Created attachment 474155 [details] Minimal test case Filing this as a security bug since it was found using a fuzzer; there's no disclosure deadline for this bug. This reproduces in an ASan build of WebKitTestRunner at 289897@main Stack: ================================================================= ==71259==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x000650e07657 bp 0x7ff7b0204710 sp 0x7ff7b02046f0 T0) ==71259==The signal is caused by a READ memory access. ==71259==Hint: address points to the zero page. ==71259==WARNING: failed to spawn external symbolizer (errno: 25) ==71259==WARNING: failed to spawn external symbolizer (errno: 25) ==71259==WARNING: failed to spawn external symbolizer (errno: 25) ==71259==WARNING: failed to spawn external symbolizer (errno: 25) ==71259==WARNING: failed to spawn external symbolizer (errno: 25) ==71259==WARNING: Failed to use and restart external symbolizer! #0 0x650e07657 in WebCore::Path::contains(WebCore::FloatPoint const&, WebCore::WindRule) const+0x37 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x90cf657) #1 0x65280df2c in WebCore::SVGGeometryElement::isPointInFill(WebCore::DOMPointInit&&)+0x2dc (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0xaad5f2c) #2 0x64a8bb781 in WebCore::jsSVGGeometryElementPrototypeFunction_isPointInFill(JSC::JSGlobalObject*, JSC::CallFrame*)+0x281 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x2b83781) #3 0x65b994037 (<unknown module>) #4 0x60ff57534 in llint_entry+0x1f20c (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5c89534) #5 0x60ff58684 in llint_entry+0x2035c (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5c8a684) #6 0x60ff381c3 in vmEntryToJavaScript+0xbb (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5c6a1c3) #7 0x60d4dc864 in JSC::Interpreter::executeCall(JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0xaa4 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x320e864) #8 0x60de23def in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xff (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3b55def) #9 0x60de24354 in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x124 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3b56354) #10 0x64d02082b in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0x147b (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x52e882b) #11 0x64e61c773 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener>>, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x6b3 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x68e4773) #12 0x64e5f4516 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x296 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x68bc516) #13 0x64e5f3a45 in WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const+0x565 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x68bba45) #14 0x64e5f990e in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&)+0x30e (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x68c190e) #15 0x64e5f7e69 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&)+0x2299 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x68bfe69) #16 0x64e8994e2 in WTF::Detail::CallableWrapper<WebCore::ToggleEventTask::queue(WebCore::ToggleState, WebCore::ToggleState)::$_1, void>::call()+0x612 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x6b614e2) #17 0x64e6044f0 in WebCore::EventLoop::run(std::__1::optional<WTF::ApproximateTime>)+0x450 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x68cc4f0) #18 0x64e91ca2a in WebCore::WindowEventLoop::didReachTimeToRun()+0x11a (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x6be4a2a) #19 0x64e920362 in WTF::Detail::CallableWrapper<WebCore::Timer::Timer<WebCore::WindowEventLoop, WebCore::WindowEventLoop>(WebCore::WindowEventLoop&, void (WebCore::WindowEventLoop::*)())::'lambda'(), void>::call()+0x172 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x6be8362) #20 0x6509161c5 in WebCore::ThreadTimers::sharedTimerFiredInternal()+0x305 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x8bde1c5) #21 0x650aa748d in WebCore::timerFired(__CFRunLoopTimer*, void*)+0x7d (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebCore.framework/Versions/A/WebCore:x86_64+0x8d6f48d) #22 0x7ff806e6e44b in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__+0x13 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x9744b) #23 0x7ff806e6dff9 in __CFRunLoopDoTimer+0x310 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x96ff9) #24 0x7ff806e6dc35 in __CFRunLoopDoTimers+0x11c (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x96c35) #25 0x7ff806e51f11 in __CFRunLoopRun+0x837 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7af11) #26 0x7ff806e51111 in CFRunLoopRunSpecific+0x22c (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7a111) #27 0x7ff807e02b10 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7 (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x5cb10) #28 0x7ff807e8590a in -[NSRunLoop(NSRunLoop) run]+0x4b (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0xdf90a) #29 0x7ff806a8f3f8 in _xpc_objc_main+0x25d (/usr/lib/system/libxpc.dylib:x86_64+0x163f8) #30 0x7ff806a9bfa2 in _xpc_main+0x102 (/usr/lib/system/libxpc.dylib:x86_64+0x22fa2) #31 0x7ff806a8f01b in xpc_main+0x37 (/usr/lib/system/libxpc.dylib:x86_64+0x1601b) #32 0x617b76162 in WebKit::XPCServiceMain(int, char const**)+0x82 (/Users/chrome-bot/clusterfuzz/bot/builds/chrome-ios-webkit-to-fuzz_ios-webkit-to-fuzz_cb292771138f3c7c4bb12f2df778e2b1c42b4cd7/revisions/WebKitMacOS/WebKit.framework/Versions/A/WebKit:x86_64+0x1b8d162) #33 0x7ff8069ea365 in start+0x795 (/usr/lib/dyld:x86_64+0xfffffffffff5c365) ==71259==Register values: rax = 0x0000000000000000 rbx = 0x00007ff7b0204760 rcx = 0x0000100000000000 rdx = 0x0000000000000000 rdi = 0x0000000000000040 rsi = 0x00007ff7b0204760 rbp = 0x00007ff7b0204710 rsp = 0x00007ff7b02046f0 r8 = 0x00001000ca8e47c9 r9 = 0x00001c34000081b0 r10 = 0x0000000000000000 r11 = 0x00000fffffffffff r12 = 0x00006120000c9640 r13 = 0x00001ffef60408e4 r14 = 0x0000000000000000 r15 = 0x0000000000000000