Bug 208314

Summary: Crash in Document::textNodesMerged
Product: WebKit
Reporter: Ali Juma <ajuma>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: bfulgham, product-security, rniwa, rohitrao, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Description: Minimal test case    Flags: none

Description Ali Juma 2020-02-27 08:21:30 PST
Created attachment 391874
Minimal test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

Crash stack:
=================================================================
==45635==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0003304db9b4 bp 0x7ffee96d9350 sp 0x7ffee96d9350 T0)
==45635==The signal is caused by a WRITE memory access.
==45635==Hint: address points to the zero page.
==45635==WARNING: invalid path to external symbolizer!
==45635==WARNING: Failed to use and restart external symbolizer!
    #0 0x3304db9b3 in WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >::Ref(WebCore::Node&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x4db9b3)
    #1 0x33313af25 in WebCore::boundaryTextNodesMerged(WebCore::RangeBoundaryPoint&, WebCore::NodeWithIndex&, unsigned int) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x313af25)
    #2 0x332f4cb9d in WebCore::Document::textNodesMerged(WebCore::Text&, unsigned int) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f4cb9d)
    #3 0x3330dcbba in WebCore::Node::normalize() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x30dcbba)
    #4 0x33110eafd in WebCore::jsNodePrototypeFunctionNormalizeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSNode*, JSC::ThrowScope&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x110eafd)
    #5 0x33108e94b in long long WebCore::IDLOperation<WebCore::JSNode>::call<&(WebCore::jsNodePrototypeFunctionNormalizeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSNode*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x108e94b)
    #6 0x28fb55c01177  (<unknown module>)
    #7 0x34ab6145b in llint_entry (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa8c45b)
    #8 0x34ab4a3d8 in vmEntryToJavaScript (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa753d8)
    #9 0x34c172937 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x209d937)
    #10 0x34c79e140 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x26c9140)
    #11 0x34c79e242 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x26c9242)
    #12 0x34c79e61f in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x26c961f)
    #13 0x33289a01b in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x289a01b)
    #14 0x332964fa8 in WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2964fa8)
    #15 0x33296495a in WebCore::ScheduledAction::execute(WebCore::Document&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x296495a)
    #16 0x333ddeaaa in WebCore::DOMTimer::fired() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3ddeaaa)
    #17 0x33413cf06 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x413cf06)
    #18 0x3341b440e in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x41b440e)
    #19 0x7fff3d7fee14 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x59e14)
    #20 0x7fff3d7fe9c0 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x599c0)
    #21 0x7fff3d7fe4f9 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x594f9)
    #22 0x7fff3d7dfb33 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3ab33)
    #23 0x7fff3d7df084 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3a084)
    #24 0x7fff3fa53a9e in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1ca9e)
    #25 0x7fff3fa53973 in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1c973)
    #26 0x7fff69ecb1d6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x111d6)
    #27 0x7fff69ecacd8 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10cd8)
    #28 0x106e33465 in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x904465)
    #29 0x7fff69c983d4 in start (/usr/lib/system/libdyld.dylib:x86_64+0x163d4)
==45635==Register values:
rax = 0x0000100000000000  rbx = 0x00007ffee96d93c0  rcx = 0x0000100000000002  rdx = 0x00001c0c00032626
rdi = 0x00007ffee96d93a0  rsi = 0x0000000000000010  rbp = 0x00007ffee96d9350  rsp = 0x00007ffee96d9350
 r8 = 0x0000100000000000   r9 = 0x00000fffffffffff  r10 = 0x0000000000000000  r11 = 0x0000000000000128
r12 = 0x00001fffdd2db26c  r13 = 0x00007ffee96d9460  r14 = 0x00007ffee96d9360  r15 = 0x00007ffee96d93a0
Comment 1 Radar WebKit Bug Importer 2020-02-27 08:21:41 PST
<rdar://problem/59847754>
Comment 2 Ryosuke Niwa 2020-03-04 19:44:31 PST

*** This bug has been marked as a duplicate of bug 207875 ***