242345 – nullptr crash in EventPath::buildPath via FullscreenManager::dispatchFullscreenChangeOrErrorEvent

Bug 242345 - nullptr crash in EventPath::buildPath via FullscreenManager::dispatchFullscreenChangeOrErrorEvent

Summary: nullptr crash in EventPath::buildPath via FullscreenManager::dispatchFullscre...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	DOM (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Ryosuke Niwa

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2022-07-05 10:03 PDT by Michael Saboff
Modified:	2022-08-08 12:30 PDT (History)
CC List:	13 users (show)

See Also:

Attachments
repro_972.html (348 bytes, text/html) 2022-07-05 10:03 PDT, Michael Saboff	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Saboff 2022-07-05 10:03:57 PDT

Created attachment 460685 [details]
repro_972.html

Summary:

this crashes:

<script>
  onload = async () => {
    let shadowRoot = document.createElement('div').attachShadow({mode: 'open'});
    window.r = new WeakRef(shadowRoot.children);
    let div2 = document.createElement('div');
    div2.webkitRequestFullscreen();
    shadowRoot.replaceChildren(div2);
    await undefined;
    GCController.collect();
  };
</script>


Steps To Reproduce:

Does not reproduce in DumpRenderTree.

DYLD_FRAMEWORK_PATH=<WEBKIT_PATH>/WebKitBuild/Release <WEBKIT_PATH>/WebKitBuild/Release/WebKitTestRunner --no-enable-all-experimental-features repro_972.html

Results:

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x000000000000001c
Exception Codes:       0x0000000000000001, 0x000000000000001c

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   WebCore       0x10d9ec6a0 WTF::OptionSet<WebCore::Node::NodeFlag>::containsAny(WTF::OptionSet<WebCore::Node::NodeFlag>) const + 0 (OptionSet.h:179) [inlined]
1   WebCore       0x10d9ec6a0 WTF::OptionSet<WebCore::Node::NodeFlag>::contains(WebCore::Node::NodeFlag) const + 0 (OptionSet.h:174) [inlined]
2   WebCore       0x10d9ec6a0 WebCore::Node::hasNodeFlag(WebCore::Node::NodeFlag) const + 0 (Node.h:611) [inlined]
3   WebCore       0x10d9ec6a0 WebCore::Node::isElementNode() const + 0 (Node.h:198) [inlined]
4   WebCore       0x10d9ec6a0 WebCore::Node::pseudoId() const + 0 (Node.h:213) [inlined]
5   WebCore       0x10d9ec6a0 WebCore::Node::isPseudoElement() const + 0 (Node.h:210) [inlined]
6   WebCore       0x10d9ec6a0 WTF::TypeCastTraits<WebCore::PseudoElement const, WebCore::Node const, false>::isType(WebCore::Node const&) + 0 (PseudoElement.h:62) [inlined]
7   WebCore       0x10d9ec6a0 WTF::TypeCastTraits<WebCore::PseudoElement const, WebCore::Node const, false>::isOfType(WebCore::Node const&) + 0 (PseudoElement.h:61) [inlined]
8   WebCore       0x10d9ec6a0 bool WTF::is<WebCore::PseudoElement, WebCore::Node>(WebCore::Node&) + 0 (TypeCasts.h:58) [inlined]
9   WebCore       0x10d9ec6a0 WebCore::EventPath::eventTargetRespectingTargetRules(WebCore::Node&) + 0 (EventPath.h:63) [inlined]
10  WebCore       0x10d9ec6a0 WebCore::EventPath::buildPath(WebCore::Node&, WebCore::Event&) + 1756 (EventPath.cpp:152)
11  WebCore       0x10d9ec62c WTF::TypeCastTraits<WebCore::Node const, WebCore::EventTarget const, false>::isType(WebCore::EventTarget const&) + 32 (Node.h:950) [inlined]
12  WebCore       0x10d9ec62c WTF::TypeCastTraits<WebCore::Node const, WebCore::EventTarget const, false>::isOfType(WebCore::EventTarget const&) + 32 (Node.h:949) [inlined]
13  WebCore       0x10d9ec62c bool WTF::is<WebCore::Node, WebCore::EventTarget>(WebCore::EventTarget&) + 32 (TypeCasts.h:58) [inlined]
14  WebCore       0x10d9ec62c std::__1::conditional<std::is_const_v<WebCore::EventTarget>, std::__1::add_const<WebCore::Node>::type, std::__1::remove_const<WebCore::Node>::type>::type& WTF::downcast<WebCore::Node, WebCore::EventTarget>(WebCore::EventTarget&) + 32 (TypeCasts.h:79) [inlined]
15  WebCore       0x10d9ec62c WebCore::shouldEventCrossShadowBoundary(WebCore::Event&, WebCore::ShadowRoot&, WebCore::EventTarget&) + 252 (EventPath.cpp:54) [inlined]
16  WebCore       0x10d9ec62c WebCore::EventPath::buildPath(WebCore::Node&, WebCore::Event&) + 1640 (EventPath.cpp:146)
17  WebCore       0x10d9ebeec WebCore::EventPath::EventPath(WebCore::Node&, WebCore::Event&) + 56 (EventPath.cpp:85)
18  WebCore       0x10d9e3dc8 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 124 (EventDispatcher.cpp:155)
19  WebCore       0x10d9f8380 WebCore::FullscreenManager::dispatchFullscreenChangeOrErrorEvent(WTF::Deque<WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >, 0ul>&, WTF::AtomString const&, bool) + 676 (FullscreenManager.cpp:606)

Regression:

I am seeing this on WebKit canonical revision 252021@main
Both asan and non-asan builds crash

Comment 1 Michael Saboff 2022-07-05 10:05:46 PDT

<rdar://96292712>

Comment 2 Ryosuke Niwa 2022-08-06 01:50:03 PDT

The issue is that FullscreenManager doesn't keep JS wrapper of change/error event nodes alive. As a result, GC will happily collect shadow root as well as its host and ancestors.

Comment 3 Ryosuke Niwa 2022-08-06 02:14:08 PDT

Not a security issue.

Comment 4 Ryosuke Niwa 2022-08-06 02:24:53 PDT

Pull request: https://github.com/WebKit/WebKit/pull/3074

Comment 5 EWS 2022-08-08 12:30:31 PDT

Committed 253227@main (29c4919ba55f): <https://commits.webkit.org/253227@main>

Reviewed commits have been landed. Closing PR #3074 and removing active labels.