 and removing active labels.