Bug 220353

Summary: Nullptr crash in Node::isTextNode() via ReplaceSelectionCommand::doApply()
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: HTML Editing Assignee: Rob Buis <rbuis>
Status: RESOLVED CONFIGURATION CHANGED
Severity: Normal CC: bfulgham, cgarcia, ews-feeder, fred.wang, gpoo, product-security, rbuis, svillar, webkit-bug-importer, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Ryosuke Niwa
Reported 2021-01-05 23:05:52 PST
e.g. ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x00054f60793e bp 0x7ffee3e441f0 sp 0x7ffee3e44140 T0)
#0 0x54f60793e in WTF::OptionSet<WebCore::Node::NodeFlag>::containsAny(WTF::OptionSet<WebCore::Node::NodeFlag>) const+0xbe (WebCore.framework/Versions/A/WebCore:x86_64+0x1c593e)
#1 0x54f607819 in WTF::OptionSet<WebCore::Node::NodeFlag>::contains(WebCore::Node::NodeFlag) const+0xd9 (WebCore.framework/Versions/A/WebCore:x86_64+0x1c5819)
#2 0x54f60773c in WebCore::Node::hasNodeFlag(WebCore::Node::NodeFlag) const+0xc (WebCore.framework/Versions/A/WebCore:x86_64+0x1c573c)
#3 0x55038899d in WebCore::Node::isTextNode() const+0xd (WebCore.framework/Versions/A/WebCore:x86_64+0xf4699d)
#4 0x55302bce0 in WebCore::ReplaceSelectionCommand::doApply()+0x1640 (WebCore.framework/Versions/A/WebCore:x86_64+0x3be9ce0)
#5 0x552f2b656 in WebCore::CompositeEditCommand::apply()+0x216 (WebCore.framework/Versions/A/WebCore:x86_64+0x3ae9656)
#6 0x552fede29 in WebCore::executeInsertFragment(WebCore::Frame&, WTF::Ref<WebCore::DocumentFragment, WTF::RawPtrTraits<WebCore::DocumentFragment> >&&)+0x159 (WebCore.framework/Versions/A/WebCore:x86_64+0x3babe29)
#7 0x552fe7cdc in WebCore::executeInsertHTML(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)+0xdc (WebCore.framework/Versions/A/WebCore:x86_64+0x3ba5cdc)
#8 0x552fad4db in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const+0xdb (WebCore.framework/Versions/A/WebCore:x86_64+0x3b6b4db)
#9 0x552c2d413 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)+0xf3 (WebCore.framework/Versions/A/WebCore:x86_64+0x37eb413)
#10 0x54ff09079 in WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)+0x469 (WebCore.framework/Versions/A/WebCore:x86_64+0xac7079)
#11 0x54ff08b6b in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0xfb (WebCore.framework/Versions/A/WebCore:x86_64+0xac6b6b)
#12 0x54fef3448 in WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0xab1448)
#13 0x3ba3cfe011d7 (<unknown module>)
#14 0x56fe68bce in llint_entry+0x1a8a6 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc2ebce)
#15 0x56fe4e128 in vmEntryToJavaScript+0xd7 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc14128)
#16 0x571635621 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x611 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x23fb621)
#17 0x571d025e4 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x64 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac85e4)
#18 0x571d026df in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xdf (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac86df)
#19 0x571d02a9b in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10b (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac8a9b)
#20 0x5524873b8 in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xe8 (WebCore.framework/Versions/A/WebCore:x86_64+0x30453b8)
#21 0x5524b394a in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0xaaa (WebCore.framework/Versions/A/WebCore:x86_64+0x307194a)
#22 0x552d597d2 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x522 (WebCore.framework/Versions/A/WebCore:x86_64+0x39177d2)
#23 0x552d54542 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x1b2 (WebCore.framework/Versions/A/WebCore:x86_64+0x3912542)
#24 0x552dcde0d in WebCore::Node::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0xed (WebCore.framework/Versions/A/WebCore:x86_64+0x398be0d)
#25 0x552d23830 in WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const+0x1f0 (WebCore.framework/Versions/A/WebCore:x86_64+0x38e1830)
#26 0x552d25249 in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&)+0x179 (WebCore.framework/Versions/A/WebCore:x86_64+0x38e3249)
#27 0x552d245fc in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&)+0x55c (WebCore.framework/Versions/A/WebCore:x86_64+0x38e25fc)
#28 0x552dcde78 in WebCore::Node::dispatchEvent(WebCore::Event&)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0x398be78)
#29 0x552e38c97 in WebCore::ScopedEventQueue::dispatchEvent(WebCore::ScopedEventQueue::ScopedEvent const&) const+0x57 (WebCore.framework/Versions/A/WebCore:x86_64+0x39f6c97)
#30 0x552e38b07 in WebCore::ScopedEventQueue::enqueueEvent(WTF::Ref<WebCore::Event, WTF::RawPtrTraits<WebCore::Event> >&&)+0x187 (WebCore.framework/Versions/A/WebCore:x86_64+0x39f6b07)
#31 0x552d23dbe in WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&)+0x16e (WebCore.framework/Versions/A/WebCore:x86_64+0x38e1dbe)
#32 0x552dcde68 in WebCore::Node::dispatchScopedEvent(WebCore::Event&)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0x398be68)
#33 0x552dce05f in WebCore::Node::dispatchSubtreeModifiedEvent()+0x1df (WebCore.framework/Versions/A/WebCore:x86_64+0x398c05f)
#34 0x552d0fb23 in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomString const&)+0x1e3 (WebCore.framework/Versions/A/WebCore:x86_64+0x38cdb23)
#35 0x552d0f6ca in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute)+0x16a (WebCore.framework/Versions/A/WebCore:x86_64+0x38cd6ca)
#36 0x552d0660c in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute)+0x13c (WebCore.framework/Versions/A/WebCore:x86_64+0x38c460c)
#37 0x552d06c7e in WebCore::Element::setAttribute(WTF::AtomString const&, WTF::AtomString const&)+0x4de (WebCore.framework/Versions/A/WebCore:x86_64+0x38c4c7e)
#38 0x54ff2193b in WebCore::jsElementPrototypeFunction_setAttributeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)+0x37b (WebCore.framework/Versions/A/WebCore:x86_64+0xadf93b)
#39 0x54ff2151b in long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunction_setAttributeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0xfb (WebCore.framework/Versions/A/WebCore:x86_64+0xadf51b)
#40 0x54ff1fb48 in WebCore::jsElementPrototypeFunction_setAttribute(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0xaddb48)
#41 0x3ba3cfe011d7 (<unknown module>)
#42 0x56fe68bce in llint_entry+0x1a8a6 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc2ebce)
#43 0x56fe4e128 in vmEntryToJavaScript+0xd7 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc14128)
#44 0x571635621 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x611 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x23fb621)
#45 0x571d025e4 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x64 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac85e4)
#46 0x571d026df in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xdf (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac86df)
#47 0x571d02a9b in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10b (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac8a9b)
#48 0x5524873b8 in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xe8 (WebCore.framework/Versions/A/WebCore:x86_64+0x30453b8)
#49 0x55248688f in WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&)+0x34f (WebCore.framework/Versions/A/WebCore:x86_64+0x304488f)
#50 0x54f99b54f in WebCore::JSCallbackDataStrong::invokeCallback(JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&)+0xef (WebCore.framework/Versions/A/WebCore:x86_64+0x55954f)
#51 0x54fac0af1 in WebCore::JSBlobCallback::handleEvent(WebCore::Blob*)+0x291 (WebCore.framework/Versions/A/WebCore:x86_64+0x67eaf1)
#52 0x5530ec918 in WebCore::BlobCallback::scheduleCallback(WebCore::ScriptExecutionContext&, WTF::RefPtr<WebCore::Blob, WTF::RawPtrTraits<WebCore::Blob>, WTF::DefaultRefDerefTraits<WebCore::Blob> >&&)::$_10::operator()(WebCore::ScriptExecutionContext&) const+0x58 (WebCore.framework/Versions/A/WebCore:x86_64+0x3caa918)
#53 0x5530ec5ac in WTF::Detail::CallableWrapper<WebCore::BlobCallback::scheduleCallback(WebCore::ScriptExecutionContext&, WTF::RefPtr<WebCore::Blob, WTF::RawPtrTraits<WebCore::Blob>, WTF::DefaultRefDerefTraits<WebCore::Blob> >&&)::$_10, void, WebCore::ScriptExecutionContext&>::call(WebCore::ScriptExecutionContext&)+0x1c (WebCore.framework/Versions/A/WebCore:x86_64+0x3caa5ac)
#54 0x5521e6533 in WTF::Function<void (WebCore::ScriptExecutionContext&)>::operator()(WebCore::ScriptExecutionContext&) const+0x53 (WebCore.framework/Versions/A/WebCore:x86_64+0x2da4533)
#55 0x5521ccfd8 in WebCore::ScriptExecutionContext::Task::performTask(WebCore::ScriptExecutionContext&)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0x2d8afd8)
#56 0x552cc3348 in WebCore::Document::postTask(WebCore::ScriptExecutionContext::Task&&)::$_13::operator()()+0x78 (WebCore.framework/Versions/A/WebCore:x86_64+0x3881348)

<rdar://problem/72654779>
Attachments
Test (484.01 KB, text/html)
2021-01-05 23:06 PST, Ryosuke Niwa
no flags
Reduced testcase (747 bytes, text/html)
2021-01-11 08:46 PST, Rob Buis
no flags
Patch (5.41 KB, patch)
2021-01-25 05:47 PST, Rob Buis
no flags
Ryosuke Niwa
Comment 1 2021-01-05 23:06:03 PST
Rob Buis
Comment 2 2021-01-11 08:46:21 PST
Created attachment 417383 [details] Reduced testcase
Rob Buis
Comment 3 2021-01-25 05:47:22 PST
Rob Buis
Comment 4 2021-01-25 05:55:35 PST
https://trac.webkit.org/changeset/271787 fixes this one as well. Do we want to do anything with the test case?
Ryosuke Niwa
Comment 5 2021-01-25 17:59:56 PST
(In reply to Rob Buis from comment #4)
> https://trac.webkit.org/changeset/271787 fixes this one as well. Do we want
> to do anything with the test case?

Nice!
Ryosuke Niwa
Comment 6 2021-01-25 18:01:20 PST
(In reply to Ryosuke Niwa from comment #5)
> (In reply to Rob Buis from comment #4)
> > https://trac.webkit.org/changeset/271787 fixes this one as well. Do we want
> > to do anything with the test case?
>
> Nice!

I don't think we need to add a test given we're only fixing it because the fuzzer found it unless we encounter it again in the future.