Bug 220353 - Nullptr crash in Node::isTextNode() via ReplaceSelectionCommand::doApply()
Summary: Nullptr crash in Node::isTextNode() via ReplaceSelectionCommand::doApply()
Status: RESOLVED CONFIGURATION CHANGED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML Editing
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Rob Buis
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-01-05 23:05 PST by Ryosuke Niwa
Modified: 2021-01-25 18:01 PST
CC List: 10 users

See Also:


Attachments
Test (484.01 KB, text/html)
2021-01-05 23:06 PST, Ryosuke Niwa
no flags
Reduced testcase (747 bytes, text/html)
2021-01-11 08:46 PST, Rob Buis
no flags
Patch (5.41 KB, patch)
2021-01-25 05:47 PST, Rob Buis
no flags

Description Ryosuke Niwa 2021-01-05 23:05:52 PST
e.g.

ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x00054f60793e bp 0x7ffee3e441f0 sp 0x7ffee3e44140 T0)

    #0 0x54f60793e in WTF::OptionSet<WebCore::Node::NodeFlag>::containsAny(WTF::OptionSet<WebCore::Node::NodeFlag>) const+0xbe (WebCore.framework/Versions/A/WebCore:x86_64+0x1c593e)
    #1 0x54f607819 in WTF::OptionSet<WebCore::Node::NodeFlag>::contains(WebCore::Node::NodeFlag) const+0xd9 (WebCore.framework/Versions/A/WebCore:x86_64+0x1c5819)
    #2 0x54f60773c in WebCore::Node::hasNodeFlag(WebCore::Node::NodeFlag) const+0xc (WebCore.framework/Versions/A/WebCore:x86_64+0x1c573c)
    #3 0x55038899d in WebCore::Node::isTextNode() const+0xd (WebCore.framework/Versions/A/WebCore:x86_64+0xf4699d)
    #4 0x55302bce0 in WebCore::ReplaceSelectionCommand::doApply()+0x1640 (WebCore.framework/Versions/A/WebCore:x86_64+0x3be9ce0)
    #5 0x552f2b656 in WebCore::CompositeEditCommand::apply()+0x216 (WebCore.framework/Versions/A/WebCore:x86_64+0x3ae9656)
    #6 0x552fede29 in WebCore::executeInsertFragment(WebCore::Frame&, WTF::Ref<WebCore::DocumentFragment, WTF::RawPtrTraits<WebCore::DocumentFragment> >&&)+0x159 (WebCore.framework/Versions/A/WebCore:x86_64+0x3babe29)
    #7 0x552fe7cdc in WebCore::executeInsertHTML(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)+0xdc (WebCore.framework/Versions/A/WebCore:x86_64+0x3ba5cdc)
    #8 0x552fad4db in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const+0xdb (WebCore.framework/Versions/A/WebCore:x86_64+0x3b6b4db)
    #9 0x552c2d413 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)+0xf3 (WebCore.framework/Versions/A/WebCore:x86_64+0x37eb413)
    #10 0x54ff09079 in WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)+0x469 (WebCore.framework/Versions/A/WebCore:x86_64+0xac7079)
    #11 0x54ff08b6b in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0xfb (WebCore.framework/Versions/A/WebCore:x86_64+0xac6b6b)
    #12 0x54fef3448 in WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0xab1448)
    #13 0x3ba3cfe011d7  (<unknown module>)
    #14 0x56fe68bce in llint_entry+0x1a8a6 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc2ebce)
    #15 0x56fe4e128 in vmEntryToJavaScript+0xd7 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc14128)
    #16 0x571635621 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x611 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x23fb621)
    #17 0x571d025e4 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x64 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac85e4)
    #18 0x571d026df in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xdf (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac86df)
    #19 0x571d02a9b in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10b (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac8a9b)
    #20 0x5524873b8 in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xe8 (WebCore.framework/Versions/A/WebCore:x86_64+0x30453b8)
    #21 0x5524b394a in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0xaaa (WebCore.framework/Versions/A/WebCore:x86_64+0x307194a)
    #22 0x552d597d2 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x522 (WebCore.framework/Versions/A/WebCore:x86_64+0x39177d2)
    #23 0x552d54542 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x1b2 (WebCore.framework/Versions/A/WebCore:x86_64+0x3912542)
    #24 0x552dcde0d in WebCore::Node::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0xed (WebCore.framework/Versions/A/WebCore:x86_64+0x398be0d)
    #25 0x552d23830 in WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const+0x1f0 (WebCore.framework/Versions/A/WebCore:x86_64+0x38e1830)
    #26 0x552d25249 in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&)+0x179 (WebCore.framework/Versions/A/WebCore:x86_64+0x38e3249)
    #27 0x552d245fc in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&)+0x55c (WebCore.framework/Versions/A/WebCore:x86_64+0x38e25fc)
    #28 0x552dcde78 in WebCore::Node::dispatchEvent(WebCore::Event&)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0x398be78)
    #29 0x552e38c97 in WebCore::ScopedEventQueue::dispatchEvent(WebCore::ScopedEventQueue::ScopedEvent const&) const+0x57 (WebCore.framework/Versions/A/WebCore:x86_64+0x39f6c97)
    #30 0x552e38b07 in WebCore::ScopedEventQueue::enqueueEvent(WTF::Ref<WebCore::Event, WTF::RawPtrTraits<WebCore::Event> >&&)+0x187 (WebCore.framework/Versions/A/WebCore:x86_64+0x39f6b07)
    #31 0x552d23dbe in WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&)+0x16e (WebCore.framework/Versions/A/WebCore:x86_64+0x38e1dbe)
    #32 0x552dcde68 in WebCore::Node::dispatchScopedEvent(WebCore::Event&)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0x398be68)
    #33 0x552dce05f in WebCore::Node::dispatchSubtreeModifiedEvent()+0x1df (WebCore.framework/Versions/A/WebCore:x86_64+0x398c05f)
    #34 0x552d0fb23 in WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomString const&)+0x1e3 (WebCore.framework/Versions/A/WebCore:x86_64+0x38cdb23)
    #35 0x552d0f6ca in WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute)+0x16a (WebCore.framework/Versions/A/WebCore:x86_64+0x38cd6ca)
    #36 0x552d0660c in WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute)+0x13c (WebCore.framework/Versions/A/WebCore:x86_64+0x38c460c)
    #37 0x552d06c7e in WebCore::Element::setAttribute(WTF::AtomString const&, WTF::AtomString const&)+0x4de (WebCore.framework/Versions/A/WebCore:x86_64+0x38c4c7e)
    #38 0x54ff2193b in WebCore::jsElementPrototypeFunction_setAttributeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)+0x37b (WebCore.framework/Versions/A/WebCore:x86_64+0xadf93b)
    #39 0x54ff2151b in long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunction_setAttributeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0xfb (WebCore.framework/Versions/A/WebCore:x86_64+0xadf51b)
    #40 0x54ff1fb48 in WebCore::jsElementPrototypeFunction_setAttribute(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0xaddb48)
    #41 0x3ba3cfe011d7  (<unknown module>)
    #42 0x56fe68bce in llint_entry+0x1a8a6 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc2ebce)
    #43 0x56fe4e128 in vmEntryToJavaScript+0xd7 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc14128)
    #44 0x571635621 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x611 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x23fb621)
    #45 0x571d025e4 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x64 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac85e4)
    #46 0x571d026df in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xdf (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac86df)
    #47 0x571d02a9b in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10b (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2ac8a9b)
    #48 0x5524873b8 in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xe8 (WebCore.framework/Versions/A/WebCore:x86_64+0x30453b8)
    #49 0x55248688f in WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&)+0x34f (WebCore.framework/Versions/A/WebCore:x86_64+0x304488f)
    #50 0x54f99b54f in WebCore::JSCallbackDataStrong::invokeCallback(JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&)+0xef (WebCore.framework/Versions/A/WebCore:x86_64+0x55954f)
    #51 0x54fac0af1 in WebCore::JSBlobCallback::handleEvent(WebCore::Blob*)+0x291 (WebCore.framework/Versions/A/WebCore:x86_64+0x67eaf1)
    #52 0x5530ec918 in WebCore::BlobCallback::scheduleCallback(WebCore::ScriptExecutionContext&, WTF::RefPtr<WebCore::Blob, WTF::RawPtrTraits<WebCore::Blob>, WTF::DefaultRefDerefTraits<WebCore::Blob> >&&)::$_10::operator()(WebCore::ScriptExecutionContext&) const+0x58 (WebCore.framework/Versions/A/WebCore:x86_64+0x3caa918)
    #53 0x5530ec5ac in WTF::Detail::CallableWrapper<WebCore::BlobCallback::scheduleCallback(WebCore::ScriptExecutionContext&, WTF::RefPtr<WebCore::Blob, WTF::RawPtrTraits<WebCore::Blob>, WTF::DefaultRefDerefTraits<WebCore::Blob> >&&)::$_10, void, WebCore::ScriptExecutionContext&>::call(WebCore::ScriptExecutionContext&)+0x1c (WebCore.framework/Versions/A/WebCore:x86_64+0x3caa5ac)
    #54 0x5521e6533 in WTF::Function<void (WebCore::ScriptExecutionContext&)>::operator()(WebCore::ScriptExecutionContext&) const+0x53 (WebCore.framework/Versions/A/WebCore:x86_64+0x2da4533)
    #55 0x5521ccfd8 in WebCore::ScriptExecutionContext::Task::performTask(WebCore::ScriptExecutionContext&)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0x2d8afd8)
    #56 0x552cc3348 in WebCore::Document::postTask(WebCore::ScriptExecutionContext::Task&&)::$_13::operator()()+0x78 (WebCore.framework/Versions/A/WebCore:x86_64+0x3881348)

<rdar://problem/72654779>
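A triage helper for the report above, added here as an example and not part of the bug or of WebKit: it parses ASan's header and frame lines, flags the fault address as a near-null dereference (a field read through a null Node*, given the NodeFlag accessors on top of the stack), picks the first frame outside WTF:: as the one to name in a title, and counts JS entry points to show the re-entrancy visible in the full trace (execCommand running inside the DOMSubtreeModified listener that setAttribute fired). The sample input is a constructed subset of the frames quoted above.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the frames from the ASan report quoted above, copied verbatim
# (header, symbolized frames, one unsymbolized JIT frame, the two JS entry points).
SAMPLE_REPORT = """\
ERROR: AddressSanitizer: SEGV on unknown address 0x00000000001c (pc 0x00054f60793e bp 0x7ffee3e441f0 sp 0x7ffee3e44140 T0)
    #0 0x54f60793e in WTF::OptionSet<WebCore::Node::NodeFlag>::containsAny(WTF::OptionSet<WebCore::Node::NodeFlag>) const+0xbe (WebCore.framework/Versions/A/WebCore:x86_64+0x1c593e)
    #2 0x54f60773c in WebCore::Node::hasNodeFlag(WebCore::Node::NodeFlag) const+0xc (WebCore.framework/Versions/A/WebCore:x86_64+0x1c573c)
    #3 0x55038899d in WebCore::Node::isTextNode() const+0xd (WebCore.framework/Versions/A/WebCore:x86_64+0xf4699d)
    #4 0x55302bce0 in WebCore::ReplaceSelectionCommand::doApply()+0x1640 (WebCore.framework/Versions/A/WebCore:x86_64+0x3be9ce0)
    #13 0x3ba3cfe011d7  (<unknown module>)
    #15 0x56fe4e128 in vmEntryToJavaScript+0xd7 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc14128)
    #43 0x56fe4e128 in vmEntryToJavaScript+0xd7 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc14128)
"""

Frame = namedtuple("Frame", "index pc function module")  # function is None when ASan had no symbol
FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-fA-F]+)\s+(.*)$")
FAULT_RE = re.compile(r"AddressSanitizer: \S+ on unknown address 0x([0-9a-fA-F]+)")

def parse_frame(line):
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    rest = m.group(3)
    if rest.startswith("("):                      # "#13 0x... (<unknown module>)": JIT code, no symbol
        head, module = "", rest[1:-1]
    else:                                         # "in FUNC+0xOFF (MODULE:ARCH+0xOFF)"
        head, _, module = rest.rpartition(" (")
        module = module[:-1]
    function = re.sub(r"\+0x[0-9a-fA-F]+$", "", head[3:]) if head.startswith("in ") else None
    return Frame(int(m.group(1)), int(m.group(2), 16), function, module)

def parse_report(text):
    """Return (fault address or None, list of Frame) from an ASan SEGV report."""
    m = FAULT_RE.search(text)
    frames = [f for f in map(parse_frame, text.splitlines()) if f]
    return (int(m.group(1), 16) if m else None), frames

def is_near_null(address, page=0x1000):
    """A fault inside the first page is a field read through a null pointer, not a wild address."""
    return 0 <= address < page

def first_frame_outside(frames, namespaces=("WTF::",)):
    """First symbolized frame outside the utility namespaces: the one to name in a bug title."""
    return next((f for f in frames if f.function and not f.function.startswith(namespaces)), None)

def script_entry_depth(frames):
    """JS entry points on the stack; 2 means script re-entered the engine from an event listener."""
    return sum(1 for f in frames if f.function == "vmEntryToJavaScript")
```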
Comment 1 Ryosuke Niwa 2021-01-05 23:06:03 PST
Created attachment 417071
Test
Comment 2 Rob Buis 2021-01-11 08:46:21 PST
Created attachment 417383
Reduced testcase
Comment 3 Rob Buis 2021-01-25 05:47:22 PST
Created attachment 418282
Patch
Comment 4 Rob Buis 2021-01-25 05:55:35 PST
https://trac.webkit.org/changeset/271787 fixes this one as well. Do we want to do anything with the test case?
Comment 5 Ryosuke Niwa 2021-01-25 17:59:56 PST
(In reply to Rob Buis from comment #4)
> https://trac.webkit.org/changeset/271787 fixes this one as well. Do we want
> to do anything with the test case?

Nice!
Comment 6 Ryosuke Niwa 2021-01-25 18:01:20 PST
(In reply to Ryosuke Niwa from comment #5)
> (In reply to Rob Buis from comment #4)
> > https://trac.webkit.org/changeset/271787 fixes this one as well. Do we want
> > to do anything with the test case?
> 
> Nice!

I don't think we need to add a test given we're only fixing it because the fuzzer found it unless we encounter it again in the future.