Bug 208309 - Crash in CSSValue::isPrimitiveValue
Summary: Crash in CSSValue::isPrimitiveValue
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2020-02-27 07:34 PST by Ali Juma
Modified: 2020-03-16 15:10 PDT
CC: 11 users

Attachments
Minimal test case (431 bytes, text/html), 2020-02-27 07:34 PST, Ali Juma
Patch (3.50 KB, patch), 2020-03-16 10:54 PDT, Pinki Gyanchandani
Patch (3.50 KB, patch), 2020-03-16 13:14 PDT, Pinki Gyanchandani

Description Ali Juma 2020-02-27 07:34:25 PST
Created attachment 391864 [details]
Minimal test case

Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug.

Crash stack:
=================================================================
==37021==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x00047109ce22 bp 0x7ffeef071510 sp 0x7ffeef071510 T0)
==37021==The signal is caused by a READ memory access.
==37021==Hint: address points to the zero page.
==37021==WARNING: invalid path to external symbolizer!
==37021==WARNING: Failed to use and restart external symbolizer!
    #0 0x47109ce21 in WebCore::CSSValue::isPrimitiveValue() const (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x196e21)
    #1 0x47108032d in WTF::match_constness<WebCore::CSSValue, WebCore::CSSPrimitiveValue>::type& WTF::downcast<WebCore::CSSPrimitiveValue, WebCore::CSSValue>(WebCore::CSSValue&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x17a32d)
    #2 0x47412a086 in WebCore::ApplyStyleCommand::computedFontSize(WebCore::Node*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3224086)
    #3 0x474126a8b in WebCore::ApplyStyleCommand::applyRelativeFontStyleChange(WebCore::EditingStyle*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3220a8b)
    #4 0x474125246 in WebCore::ApplyStyleCommand::doApply() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x321f246)
    #5 0x47411c476 in WebCore::CompositeEditCommand::apply() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3216476)
    #6 0x47418658c in WebCore::Editor::applyStyle(WTF::RefPtr<WebCore::EditingStyle, WTF::DumbPtrTraits<WebCore::EditingStyle> >&&, WebCore::EditAction, WebCore::Editor::ColorFilterMode) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x328058c)
    #7 0x4741ce885 in WebCore::applyCommandToFrame(WebCore::Frame&, WebCore::EditorCommandSource, WebCore::EditAction, WTF::Ref<WebCore::EditingStyle, WTF::DumbPtrTraits<WebCore::EditingStyle> >&&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32c8885)
    #8 0x4741ce72b in WebCore::executeApplyStyle(WebCore::Frame&, WebCore::EditorCommandSource, WebCore::EditAction, WebCore::CSSPropertyID, WTF::String const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x32c872b)
    #9 0x473e59c91 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f53c91)
    #10 0x471913800 in WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xa0d800)
    #11 0x4717d0625 in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8ca625)
    #12 0x2a06fda01177  (<unknown module>)
    #13 0x48ba6745b in llint_entry (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa8c45b)
    #14 0x48ba503d8 in vmEntryToJavaScript (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa753d8)
    #15 0x48d07440d in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x209940d)
    #16 0x48d7263fb in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x274b3fb)
    #17 0x48d7266cc in JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x274b6cc)
    #18 0x47386dcd3 in WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2967cd3)
    #19 0x47386d4fb in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29674fb)
    #20 0x47386d10c in WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x296710c)
    #21 0x474049481 in WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3143481)
    #22 0x474046490 in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3140490)
    #23 0x4746f528e in WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37ef28e)
    #24 0x4746f4f64 in WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement, WTF::DumbPtrTraits<WebCore::ScriptElement> >&&, WTF::TextPosition const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37eef64)
    #25 0x4746d535c in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37cf35c)
    #26 0x4746d59f4 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37cf9f4)
    #27 0x4746d49dd in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37ce9dd)
    #28 0x4746d6859 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::DumbPtrTraits<WTF::StringImpl> >&&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37d0859)
    #29 0x473e1985a in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2f1385a)
    #30 0x474ac48b4 in WebCore::DocumentWriter::end() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bbe8b4)
    #31 0x474ac31a8 in WebCore::DocumentLoader::finishedLoading() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bbd1a8)
    #32 0x474ac2dee in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3bbcdee)
    #33 0x474c50927 in WebCore::CachedResource::checkNotify() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3d4a927)
    #34 0x474c4cac8 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3d46ac8)
    #35 0x474bd0cde in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3ccacde)
    #36 0x1022e7ca6 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1754ca6)
    #37 0x1029e9547 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1e56547)
    #38 0x1029e8649 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1e55649)
    #39 0x1022a4334 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x1711334)
    #40 0x100c1898a in IPC::Connection::dispatchMessage(IPC::Decoder&) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8598a)
    #41 0x100c1967a in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x8667a)
    #42 0x100c1a2b8 in IPC::Connection::dispatchOneIncomingMessage() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x872b8)
    #43 0x48b098679 in WTF::RunLoop::performWork() (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xbd679)
    #44 0x48b09925a in WTF::RunLoop::performWork(void*) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xbe25a)
    #45 0x7fff338f631a in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x5731a)
    #46 0x7fff338f62c0 in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x572c0)
    #47 0x7fff338da1ba in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3b1ba)
    #48 0x7fff338d9782 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3a782)
    #49 0x7fff338d9084 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x3a084)
    #50 0x7fff35b4da9e in -[NSRunLoop(NSRunLoop) runMode:beforeDate:] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1ca9e)
    #51 0x7fff35b4d973 in -[NSRunLoop(NSRunLoop) run] (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x1c973)
    #52 0x7fff5ffc51d6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x111d6)
    #53 0x7fff5ffc4cd8 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0x10cd8)
    #54 0x101497465 in WebKit::XPCServiceMain(int, char const**) (/Users/chrome-bot/clusterfuzz/bot/builds/mac_asan_webkit/custom/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x904465)
    #55 0x7fff5fd923d4 in start (/usr/lib/system/libdyld.dylib:x86_64+0x163d4)
==37021==Register values:
rax = 0x0000000000000000  rbx = 0x0000000000000000  rcx = 0x0000100000000001  rdx = 0x0000000000000009
rdi = 0x0000000000000008  rsi = 0x00007ffeef071580  rbp = 0x00007ffeef071510  rsp = 0x00007ffeef071510
 r8 = 0x0000100000000000   r9 = 0x0000000000000000  r10 = 0xffffffffffffffff  r11 = 0x00000fffffffffff
r12 = 0x00007ffeef071560  r13 = 0x00007ffeef071580  r14 = 0x00007ffeef071540  r15 = 0x00001fffdde0e2a8
Comment 1 Radar WebKit Bug Importer 2020-02-27 07:34:37 PST
<rdar://problem/59846646>
Comment 2 Eugene But 2020-03-13 10:49:12 PDT
Ali helped to debug this issue. Crash happens inside ApplyStyleCommand::computedFontSize, because |value| variable is null:

float ApplyStyleCommand::computedFontSize(Node* node)
{
    if (!node)
        return 0;

    // propertyValue() can return null here (it does for the reporter's text node);
    // the unconditional *value on the next line is the crash site in the ASan stack.
    auto value = ComputedStyleExtractor(node).propertyValue(CSSPropertyFontSize);
    return downcast<CSSPrimitiveValue>(*value).floatValue(CSSPrimitiveValue::CSS_PX);
}

|node| is WebCoreText with whitespace value (" "), but the browser also crashes with non-whitespace text. |node| has a parent (HTMLTextAreaElement), and that parent has shadow root, but shadow root does not have an assigned slot:


inline ComposedTreeAncestorIterator& ComposedTreeAncestorIterator::traverseParent()
{
    auto* parent = m_current->parentNode();
    ...
    if (auto* shadowRoot = parent->shadowRoot()) {
        m_current = shadowRoot->findAssignedSlot(*m_current);
        return *this;
    }

The fact that HTMLTextAreaElement has shadow root seems correct:

Ref<HTMLTextAreaElement> HTMLTextAreaElement::create(const QualifiedName& tagName, Document& document, HTMLFormElement* form)
{
    auto textArea = adoptRef(*new HTMLTextAreaElement(tagName, document, form));
    textArea->ensureUserAgentShadowRoot();

Does it mean that root cause of this crash is the absence of assigned slot for |node|?
Comment 3 Ryosuke Niwa 2020-03-14 23:42:59 PDT
(In reply to Eugene But from comment #2)
>
> |node| is WebCoreText with whitespace value (" "), but the browser also
> crashes with non-whitespace text. |node| has a parent (HTMLTextAreaElement),
> and that parent has shadow root, but shadow root does not have an assigned
> slot:
> 
> 
> inline ComposedTreeAncestorIterator&
> ComposedTreeAncestorIterator::traverseParent()
> {
>     auto* parent = m_current->parentNode();
>     ...
>     if (auto* shadowRoot = parent->shadowRoot()) {
>         m_current = shadowRoot->findAssignedSlot(*m_current);
>         return *this;
>     }
> 
> The fact that HTMLTextAreaElement has shadow root seems correct:

Yes, that's expected.

> Ref<HTMLTextAreaElement> HTMLTextAreaElement::create(const QualifiedName&
> tagName, Document& document, HTMLFormElement* form)
> {
>     auto textArea = adoptRef(*new HTMLTextAreaElement(tagName, document,
> form));
>     textArea->ensureUserAgentShadowRoot();
> 
> Does it mean that root cause of this crash is the absence of assigned slot
> for |node|?

No, that on its own is not an issue. In fact, some shadow trees would never have a slot. The bug here is that we're missing nullptr check of value in ApplyStyleCommand::computedFontSize. Pinki (cc'ed) and I were investigating this bug yesterday, and we concluded that we want to add a null check here.
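The null dereference described in comments 2 and 3, modelled as an added stand-alone C++ example (not WebKit's code): minimal stand-ins for CSSValue, CSSPrimitiveValue, Node and the font-size property lookup, the excerpt's unchecked form, and a null-checked form. That the checked form returns 0 for a missing value is an assumption of this example, not taken from the landed patch.

```cpp
#include <memory>
#include <optional>
enum CSSUnitType { CSS_PX };

struct CSSValue {
    virtual ~CSSValue() = default;
    virtual bool isPrimitiveValue() const { return false; }
};
struct CSSPrimitiveValue : CSSValue {
    explicit CSSPrimitiveValue(float px) : m_px(px) {}
    bool isPrimitiveValue() const override { return true; }
    float floatValue(CSSUnitType) const { return m_px; }
    float m_px;
};

// Stand-in DOM node: has a font-size only when it has a computed style. The
// report's text node (in a textarea's user-agent shadow root, unslotted) has none.
struct Node {
    std::optional<float> fontSizePx;
};

// Stand-in for ComputedStyleExtractor(node).propertyValue(CSSPropertyFontSize):
// returns nullptr when there is no computed style to read from.
std::unique_ptr<CSSValue> fontSizePropertyValue(const Node& node)
{
    if (!node.fontSizePx)
        return nullptr;
    return std::make_unique<CSSPrimitiveValue>(*node.fontSizePx);
}

// Mirrors the excerpt in comment 2: |value| is dereferenced with no null check,
// so an unstyled node reads through a null object (the SEGV near address 0 in
// the ASan report). Only ever call this with a styled node.
float computedFontSizeUnchecked(const Node* node)
{
    if (!node)
        return 0;
    auto value = fontSizePropertyValue(*node);
    return static_cast<CSSPrimitiveValue&>(*value).floatValue(CSS_PX);
}

// Hardened form with the null check comment 3 calls for. Returning 0 for a
// missing value is this example's assumption, mirroring the existing !node guard.
float computedFontSize(const Node* node)
{
    if (!node)
        return 0;
    auto value = fontSizePropertyValue(*node);
    if (!value || !value->isPrimitiveValue())
        return 0;
    return static_cast<CSSPrimitiveValue&>(*value).floatValue(CSS_PX);
}

// Constructed sample nodes (not from the report's test case) for the demo.
const Node* styledTextNode() { static Node n{16.0f}; return &n; }
const Node* slotlessTextNode() { static Node n{}; return &n; }
```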
Comment 4 Eugene But 2020-03-16 09:38:43 PDT
Thanks for the update. I'm trying to learn more about WebKit and information like this is very useful.
Comment 5 Pinki Gyanchandani 2020-03-16 10:54:49 PDT
Created attachment 393663 [details]
Patch
Comment 6 Pinki Gyanchandani 2020-03-16 13:14:41 PDT
Created attachment 393677 [details]
Patch
Comment 7 Pinki Gyanchandani 2020-03-16 13:16:10 PDT
Comment on attachment 393677 [details]
Patch

Updated Reviewed By section in Change log.

Kindly commit the patch
Comment 8 Ryosuke Niwa 2020-03-16 14:14:00 PDT
Comment on attachment 393677 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393677&action=review

> Source/WebCore/ChangeLog:6
> +        Reviewed by Alex Christensen.

You need to revert this.

> LayoutTests/ChangeLog:6
> +        Reviewed by Alex Christensen.

Ditto.
Comment 9 Alex Christensen 2020-03-16 14:17:04 PDT
Comment on attachment 393677 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=393677&action=review

>> Source/WebCore/ChangeLog:6
>> +        Reviewed by Alex Christensen.
> 
> You need to revert this.

Why?  I did review it.
Comment 10 Ryosuke Niwa 2020-03-16 14:24:07 PDT
This is not a security bug.
Comment 11 WebKit Commit Bot 2020-03-16 15:10:39 PDT
Comment on attachment 393663 [details]
Patch

Clearing flags on attachment: 393663

Committed r258522: <https://trac.webkit.org/changeset/258522>
Comment 12 WebKit Commit Bot 2020-03-16 15:10:41 PDT
All reviewed patches have been landed.  Closing bug.