Bug 220353

Summary: Nullptr crash in Node::isTextNode() via ReplaceSelectionCommand::doApply()
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: HTML EditingAssignee: Rob Buis <rbuis>
Status: RESOLVED CONFIGURATION CHANGED    
Severity: Normal CC: bfulgham, cgarcia, ews-feeder, fred.wang, gpoo, product-security, rbuis, svillar, webkit-bug-importer, wenson_hsieh
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Test
none
Reduced testcase
none
Patch none

Description Ryosuke Niwa 2021-01-05 23:05:52 PST 
e.g.

ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x00054f60793e bp 0x7ffee3e441f0 sp 0x7ffee3e44140 T0)

    #0 0x54f60793e in WTF::OptionSet<WebCore::Node::NodeFlag>::containsAny(WTF::OptionSet<WebCore::Node::NodeFlag>) const+0xbe (WebCore.framework/Versions/A/WebCore:x86_64+0x1c593e)
    #1 0x54f607819 in WTF::OptionSet<WebCore::Node::NodeFlag>::contains(WebCore::Node::NodeFlag) const+0xd9 (WebCore.framework/Versions/A/WebCore:x86_64+0x1c5819)
    #2 0x54f60773c in WebCore::Node::hasNodeFlag(WebCore::Node::NodeFlag) const+0xc (WebCore.framework/Versions/A/WebCore:x86_64+0x1c573c)
    #3 0x55038899d in WebCore::Node::isTextNode() const+0xd (WebCore.framework/Versions/A/WebCore:x86_64+0xf4699d)
    #4 0x55302bce0 in WebCore::ReplaceSelectionCommand::doApply()+0x1640 (WebCore.framework/Versions/A/WebCore:x86_64+0x3be9ce0)
    #5 0x552f2b656 in WebCore::CompositeEditCommand::apply()+0x216 (WebCore.framework/Versions/A/WebCore:x86_64+0x3ae9656)
    #6 0x552fede29 in WebCore::executeInsertFragment(WebCore::Frame&, WTF::Ref<WebCore::DocumentFragment, WTF::RawPtrTraits<WebCore::DocumentFragment> >&&)+0x159 (WebCore.framework/Versions/A/WebCore:x86_64+0x3babe29)
    #7 0x552fe7cdc in WebCore::executeInsertHTML(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)+0xdc (WebCore.framework/Versions/A/WebCore:x86_64+0x3ba5cdc)
    #8 0x552fad4db in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const+0xdb (WebCore.framework/Versions/A/WebCore:x86_64+0x3b6b4db)
    #9 0x552c2d413 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)+0xf3 (WebCore.framework/Versions/A/WebCore:x86_64+0x37eb413)
    #10 0x54ff09079 in WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)+0x469 (WebCore.framework/Versions/A/WebCore:x86_64+0xac7079)
    #11 0x54ff08b6b in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0xfb (WebCore.framework/Versions/A/WebCore:x86_64+0xac6b6b)
    #12 0x54fef3448 in WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0xab1448)
    #13 0x3ba3cfe011d7  (<unknown module>)
    #14 0x56fe68bce in llint_entry+0x1a8a6 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc2ebce)
    #15 0x56fe4e128 in vmEntryToJavaScript+0xd7 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc14128)
    #16 0x571635621 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x611 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x23fb621)
    #17 0x571d025e4 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x64 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac85e4)
    #18 0x571d026df in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xdf (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac86df)
    #19 0x571d02a9b in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10b (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac8a9b)
    #20 0x5524873b8 in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xe8 (WebCore.framework/Versions/A/WebCore:x86_64+0x30453b8)
    #21 0x5524b394a in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0xaaa (WebCore.framework/Versions/A/WebCore:x86_64+0x307194a)
    #22 0x552d597d2 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x522 (WebCore.framework/Versions/A/WebCore:x86_64+0x39177d2)
    #23 0x552d54542 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x1b2 (WebCore.framework/Versions/A/WebCore:x86_64+0x3912542)
    #24 0x552dcde0d in WebCore::Node::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0xed (WebCore.framework/Versions/A/WebCore:x86_64+0x398be0d)
    #25 0x552d23830 in WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const+0x1f0 (WebCore.framework/Versions/A/WebCore:x86_64+0x38e1830)
    #26 0x552d25249 in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&)+0x179 (WebCore.framework/Versions/A/WebCore:x86_64+0x38e3249)
    #27 0x552d245fc in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&)+0x55c (WebCore.framework/Versions/A/WebCore:x86_64+0x38e25fc)
    #28 0x552dcde78 in WebCore::Node::dispatchEvent(WebCore::Event&)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0x398be78)
    #29 0x552e38c97 in WebCore::ScopedEventQueue::dispatchEvent(WebCore::ScopedEventQueue::ScopedEvent const&) const+0x57 (WebCore.framework/Versions/A/WebCore:x86_64+0x39f6c97)
    #30 0x552e38b07 in WebCore::ScopedEventQueue::enqueueEvent(WTF::Ref<WebCore::Event, WTF::RawPtrTraits<WebCore::Event> >&&)+0x187 (WebCore.framework/Versions/A/WebCore:x86_64+0x39f6b07)
    #31 0x552d23dbe in WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&)+0x16e (WebCore.framework/Versions/A/WebCore:x86_64+0x38e1dbe)
    #32 0x552dcde68 in WebCore::Node::dispatchScopedEvent(WebCore::Event&)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0x398be68)
    #33 0x552dce05f in WebCore::Node::dispatchSubtreeModifiedEvent()+0x1df (WebCore.framework/Versions/A/WebCore:x86_64+0x398c05f)
    #34 0x552d0fb23 in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomString const&)+0x1e3 (WebCore.framework/Versions/A/WebCore:x86_64+0x38cdb23)
    #35 0x552d0f6ca in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute)+0x16a (WebCore.framework/Versions/A/WebCore:x86_64+0x38cd6ca)
    #36 0x552d0660c in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute)+0x13c (WebCore.framework/Versions/A/WebCore:x86_64+0x38c460c)
    #37 0x552d06c7e in WebCore::Element::setAttribute(WTF::AtomString const&, WTF::AtomString const&)+0x4de (WebCore.framework/Versions/A/WebCore:x86_64+0x38c4c7e)
    #38 0x54ff2193b in WebCore::jsElementPrototypeFunction_setAttributeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)+0x37b (WebCore.framework/Versions/A/WebCore:x86_64+0xadf93b)
    #39 0x54ff2151b in long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunction_setAttributeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0xfb (WebCore.framework/Versions/A/WebCore:x86_64+0xadf51b)
    #40 0x54ff1fb48 in WebCore::jsElementPrototypeFunction_setAttribute(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0xaddb48)
    #41 0x3ba3cfe011d7  (<unknown module>)
    #42 0x56fe68bce in llint_entry+0x1a8a6 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc2ebce)
    #43 0x56fe4e128 in vmEntryToJavaScript+0xd7 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc14128)
    #44 0x571635621 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x611 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x23fb621)
    #45 0x571d025e4 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x64 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac85e4)
    #46 0x571d026df in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xdf (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac86df)
    #47 0x571d02a9b in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10b (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac8a9b)
    #48 0x5524873b8 in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xe8 (WebCore.framework/Versions/A/WebCore:x86_64+0x30453b8)
    #49 0x55248688f in WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&)+0x34f (WebCore.framework/Versions/A/WebCore:x86_64+0x304488f)
    #50 0x54f99b54f in WebCore::JSCallbackDataStrong::invokeCallback(JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&)+0xef (WebCore.framework/Versions/A/WebCore:x86_64+0x55954f)
    #51 0x54fac0af1 in WebCore::JSBlobCallback::handleEvent(WebCore::Blob*)+0x291 (WebCore.framework/Versions/A/WebCore:x86_64+0x67eaf1)
    #52 0x5530ec918 in WebCore::BlobCallback::scheduleCallback(WebCore::ScriptExecutionContext&, WTF::RefPtr<WebCore::Blob, WTF::RawPtrTraits<WebCore::Blob>, WTF::DefaultRefDerefTraits<WebCore::Blob> >&&)::$_10::operator()(WebCore::ScriptExecutionContext&) const+0x58 (WebCore.framework/Versions/A/WebCore:x86_64+0x3caa918)
    #53 0x5530ec5ac in WTF::Detail::CallableWrapper<WebCore::BlobCallback::scheduleCallback(WebCore::ScriptExecutionContext&, WTF::RefPtr<WebCore::Blob, WTF::RawPtrTraits<WebCore::Blob>, WTF::DefaultRefDerefTraits<WebCore::Blob> >&&)::$_10, void, WebCore::ScriptExecutionContext&>::call(WebCore::ScriptExecutionContext&)+0x1c (WebCore.framework/Versions/A/WebCore:x86_64+0x3caa5ac)
    #54 0x5521e6533 in WTF::Function<void (WebCore::ScriptExecutionContext&)>::operator()(WebCore::ScriptExecutionContext&) const+0x53 (WebCore.framework/Versions/A/WebCore:x86_64+0x2da4533)
    #55 0x5521ccfd8 in WebCore::ScriptExecutionContext::Task::performTask(WebCore::ScriptExecutionContext&)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0x2d8afd8)
    #56 0x552cc3348 in WebCore::Document::postTask(WebCore::ScriptExecutionContext::Task&&)::$_13::operator()()+0x78 (WebCore.framework/Versions/A/WebCore:x86_64+0x3881348)

<rdar://problem/72654779>
Comment 1 Ryosuke Niwa 2021-01-05 23:06:03 PST 
Created attachment 417071 [details]
Test
Comment 2 Rob Buis 2021-01-11 08:46:21 PST 
Created attachment 417383 [details]
Reduced testcase
Comment 3 Rob Buis 2021-01-25 05:47:22 PST 
Created attachment 418282 [details]
Patch
Comment 4 Rob Buis 2021-01-25 05:55:35 PST 
https://trac.webkit.org/changeset/271787 fixes this one as well. Do we want to do anything with the test case?
Comment 5 Ryosuke Niwa 2021-01-25 17:59:56 PST 
(In reply to Rob Buis from comment #4)
> https://trac.webkit.org/changeset/271787 fixes this one as well. Do we want
> to do anything with the test case?

Nice!
Comment 6 Ryosuke Niwa 2021-01-25 18:01:20 PST 
(In reply to Ryosuke Niwa from comment #5)
> (In reply to Rob Buis from comment #4)
> > https://trac.webkit.org/changeset/271787 fixes this one as well. Do we want
> > to do anything with the test case?
> 
> Nice!

I don't think we need to add a test given we're only fixing it because the fuzzer found it unless we encounter it again in the future.