[Webkit-unassigned] [Bug 205409] New: Null Ptr Deref READ @ WebCore::RenderTreeBuilder::attach
bugzilla-daemon at webkit.org
Wed Dec 18 13:02:47 PST 2019
https://bugs.webkit.org/show_bug.cgi?id=205409
Bug ID: 205409
Summary: Null Ptr Deref READ @ WebCore::RenderTreeBuilder::attach
Product: WebKit
Version: WebKit Local Build
Hardware: All
OS: All
Status: NEW
Severity: Normal
Priority: P2
Component: Layout and Rendering
Assignee: webkit-unassigned at lists.webkit.org
Reporter: shihchieh_lee at apple.com
CC: bfulgham at webkit.org, simon.fraser at apple.com, zalan at apple.com
rdar://57213478
==20998==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00030a9964d2 bp 0x7ffee9a542d0 sp 0x7ffee9a542d0 T0)
==20998==The signal is caused by a READ memory access.
==20998==Hint: address points to the zero page.
==20998==WARNING: invalid path to external symbolizer!
==20998==WARNING: Failed to use and restart external symbolizer!
#0 0x30a9964d1 in WTF::TypeCastTraits<WebCore::RenderTableRow const, WebCore::RenderElement const, false>::isType(WebCore::RenderObject const&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x29944d1)
#1 0x30cef1e7a in WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4eefe7a)
#2 0x30cf0dc60 in WebCore::RenderTreeBuilder::Ruby::attach(WebCore::RenderRubyRun&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4f0bc60)
#3 0x30cef21c2 in WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4ef01c2)
#4 0x30cef2a56 in WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*)::$_0::operator()(WebCore::RenderElement&) const (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4ef0a56)
#5 0x30cef2151 in WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4ef0151)
#6 0x30cef4ee3 in WebCore::RenderTreeBuilder::attach(WebCore::RenderTreePosition&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4ef2ee3)
#7 0x30cf169a5 in WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4f149a5)
#8 0x30cf14c0b in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4f12c0b)
#9 0x30cf142e1 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4f122e1)
#10 0x30cf138ff in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4f118ff)
#11 0x30b0f8837 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x30f6837)
#12 0x30b0f96bb in WebCore::Document::updateStyleIfNeeded() (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x30f76bb)
#13 0x30b0f2485 in WebCore::Document::updateLayout() (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x30f0485)
#14 0x30b51e8cc in WebCore::VisibleSelection::toNormalizedRange() const (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x351c8cc)
#15 0x30bfbe857 in WebCore::DOMSelection::containsNode(WebCore::Node&, bool) const (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x3fbc857)
#16 0x30898d76a in WebCore::jsDOMSelectionPrototypeFunctionContainsNodeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMSelection*, JSC::ThrowScope&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x98b76a)
#17 0x30880d920 in long long WebCore::IDLOperation<WebCore::JSDOMSelection>::call<&(WebCore::jsDOMSelectionPrototypeFunctionContainsNodeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDOMSelection*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x80b920)
#18 0x28d7bce0116a
#19 0x321d168fa in llint_entry (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa3b8fa)
#20 0x321cffe28 in vmEntryToJavaScript (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa24e28)
#21 0x323310b5b in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2035b5b)
#22 0x32390c690 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2631690)
#23 0x32390c791 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2631791)
#24 0x32390cb6f in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2631b6f)
#25 0x30aa215b4 in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x2a1f5b4)
#26 0x30aa49dfc in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x2a47dfc)
#27 0x30b22ade4 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x3228de4)
#28 0x30b2260b7 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x32240b7)
#29 0x30b202ca6 in WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x3200ca6)
#30 0x30b203ea9 in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x3201ea9)
#31 0x30b203826 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x3201826)
#32 0x30b20322e in WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x320122e)
#33 0x30b2a92ca in WebCore::Node::dispatchSubtreeModifiedEvent() (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x32a72ca)
#34 0x30b1f0b82 in WebCore::Element::didRemoveAttribute(WebCore::QualifiedName const&, WTF::AtomString const&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x31eeb82)
#35 0x30b1dc10f in WebCore::Element::removeAttributeInternal(unsigned int, WebCore::Element::SynchronizationOfLazyAttribute) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x31da10f)
#36 0x30b1dc2c5 in WebCore::Element::removeAttribute(WebCore::QualifiedName const&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x31da2c5)
#37 0x308d0e1ee in WebCore::setJSHTMLButtonElementAutofocusSetter(JSC::JSGlobalObject&, WebCore::JSHTMLButtonElement&, JSC::JSValue, JSC::ThrowScope&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0xd0c1ee)
#38 0x308c02ea6 in bool WebCore::IDLAttribute<WebCore::JSHTMLButtonElement>::set<&(WebCore::setJSHTMLButtonElementAutofocusSetter(JSC::JSGlobalObject&, WebCore::JSHTMLButtonElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, char const*) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0xc00ea6)
#39 0x3239acd58 in JSC::callCustomSetter(JSC::JSGlobalObject*, bool (*)(JSC::JSGlobalObject*, long long, long long), bool, JSC::JSValue, JSC::JSValue) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x26d1d58)
#40 0x3239ace95 in JSC::callCustomSetter(JSC::JSGlobalObject*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x26d1e95)
#41 0x323b9ad94 in JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x28bfd94)
#42 0x3235908d0 in llint_slow_path_put_by_id (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x22b58d0)
#43 0x321d08d77 in llint_entry (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa2dd77)
#44 0x321d16803 in llint_entry (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa3b803)
#45 0x321cffe28 in vmEntryToJavaScript (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xa24e28)
#46 0x323310b5b in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2035b5b)
#47 0x32390c690 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2631690)
#48 0x32390c791 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2631791)
#49 0x32390cb6f in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2631b6f)
#50 0x30aa215b4 in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x2a1f5b4)
#51 0x30aa49dfc in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x2a47dfc)
#52 0x30b22ade4 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x3228de4)
#53 0x30b2260b7 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) (Safari_ASAN_252435_ec658ce439780404d8d97441fb9d7d819f8d3a0c.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:
abort() called