Bug 302379 - RESOLVED FIXED
[WebKit][Main] [ef80f3f18e6df299] ASAN_SEGV | WebCore::RenderView::zoomFactor; WebCore::Style::adjustValueForPageZoom; WebCore::Style::computeNonCalcLengthDouble
https://bugs.webkit.org/show_bug.cgi?id=302379
Kristian Monsen
Reported 2025-11-11 21:49:16 PST
Created attachment 477374: testcase
<rdar://164426979>

The attached testcase (fuzz-4.html) crashes a Release ASan build of WebKit.
Found by fuzzer WebKitTestRunner-h-case.
This crash was seen 6 times during the past 7 days.

Reproduced on:
WebKit main @ 302777@main
Does not reproduce on the SU branch.

Reproduction Command:
DYLD_FRAMEWORK_PATH=$PWD DYLD_LIBRARY_PATH=$PWD __XPC_DYLD_FRAMEWORK_PATH=$PWD __XPC_DYLD_LIBRARY_PATH=$PWD ASAN_OPTIONS=handle_segv=2,handle_sigbus=2,handle_sigill=2,handle_abort=2,handle_sigtrap=2,allocator_may_return_null=1 __XPC_ASAN_OPTIONS=handle_segv=2,handle_sigbus=2,handle_sigill=2,handle_abort=2,handle_sigtrap=2,allocator_may_return_null=1 ./WebKitTestRunner --no-enable-all-experimental-feature --no-timeout fuzz-4.html fuzz-4.html

Crash Log:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==53626==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000110 (pc 0x00030c3feac4 bp 0x00016d5f8ad0 sp 0x00016d5f8ac0 T0)
==53626==The signal is caused by a READ memory access.
==53626==Hint: address points to the zero page.
    #0 0x00030c3feac4 in WebCore::RenderView::zoomFactor() const+0x3c (WebCore:arm64e+0xc3feac4)
    #1 0x00030cd2ead4 in WebCore::Style::adjustValueForPageZoom(double, WebCore::CSSToLengthConversionData const&)+0x11c (WebCore:arm64e+0xcd2ead4)
    #2 0x00030cd2d7f4 in WebCore::Style::computeNonCalcLengthDouble(double, WebCore::CSS::LengthUnit, WebCore::CSSToLengthConversionData const&)+0x4f8 (WebCore:arm64e+0xcd2d7f4)
    #3 0x00030cd2d170 in WebCore::Style::computeCanonicalNonCalcLengthDouble(double, WebCore::CSS::LengthUnit, WebCore::CSSToLengthConversionData const&)+0x38 (WebCore:arm64e+0xcd2d170)
    #4 0x000307c26530 in WebCore::CSSCalc::canonicalize(WebCore::CSSCalc::NonCanonicalDimension, std::__1::optional<WebCore::CSSToLengthConversionData> const&)+0xf8 (WebCore:arm64e+0x7c26530)
    #5 0x000307c7448c in WebCore::CSSCalc::evaluate(WebCore::CSSCalc::NonCanonicalDimension const&, WebCore::CSSCalc::EvaluationOptions const&)+0x58 (WebCore:arm64e+0x7c7448c)
    #6 0x000307c17d00 in WebCore::CSSCalc::evaluate(WebCore::CSSCalc::Child const&, WebCore::CSSCalc::EvaluationOptions const&)+0x194 (WebCore:arm64e+0x7c17d00)
    #7 0x000307c74720 in double WebCore::CSSCalc::OperatorExecutor<(WebCore::CSSCalc::Operator)43>::operator()<std::__1::ranges::transform_view[abi:llvm18_nua]<std::__1::ranges::ref_view<WTF::Vector<WebCore::CSSCalc::Child, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const>, std::__1::optional<double> WebCore::CSSCalc::executeVariadicMathOperationAfterUnwrapping<WebCore::CSSCalc::Sum>(WebCore::CSSCalc::IndirectNode<WebCore::CSSCalc::Sum> const&, WebCore::CSSCalc::EvaluationOptions const&)::'lambda'(WebCore::CSSCalc::Sum const&)>>(WebCore::CSSCalc::Sum&&)+0xcc (WebCore:arm64e+0x7c74720)
    #8 0x000307c745d0 in std::__1::optional<double> WebCore::CSSCalc::executeVariadicMathOperationAfterUnwrapping<WebCore::CSSCalc::Sum>(WebCore::CSSCalc::IndirectNode<WebCore::CSSCalc::Sum> const&, WebCore::CSSCalc::EvaluationOptions const&)+0xc0 (WebCore:arm64e+0x7c745d0)
    #9 0x000307c17db8 in WebCore::CSSCalc::evaluate(WebCore::CSSCalc::Child const&, WebCore::CSSCalc::EvaluationOptions const&)+0x24c (WebCore:arm64e+0x7c17db8)
    #10 0x000307c17b5c in WebCore::CSSCalc::evaluateDouble(WebCore::CSSCalc::Tree const&, WebCore::CSSCalc::EvaluationOptions const&)+0x1c (WebCore:arm64e+0x7c17b5c)
    #11 0x000307d35580 in WebCore::CSSCalc::Value::computeLengthPx(WebCore::CSSToLengthConversionData const&, WebCore::CSSCalcSymbolTable const&) const+0x120 (WebCore:arm64e+0x7d35580)
    #12 0x000307a2d90c in float WebCore::CSSPrimitiveValue::resolveAsLength<float>(WebCore::CSSToLengthConversionData const&) const+0x40c (WebCore:arm64e+0x7a2d90c)
    #13 0x000305127154 in WebCore::Style::CSSValueConversion<WebCore::Style::Length<WebCore::CSS::Range{0x0p+0, inf, (WebCore::CSS::RangeClampOptions)0, (WebCore::CSS::RangeZoomOptions)1}, float>>::operator()(WebCore::Style::BuilderState&, WebCore::CSSValue const&)+0x17c (WebCore:arm64e+0x5127154)
    #14 0x00030cb7e768 in WebCore::Style::CSSValueConversion<WebCore::Style::LineWidth>::operator()(WebCore::Style::BuilderState&, WebCore::CSSValue const&)+0x194 (WebCore:arm64e+0xcb7e768)
    #15 0x000304e9a2c8 in WebCore::Style::BuilderGenerated::applyProperty(WebCore::CSSPropertyID, WebCore::Style::BuilderState&, WebCore::CSSValue&, WebCore::Style::ApplyValueType)+0x32dc (WebCore:arm64e+0x4e9a2c8)
    #16 0x00030c98a6cc in WebCore::Style::Builder::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue&, WebCore::SelectorChecker::LinkMatchMask, WebCore::Style::PropertyCascade::Origin)+0x3ec (WebCore:arm64e+0xc98a6cc)

Reproducibility:
Original testcase: 4/6 (66.7%) - Average time: 3.80s
Minimized testcase: 29/53 (54.7%) - Average time: 1.19s

-------------------------------------
Fuzz-0 Triage: P2. Based on:
----------------- P2 -----------------
NULL pointer derefs
(RELEASE_)ASSERTs in the WebContent Process
--------------------------------------
Attachments
testcase (265.66 KB, text/html)
2025-11-11 21:49 PST, Kristian Monsen
no flags
reduced (4.82 KB, text/html)
2025-11-11 21:49 PST, Kristian Monsen
no flags
Kristian Monsen
Comment 1 2025-11-11 21:49:31 PST
Rob Buis
Comment 2 2025-11-14 11:25:52 PST
Rob Buis
Comment 3 2025-11-17 06:03:57 PST
Kristian Monsen
Comment 4 2025-12-11 13:12:38 PST
EWS
Comment 5 2025-12-11 14:04:34 PST
Committed 304319@main (43662ccbd5af): <https://commits.webkit.org/304319@main> Reviewed commits have been landed. Closing PR #55269 and removing active labels.