[Webkit-unassigned] [Bug 205290] New: Null Ptr Deref in WebCore::findPlaceForCounter

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 16 11:26:34 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=205290

            Bug ID: 205290
           Summary: Null Ptr Deref in WebCore::findPlaceForCounter
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: shihchieh_lee at apple.com
                CC: bfulgham at webkit.org, simon.fraser at apple.com,
                    zalan at apple.com

rdar://problem/56730730

Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                   0x00007fff42f1e7dc WebCore::findPlaceForCounter(WebCore::RenderElement&, WTF::AtomString const&, bool) + 1164
1   com.apple.WebCore                   0x00007fff42f00e7b WebCore::makeCounterNode(WebCore::RenderElement&, WTF::AtomString const&, bool) + 1435
2   com.apple.WebCore                   0x00007fff42f1e42f WebCore::findPlaceForCounter(WebCore::RenderElement&, WTF::AtomString const&, bool) + 223
3   com.apple.WebCore                   0x00007fff42f00e7b WebCore::makeCounterNode(WebCore::RenderElement&, WTF::AtomString const&, bool) + 1435
4   com.apple.WebCore                   0x00007fff42f1e42f WebCore::findPlaceForCounter(WebCore::RenderElement&, WTF::AtomString const&, bool) + 223
5   com.apple.WebCore                   0x00007fff42f00e7b WebCore::makeCounterNode(WebCore::RenderElement&, WTF::AtomString const&, bool) + 1435
6   com.apple.WebCore                   0x00007fff42f1e42f WebCore::findPlaceForCounter(WebCore::RenderElement&, WTF::AtomString const&, bool) + 223
7   com.apple.WebCore                   0x00007fff42f00e7b WebCore::makeCounterNode(WebCore::RenderElement&, WTF::AtomString const&, bool) + 1435
8   com.apple.WebCore                   0x00007fff42f08945 WebCore::RenderElement::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 2053
9   com.apple.WebCore                   0x00007fff414aac2f WebCore::RenderLayerModelObject::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 31
10  com.apple.WebCore                   0x00007fff414a9c7a WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 42
11  com.apple.WebCore                   0x00007fff414a972e WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 94
12  com.apple.WebCore                   0x00007fff42ec171c WebCore::RenderBlockFlow::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 28
13  com.apple.WebCore                   0x00007fff42f06a61 WebCore::RenderElement::setStyle(WebCore::RenderStyle&&, WebCore::StyleDifference) + 225
14  com.apple.WebCore                   0x00007fff43093129 WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) + 1609
15  com.apple.WebCore                   0x00007fff43091523 WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 2403
16  com.apple.WebCore                   0x00007fff427044a1 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 1441
17  com.apple.WebCore                   0x00007fff414bdf5a WebCore::Document::updateStyleIfNeeded() + 362
18  com.apple.WebCore                   0x00007fff4153f1a8 WebCore::Document::updateLayout() + 216
19  com.apple.WebCore                   0x00007fff42972365 WebCore::HTMLObjectElement::renderWidgetLoadingPlugin() const + 101
20  com.apple.WebCore                   0x00007fff415c78cf WebCore::pluginScriptObject(JSC::ExecState*, WebCore::JSHTMLElement*) + 255
21  com.apple.WebCore                   0x00007fff4162c839 WebCore::JSHTMLObjectElement::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 41
22  com.apple.JavaScriptCore            0x00007fff36347df9 llint_slow_path_put_by_val + 1417
23  com.apple.JavaScriptCore            0x00007fff364f4838 llint_entry + 45951
24  com.apple.JavaScriptCore            0x00007fff365000e3 llint_entry + 93226
25  com.apple.JavaScriptCore            0x00007fff364e930f vmEntryToJavaScript + 200
26  com.apple.JavaScriptCore            0x00007fff361d6050 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 416
27  com.apple.JavaScriptCore            0x00007fff36c7fc9b JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 187
28  com.apple.WebCore                   0x00007fff42492fc4 WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 100
29  com.apple.WebCore                   0x00007fff424ab29b WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1403
30  com.apple.WebCore                   0x00007fff42757699 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 1113
31  com.apple.WebCore                   0x00007fff427551e3 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 611
32  com.apple.WebCore                   0x00007fff42753d1e WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (.llvm.1484162973191472938) + 206
33  com.apple.WebCore                   0x00007fff42753812 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 1090
34  com.apple.WebCore                   0x00007fff41525572 WebCore::HTMLStyleElement::dispatchPendingEvent(WebCore::EventSender<WebCore::HTMLStyleElement>*) + 178
35  com.apple.WebCore                   0x00007fff414facb6 WebCore::EventSender<WebCore::HTMLStyleElement>::dispatchPendingEvents() + 134
36  com.apple.WebCore                   0x00007fff42ceb0f8 WTF::Detail::CallableWrapper<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, void>::call() + 184
37  com.apple.WebCore                   0x00007fff41493b9f WebCore::timerFired(__CFRunLoopTimer*, void*) + 31
38  com.apple.CoreFoundation            0x00007fff328da326 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
39  com.apple.CoreFoundation            0x00007fff328d9ee0 __CFRunLoopDoTimer + 872
40  com.apple.CoreFoundation            0x00007fff328d98f3 __CFRunLoopDoTimers + 317
41  com.apple.CoreFoundation            0x00007fff328baf40 __CFRunLoopRun + 2227
42  com.apple.CoreFoundation            0x00007fff328ba418 CFRunLoopRunSpecific + 503
43  com.apple.Foundation                0x00007fff34ff7e0d -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212
44  parseWebKit                         0x000000010bad6988 main + 4104
45                      0x00007fff69c312f5 start + 1


