[Webkit-unassigned] [Bug 205128] New: use-after-free READ @ WebCore::EventHandler::focusDocumentView

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 11 11:24:49 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=205128

            Bug ID: 205128
           Summary: use-after-free READ @
                    WebCore::EventHandler::focusDocumentView
           Product: WebKit
           Version: WebKit Local Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: shihchieh_lee at apple.com

Created attachment 385415

  --> https://bugs.webkit.org/attachment.cgi?id=385415&action=review

HTML that causes the crash

#---------------
  DumpRenderTree repro_input--19C47--51302970-0..html
 # CRASH here 
#---------------
==9814==ERROR: AddressSanitizer: heap-use-after-free on address 0x61700011a000 at pc 0x00011de32d74 bp 0x7ffeed816a50 sp 0x7ffeed816a48
READ of size 8 at 0x61700011a000 thread T0
    #0 0x11de32d73 in WebCore::EventHandler::focusDocumentView() (WebCore:x86_64+0x14f1d73)
    #1 0x11d350a58 in WebCore::jsDOMWindowInstanceFunctionFocusBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMWindow*, JSC::ThrowScope&) (WebCore:x86_64+0xa0fa58)
    #2 0x11d2201eb in long long WebCore::IDLOperation<WebCore::JSDOMWindow>::call<&(WebCore::jsDOMWindowInstanceFunctionFocusBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMWindow*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (WebCore:x86_64+0x8df1eb)
    #3 0x368451a0116a  
    #4 0x109002613 in llint_entry (JavaScriptCore:x86_64+0xa3a613)
    #5 0x109002613 in llint_entry (JavaScriptCore:x86_64+0xa3a613)
    #6 0x108febc38 in vmEntryToJavaScript (JavaScriptCore:x86_64+0xa23c38)
    #7 0x10a6098db in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (JavaScriptCore:x86_64+0x20418db)
    #8 0x10ac04f70 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (JavaScriptCore:x86_64+0x263cf70)
    #9 0x10ac05071 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (JavaScriptCore:x86_64+0x263d071)
    #10 0x10ac0544f in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (JavaScriptCore:x86_64+0x263d44f)
    #11 0x11f38eb34 in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (WebCore:x86_64+0x2a4db34)
    #12 0x11f3b737c in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (WebCore:x86_64+0x2a7637c)
    #13 0x11fb7de44 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) (WebCore:x86_64+0x323ce44)
    #14 0x11fb79117 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) (WebCore:x86_64+0x3238117)
    #15 0x1209138a7 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (WebCore:x86_64+0x3fd28a7)
    #16 0x12092608f in WebCore::DOMWindow::dispatchLoadEvent() (WebCore:x86_64+0x3fe508f)
    #17 0x11fa538bf in WebCore::Document::dispatchWindowLoadEvent() (WebCore:x86_64+0x31128bf)
    #18 0x11fa53270 in WebCore::Document::implicitClose() (WebCore:x86_64+0x3112270)
    #19 0x12074d5a2 in WebCore::FrameLoader::checkCompleted() (WebCore:x86_64+0x3e0c5a2)
    #20 0x12074e229 in WebCore::FrameLoader::completed() (WebCore:x86_64+0x3e0d229)
    #21 0x12074d5c5 in WebCore::FrameLoader::checkCompleted() (WebCore:x86_64+0x3e0c5c5)
    #22 0x120766ef6 in WebCore::FrameLoader::receivedMainResourceError(WebCore::ResourceError const&) (WebCore:x86_64+0x3e25ef6)
    #23 0x1206e0740 in WebCore::DocumentLoader::mainReceivedError(WebCore::ResourceError const&) (WebCore:x86_64+0x3d9f740)
    #24 0x1206e2064 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (WebCore:x86_64+0x3da1064)
    #25 0x12087b52b in WebCore::CachedResource::checkNotify() (WebCore:x86_64+0x3f3a52b)
    #26 0x12087b82f in WebCore::CachedResource::cancelLoad() (WebCore:x86_64+0x3f3a82f)
    #27 0x1207fa368 in WebCore::SubresourceLoader::didCancel(WebCore::ResourceError const&) (WebCore:x86_64+0x3eb9368)
    #28 0x1207d8d6b in WebCore::ResourceLoader::cancel(WebCore::ResourceError const&) (WebCore:x86_64+0x3e97d6b)
    #29 0x1206e1cae in WebCore::DocumentLoader::cancelMainResourceLoad(WebCore::ResourceError const&) (WebCore:x86_64+0x3da0cae)
    #30 0x1206e89df in WebCore::DocumentLoader::stopLoadingForPolicyChange() (WebCore:x86_64+0x3da79df)
    #31 0x1206e7c9b in WebCore::DocumentLoader::continueAfterContentPolicy(WebCore::PolicyAction) (WebCore:x86_64+0x3da6c9b)
    #32 0x120725455 in WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&)::$_3::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) (WebCore:x86_64+0x3de4455)
    #33 0x12072510c in WTF::Detail::CallableWrapper<WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&)::$_3, void, WebCore::PolicyAction, WebCore::PolicyCheckIdentifier>::call(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) (WebCore:x86_64+0x3de410c)
    #34 0x106f114df in WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) const (WebKitLegacy:x86_64+0x20e4df)
    #35 0x106f11caa in -[WebFramePolicyListener receivedPolicyDecision:] (WebKitLegacy:x86_64+0x20ecaa)
    #36 0x107053b57 in -[WebDefaultPolicyDelegate webView:decidePolicyForMIMEType:request:frame:decisionListener:] (WebKitLegacy:x86_64+0x350b57)
    #37 0x7fff3045defb in __invoking___ (CoreFoundation:x86_64+0x65efb)
    #38 0x7fff3045dd97 in -[NSInvocation invoke] (CoreFoundation:x86_64+0x65d97)
    #39 0x7fff30491a02 in -[NSInvocation invokeWithTarget:] (CoreFoundation:x86_64+0x99a02)
    #40 0x106fd6cf3 in -[_WebSafeForwarder forwardInvocation:] (WebKitLegacy:x86_64+0x2d3cf3)
    #41 0x7fff3045c79d in ___forwarding___ (CoreFoundation:x86_64+0x6479d)
    #42 0x7fff3045c3d7 in _CF_forwarding_prep_0 (CoreFoundation:x86_64+0x643d7)
    #43 0x106f04122 in WebFrameLoaderClient::dispatchDecidePolicyForResponse(WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, WebCore::PolicyCheckIdentifier, WTF::String const&, WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>&&) (WebKitLegacy:x86_64+0x201122)
    #44 0x120746892 in WebCore::FrameLoader::checkContentPolicy(WebCore::ResourceResponse const&, WebCore::PolicyCheckIdentifier, WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>&&) (WebCore:x86_64+0x3e05892)
    #45 0x1206e497d in WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&) (WebCore:x86_64+0x3da397d)
    #46 0x1206e75c2 in WebCore::DocumentLoader::responseReceived(WebCore::CachedResource&, WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&) (WebCore:x86_64+0x3da65c2)
    #47 0x1208790d0 in WebCore::CachedRawResource::responseReceived(WebCore::ResourceResponse const&) (WebCore:x86_64+0x3f380d0)
    #48 0x1207f75bf in WebCore::SubresourceLoader::didReceiveResponse(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&) (WebCore:x86_64+0x3eb65bf)
    #49 0x1207eb48b in auto WebCore::ResourceLoader::loadDataURL()::$_2::operator()<WTF::Optional<WebCore::DataURLDecoder::Result> >(WTF::Optional<WebCore::DataURLDecoder::Result>) (WebCore:x86_64+0x3eaa48b)
    #50 0x1207eacad in WTF::Detail::CallableWrapper<WebCore::ResourceLoader::loadDataURL()::$_2, void, WTF::Optional<WebCore::DataURLDecoder::Result> >::call(WTF::Optional<WebCore::DataURLDecoder::Result>) (WebCore:x86_64+0x3ea9cad)
    #51 0x121112c03 in WTF::Function<void (WTF::Optional<WebCore::DataURLDecoder::Result>)>::operator()(WTF::Optional<WebCore::DataURLDecoder::Result>) const (WebCore:x86_64+0x47d1c03)
    #52 0x121112a3e in WebCore::DataURLDecoder::DecodingResultDispatcher::timerFired() (WebCore:x86_64+0x47d1a3e)
    #53 0x108685ca1 in WTF::timerFired(__CFRunLoopTimer*, void*) (JavaScriptCore:x86_64+0xbdca1)
    #54 0x7fff30497455 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (CoreFoundation:x86_64+0x9f455)
    #55 0x7fff3049700f in __CFRunLoopDoTimer (CoreFoundation:x86_64+0x9f00f)
    #56 0x7fff30496ae2 in __CFRunLoopDoTimers (CoreFoundation:x86_64+0x9eae2)
    #57 0x7fff3047b65f in __CFRunLoopRun (CoreFoundation:x86_64+0x8365f)
    #58 0x7fff3047a737 in CFRunLoopRunSpecific (CoreFoundation:x86_64+0x82737)
    #59 0x102415591 in runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) DumpRenderTree.mm:2104
    #60 0x1024138c2 in dumpRenderTree(int, char const**) DumpRenderTree.mm:1334
    #61 0x10241614f in DumpRenderTreeMain(int, char const**) DumpRenderTree.mm:1443
    #62 0x7fff67b287fc+0x1a7fc)

0x61700011a000 is located 0 bytes inside of 728-byte region [0x61700011a000,0x61700011a2d8)
freed by thread T0 here:
    #0 0x1030b75d6 in __sanitizer_mz_free (:x86_64+0x435d6)
    #1 0x120992b2f in WebCore::Frame::~Frame() (WebCore:x86_64+0x4051b2f)
    #2 0x12099327d in WebCore::Frame::~Frame() (WebCore:x86_64+0x405227d)
    #3 0x11d872d49 in WTF::ThreadSafeRefCounted<WebCore::AbstractFrame, (WTF::DestructionThread)0>::deref() const (WebCore:x86_64+0xf31d49)
    #4 0x12099e898 in WebCore::FrameView::~FrameView() (WebCore:x86_64+0x405d898)
    #5 0x12099eb2d in WebCore::FrameView::~FrameView() (WebCore:x86_64+0x405db2d)
    #6 0x11de55994 in WTF::RefCounted<WebCore::Widget, std::__1::default_delete<WebCore::Widget> >::deref() const (WebCore:x86_64+0x1514994)
    #7 0x12164a956 in WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::DumbPtrTraits<WebCore::Widget> >, WebCore::FrameView*>::~KeyValuePair() (WebCore:x86_64+0x4d09956)
    #8 0x12164a7bc in WTF::HashTable<WTF::RefPtr<WebCore::Widget, WTF::DumbPtrTraits<WebCore::Widget> >, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::DumbPtrTraits<WebCore::Widget> >, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::DumbPtrTraits<WebCore::Widget> >, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget, WTF::DumbPtrTraits<WebCore::Widget> > >, WTF::HashMap<WTF::RefPtr<WebCore::Widget, WTF::DumbPtrTraits<WebCore::Widget> >, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget, WTF::DumbPtrTraits<WebCore::Widget> > >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::DumbPtrTraits<WebCore::Widget> > >, WTF::HashTraits<WebCore::FrameView*> >::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::DumbPtrTraits<WebCore::Widget> > > >::deallocateTable(WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::DumbPtrTraits<WebCore::Widget> >, WebCore::FrameView*>*, unsigned int) (WebCore:x86_64+0x4d097bc)
    #9 0x12162f24d in WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets() (WebCore:x86_64+0x4cee24d)
    #10 0x11de4f612 in WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope() (WebCore:x86_64+0x150e612)
    #11 0x11f9e485e in WebCore::ContainerNode::removeChild(WebCore::Node&) (WebCore:x86_64+0x30a385e)
    #12 0x1200f51e7 in WebCore::HTMLTableElement::deleteCaption() (WebCore:x86_64+0x37b41e7)
    #13 0x11d80ab2d in WebCore::jsHTMLTableElementPrototypeFunctionDeleteCaptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSHTMLTableElement*, JSC::ThrowScope&) (WebCore:x86_64+0xec9b2d)
    #14 0x11d7375d6 in long long WebCore::IDLOperation<WebCore::JSHTMLTableElement>::call<&(WebCore::jsHTMLTableElementPrototypeFunctionDeleteCaptionBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSHTMLTableElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (WebCore:x86_64+0xdf65d6)
    #15 0x368451a0116a  
    #16 0x109002613 in llint_entry (JavaScriptCore:x86_64+0xa3a613)
    #17 0x109002613 in llint_entry (JavaScriptCore:x86_64+0xa3a613)
    #18 0x108febc38 in vmEntryToJavaScript (JavaScriptCore:x86_64+0xa23c38)
    #19 0x10a6098db in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (JavaScriptCore:x86_64+0x20418db)
    #20 0x10ac04f70 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (JavaScriptCore:x86_64+0x263cf70)
    #21 0x10ac05071 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (JavaScriptCore:x86_64+0x263d071)
    #22 0x10ac0544f in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (JavaScriptCore:x86_64+0x263d44f)
    #23 0x11f38eb34 in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (WebCore:x86_64+0x2a4db34)
    #24 0x11f3b737c in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (WebCore:x86_64+0x2a7637c)
    #25 0x11fb7de44 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) (WebCore:x86_64+0x323ce44)
    #26 0x11fb79117 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) (WebCore:x86_64+0x3238117)
    #27 0x11fb55d06 in WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const (WebCore:x86_64+0x3214d06)
    #28 0x11fb56f09 in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (WebCore:x86_64+0x3215f09)
    #29 0x11fb56886 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (WebCore:x86_64+0x3215886)

previously allocated by thread T0 here:
    #0 0x1030b71cd in __sanitizer_mz_malloc (:x86_64+0x431cd)
    #1 0x7fff67ce3069 in malloc_zone_malloc (libsystem_malloc.dylib:x86_64+0x1069)
    #2 0x10876de78 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction) (JavaScriptCore:x86_64+0x1a5e78)
    #3 0x1209d76f9 in WTF::UniqueRef<WebCore::EventHandler> WTF::makeUniqueRefWithoutFastMallocCheck<WebCore::EventHandler, WebCore::Frame&>(WebCore::Frame&) (WebCore:x86_64+0x40966f9)
    #4 0x12099274b in WTF::UniqueRef<WebCore::EventHandler> WTF::makeUniqueRef<WebCore::EventHandler, WebCore::Frame&>(WebCore::Frame&) (WebCore:x86_64+0x405174b)
    #5 0x1209923ea in WebCore::Frame::Frame(WebCore::Page&, WebCore::HTMLFrameOwnerElement*, WebCore::FrameLoaderClient&) (WebCore:x86_64+0x40513ea)
    #6 0x1209928d7 in WebCore::Frame::create(WebCore::Page*, WebCore::HTMLFrameOwnerElement*, WebCore::FrameLoaderClient*) (WebCore:x86_64+0x40518d7)
    #7 0x106f246f5 in +[WebFrame(WebInternal) _createFrameWithPage:frameName:frameView:ownerElement:] (WebKitLegacy:x86_64+0x2216f5)
    #8 0x106f24df9 in +[WebFrame(WebInternal) _createSubframeWithOwnerElement:frameName:frameView:] (WebKitLegacy:x86_64+0x221df9)
    #9 0x106f0b5ca in WebFrameLoaderClient::createFrame(WTF::URL const&, WTF::String const&, WebCore::HTMLFrameOwnerElement&, WTF::String const&) (WebKitLegacy:x86_64+0x2085ca)
    #10 0x1207dfcd3 in WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement&, WTF::URL const&, WTF::String const&, WTF::String const&) (WebCore:x86_64+0x3e9ecd3)
    #11 0x1207dd8a3 in WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement&, WTF::URL const&, WTF::AtomString const&, WebCore::LockHistory, WebCore::LockBackForwardList) (WebCore:x86_64+0x3e9c8a3)
    #12 0x1207dd222 in WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement&, WTF::String const&, WTF::AtomString const&, WebCore::LockHistory, WebCore::LockBackForwardList) (WebCore:x86_64+0x3e9c222)
    #13 0x11ffcf8cb in WebCore::HTMLFrameElementBase::openURL(WebCore::LockHistory, WebCore::LockBackForwardList) (WebCore:x
abort() called
