[Webkit-unassigned] [Bug 228889] New: WTFCrash in libjavascriptcoregtk because of type confusion

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Aug 6 20:33:05 PDT 2021 

https://bugs.webkit.org/show_bug.cgi?id=228889

            Bug ID: 228889
           Summary: WTFCrash in libjavascriptcoregtk because of type
                    confusion
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: tlock.chijin at gmail.com

Created attachment 435114

  --> https://bugs.webkit.org/attachment.cgi?id=435114&action=review

This file is generated by a browser fuzzer

When the attachment is opened by MiniBrowser, a WTFCrash is raised. 

OS: ubuntu 20.04
WebKit: webkit chunk; commit: bf8523d11fc7a9fd8cbcc6f85dd31df3ceb2b138


Asan message:

```
ASSERTION FAILED: is<Target>(source)
WTF/Headers/wtf/TypeCasts.h(79) : match_constness_t<Source, Target> &WTF::downcast(Source &) [Target = WebCore::RenderBox, Source = WebCore::RenderLayerModelObject]
1   0x7f4e6c9b39e0 WTFReportBacktrace
2   0x7f4e6c9b3ec6 WTFCrash
3   0x7f4e6c9b3edb /path/to/WebKitBuild/GTK/Release/lib/libjavascriptcoregtk-4.0.so.18(+0x4874edb) [0x7f4e6c9b3edb]
4   0x7f4e7662c13e /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x844313e) [0x7f4e7662c13e]
5   0x7f4e766146a9 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x842b6a9) [0x7f4e766146a9]
6   0x7f4e7664f54d /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x846654d) [0x7f4e7664f54d]
7   0x7f4e7664fff7 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x8466ff7) [0x7f4e7664fff7]
8   0x7f4e7664fff7 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x8466ff7) [0x7f4e7664fff7]
9   0x7f4e7664fff7 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x8466ff7) [0x7f4e7664fff7]
10  0x7f4e76648ee5 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x845fee5) [0x7f4e76648ee5]
11  0x7f4e7579ebe9 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x75b5be9) [0x7f4e7579ebe9]
12  0x7f4e7577f5b3 /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x75965b3) [0x7f4e7577f5b3]
13  0x7f4e75b0eb9a /path/to/WebKitBuild/GTK/Release/lib/libwebkit2gtk-4.0.so.37(+0x7925b9a) [0x7f4e75b0eb9a]
14  0x7f4e6cba4795 /path/to/WebKitBuild/GTK/Release/lib/libjavascriptcoregtk-4.0.so.18(+0x4a65795) [0x7f4e6cba4795]
15  0x7f4e6cba1b6d /path/to/WebKitBuild/GTK/Release/lib/libjavascriptcoregtk-4.0.so.18(+0x4a62b6d) [0x7f4e6cba1b6d]
16  0x7f4e65e7f04e g_main_context_dispatch
17  0x7f4e65e7f400 /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0(+0x52400) [0x7f4e65e7f400]
18  0x7f4e65e7f6f3 g_main_loop_run
19  0x7f4e6cba3249 WTF::RunLoop::run()
20  0x7f4e70f2cbbb WebKit::WebProcessMain(int, char**)
21  0x7f4e658130b3 __libc_start_main
22  0x41d3be /root/.cache/ms-playwright/webkit-1516/minibrowser-gtk/bin/WebKitWebProcess() [0x41d3be]
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210807/3ab10f6a/attachment.htm>

More information about the webkit-unassigned mailing list