Bug 43722 - cross_fuzz WebCore::RenderBlock::addChild* NULL ptrs
Summary: cross_fuzz WebCore::RenderBlock::addChild* NULL ptrs
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
Importance: P1 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks: 42959
 
Reported: 2010-08-09 08:26 PDT by Berend-Jan Wever
Modified: 2010-09-01 18:58 PDT (History)
CC List: 6 users

See Also:


Attachments
Repro (190 bytes, text/html), 2010-08-09 08:26 PDT, Berend-Jan Wever, no flags
Patch (review carefully) (3.74 KB, patch), 2010-08-09 11:32 PDT, Adam Barth, no flags

Description Berend-Jan Wever 2010-08-09 08:26:03 PDT
Created attachment 63895 [details]
Repro

The following code triggers a NULL ptr in Chromium latest:
<html>
  <head>
    <style>
      :before{
        content:""
      };
    </style>
  </head>
  <body onload="document.linkColor=0;">
    <ruby>
      <rt></rt>
    </ruby>
  </body>
</html>

id:             WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks ReadAV@NULL (8861963c2158cde00d41e1ee9baea2f1)
description:    Attempt to read from NULL pointer (+0xC) in WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks
signatures:     Function: WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks
                Basic signature: WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks(...)-2D824F8
stack:          WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks
                WebCore::RenderBlock::addChildIgnoringContinuation
                WebCore::RenderBlock::addChild
                WebCore::RenderRubyRun::addChild
                WebCore::RenderRubyAsInline::addChild
                WebCore::RenderObjectChildList::updateBeforeAfterContent
                WebCore::RenderInline::styleDidChange
                WebCore::RenderObject::setStyle
                WebCore::RenderObject::setAnimatableStyle
                WebCore::Node::setRenderStyle
                WebCore::Element::recalcStyle
                WebCore::Element::recalcStyle
                WebCore::Element::recalcStyle
                WebCore::Document::recalcStyle
                WebCore::StyledElement::attributeChanged
                WebCore::NamedNodeMap::addAttribute
                WebCore::Element::setAttribute
                WebCore::Element::setAttribute
                WebCore::HTMLBodyElement::setLink
                WebCore::HTMLDocument::setLinkColor
                WebCore::HTMLDocumentInternal::linkColorAttrSetter
                v8::internal::JSObject::SetPropertyWithCallback
                v8::internal::JSObject::SetProperty
                v8::internal::JSObject::SetPropertyPostInterceptor
                v8::internal::JSObject::SetPropertyWithInterceptor
                v8::internal::JSObject::SetProperty
                v8::internal::JSObject::SetProperty
                v8::internal::StoreIC::Store
                v8::internal::StoreIC_Miss
                v8::internal::Invoke
                v8::internal::Execution::Call
                ...

During fuzzing, I have seen NULL ptr crashes two levels up the stack as well, in RenderBlock::addChild. I expect the cause is the same.
Comment 1 Adam Barth 2010-08-09 11:32:58 PDT
Created attachment 63911 [details]
Patch (review carefully)
Comment 2 Eric Seidel (no email) 2010-08-09 12:14:17 PDT
I'm not sure who does ruby stuff.
Comment 3 David Levin 2010-08-17 17:58:10 PDT
Roland, any comments?
Comment 4 WebKit Commit Bot 2010-08-30 00:35:58 PDT
Comment on attachment 63911 [details]
Patch (review carefully)

Clearing flags on attachment: 63911

Committed r66371: <http://trac.webkit.org/changeset/66371>
Comment 5 WebKit Commit Bot 2010-08-30 00:36:03 PDT
All reviewed patches have been landed.  Closing bug.
Comment 6 David Kilzer (:ddkilzer) 2010-08-30 21:45:47 PDT
<rdar://problem/8375382>
Comment 7 Roland Steiner 2010-09-01 18:58:07 PDT
Whoa, this bug thread completely sneaked by me, sorry about that! :(

FWIW, I think the patch is fine. My recently r+'d patch for https://bugs.webkit.org/show_bug.cgi?id=41040 (not yet landed) also concerns :before/:after content. AFAICT it will subsume this patch once merged and landed.