[Webkit-unassigned] [Bug 228544] New: Use-after-free of HTMLBodyElement in Document::setBodyOrFrameset

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 28 01:56:23 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=228544

            Bug ID: 228544
           Summary: Use-after-free of HTMLBodyElement in
                    Document::setBodyOrFrameset
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rniwa at webkit.org

For example, the following AddressSanitizer report:

==49732==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00009a058 at pc 0x00030212bced bp 0x7ffeed3fab10 sp 0x7ffeed3fab08
READ of size 4 at 0x60b00009a058 thread T0

#0 0x30212bcec in WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >::Ref(WebCore::Node&)+0x4c (WebCore.framework/Versions/A/WebCore:x86_64+0x1c9cec)
#1 0x3021237b8 in WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >::Ref(WebCore::Node&)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0x1c17b8)
#2 0x305912a44 in WebCore::ContainerNode::replaceChild(WebCore::Node&, WebCore::Node&)+0x4b4 (WebCore.framework/Versions/A/WebCore:x86_64+0x39b0a44)
#3 0x30597e5ea in WebCore::Document::setBodyOrFrameset(WTF::RefPtr<WebCore::HTMLElement, WTF::RawPtrTraits<WebCore::HTMLElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLElement> >&&)+0x31a (WebCore.framework/Versions/A/WebCore:x86_64+0x3a1c5ea)
#4 0x302aaa8b6 in WebCore::setJSDocument_bodySetter(JSC::JSGlobalObject&, WebCore::JSDocument&, JSC::JSValue)::'lambda'()::operator()() const+0x156 (WebCore.framework/Versions/A/WebCore:x86_64+0xb488b6)
#5 0x302aaa346 in void WebCore::invokeFunctorPropagatingExceptionIfNecessary<WebCore::setJSDocument_bodySetter(JSC::JSGlobalObject&, WebCore::JSDocument&, JSC::JSValue)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::setJSDocument_bodySetter(JSC::JSGlobalObject&, WebCore::JSDocument&, JSC::JSValue)::'lambda'()&&)+0xd6 (WebCore.framework/Versions/A/WebCore:x86_64+0xb48346)
#6 0x302aaa09f in WebCore::setJSDocument_bodySetter(JSC::JSGlobalObject&, WebCore::JSDocument&, JSC::JSValue)+0x28f (WebCore.framework/Versions/A/WebCore:x86_64+0xb4809f)
#7 0x30294a8a3 in bool WebCore::IDLAttribute<WebCore::JSDocument>::set<&(WebCore::setJSDocument_bodySetter(JSC::JSGlobalObject&, WebCore::JSDocument&, JSC::JSValue)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, JSC::PropertyName)+0x113 (WebCore.framework/Versions/A/WebCore:x86_64+0x9e88a3)
#8 0x30294a788 in WebCore::setJSDocument_body(JSC::JSGlobalObject*, long long, long long, JSC::PropertyName)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0x9e8788)
#9 0x3231fcc41 in JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)+0x801 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3402c41)
#10 0x322abb123 in llint_slow_path_put_by_id+0xd03 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2cc1123)
#11 0x320bbc317 in llint_entry+0xa0f7 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xdc2317)
#12 0x320bb2018 in vmEntryToJavaScript+0xd7 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xdb8018)
#13 0x322593234 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x5e4 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2799234)
#14 0x322ea5c34 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x64 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30abc34)
#15 0x322ea5d2f in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xdf (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30abd2f)
#16 0x322ea60eb in JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0x10b (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x30ac0eb)
#17 0x3050be28f in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xef (WebCore.framework/Versions/A/WebCore:x86_64+0x315c28f)
#18 0x3050eab3d in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0xa0d (WebCore.framework/Versions/A/WebCore:x86_64+0x3188b3d)
#19 0x305acaa62 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x522 (WebCore.framework/Versions/A/WebCore:x86_64+0x3b68a62)
#20 0x305aca302 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x1b2 (WebCore.framework/Versions/A/WebCore:x86_64+0x3b68302)
#21 0x306b44c29 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)+0x329 (WebCore.framework/Versions/A/WebCore:x86_64+0x4be2c29)
#22 0x306b5ceb7 in WebCore::DOMWindow::dispatchLoadEvent()+0x237 (WebCore.framework/Versions/A/WebCore:x86_64+0x4bfaeb7)
#23 0x30597f405 in WebCore::Document::dispatchWindowLoadEvent()+0x55 (WebCore.framework/Versions/A/WebCore:x86_64+0x3a1d405)
#24 0x30597ee23 in WebCore::Document::implicitClose()+0x2f3 (WebCore.framework/Versions/A/WebCore:x86_64+0x3a1ce23)
#25 0x30693f428 in WebCore::FrameLoader::checkCallImplicitClose()+0xd8 (WebCore.framework/Versions/A/WebCore:x86_64+0x49dd428)
#26 0x30693e8b2 in WebCore::FrameLoader::checkCompleted()+0x2b2 (WebCore.framework/Versions/A/WebCore:x86_64+0x49dc8b2)
#27 0x30693ae84 in WebCore::FrameLoader::finishedParsing()+0x1c4 (WebCore.framework/Versions/A/WebCore:x86_64+0x49d8e84)
#28 0x3059a03a3 in WebCore::Document::finishedParsing()+0x263 (WebCore.framework/Versions/A/WebCore:x86_64+0x3a3e3a3)

0x60b00009a058 is located 24 bytes inside of 112-byte region [0x60b00009a040,0x60b00009a0b0)
freed by thread T0 here:
#0 0x3000ee6f6 in __sanitizer_mz_free+0x86 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x486f6)
#1 0x31ffef384 in bmalloc::DebugHeap::free(void*)+0x24 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1f5384)
#2 0x31ffed452 in bmalloc::Cache::deallocateSlowCaseNullCache(bmalloc::HeapKind, void*)+0x52 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1f3452)
#3 0x31fe5562d in bmalloc::Cache::deallocate(bmalloc::HeapKind, void*)+0x7d (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5b62d)
#4 0x320008640 in bmalloc::IsoMallocFallback::tryFree(void*)+0x30 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x20e640)
#5 0x305f6a5d0 in void bmalloc::IsoTLS::deallocateSlow<bmalloc::IsoConfig<112u>, WebCore::HTMLBodyElement>(bmalloc::api::IsoHeap<WebCore::HTMLBodyElement>&, void*)+0xb0 (WebCore.framework/Versions/A/WebCore:x86_64+0x40085d0)
#6 0x305f6a4f2 in void bmalloc::IsoTLS::deallocateImpl<bmalloc::IsoConfig<112u>, WebCore::HTMLBodyElement>(bmalloc::api::IsoHeap<WebCore::HTMLBodyElement>&, void*)+0x62 (WebCore.framework/Versions/A/WebCore:x86_64+0x40084f2)
#7 0x305f6a48d in void bmalloc::IsoTLS::deallocate<WebCore::HTMLBodyElement>(bmalloc::api::IsoHeap<WebCore::HTMLBodyElement>&, void*)+0xd (WebCore.framework/Versions/A/WebCore:x86_64+0x400848d)
#8 0x305f54948 in bmalloc::api::IsoHeap<WebCore::HTMLBodyElement>::deallocate(void*)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0x3ff2948)
#9 0x305f54932 in WebCore::HTMLBodyElement::operator delete(void*)+0x12 (WebCore.framework/Versions/A/WebCore:x86_64+0x3ff2932)
#10 0x305f54a85 in WebCore::HTMLBodyElement::~HTMLBodyElement()+0x15 (WebCore.framework/Versions/A/WebCore:x86_64+0x3ff2a85)
#11 0x305b60b43 in WebCore::Node::removedLastRef()+0x73 (WebCore.framework/Versions/A/WebCore:x86_64+0x3bfeb43)
#12 0x30212bc14 in WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >::~Ref()+0x134 (WebCore.framework/Versions/A/WebCore:x86_64+0x1c9c14)
#13 0x3021237c8 in WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >::~Ref()+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0x1c17c8)
#14 0x302efbe37 in WTF::VectorDestructor<true, WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> > >::destruct(WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >*, WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >*)+0x27 (WebCore.framework/Versions/A/WebCore:x86_64+0xf99e37)
#15 0x302efbd18 in WTF::VectorTypeOperations<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> > >::destruct(WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >*, WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >*)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0xf99d18)
#16 0x30592d9ba in WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::~Vector()+0x4a (WebCore.framework/Versions/A/WebCore:x86_64+0x39cb9ba)
#17 0x30590e878 in WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::~Vector()+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0x39ac878)
#18 0x30591a313 in WebCore::ContainerNode::replaceChildren(WTF::Vector<WTF::Variant<WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >, WTF::String>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&)+0x6f3 (WebCore.framework/Versions/A/WebCore:x86_64+0x39b8313)
#19 0x302a46d16 in WebCore::jsElementPrototypeFunction_replaceChildrenBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)::'lambda'()::operator()() const+0x56 (WebCore.framework/Versions/A/WebCore:x86_64+0xae4d16)
#20 0x302a46b32 in JSC::JSValue WebCore::toJS<WebCore::IDLUndefined, WebCore::jsElementPrototypeFunction_replaceChildrenBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsElementPrototypeFunction_replaceChildrenBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)::'lambda'()&&)+0xe2 (WebCore.framework/Versions/A/WebCore:x86_64+0xae4b32)
#21 0x302a46834 in WebCore::jsElementPrototypeFunction_replaceChildrenBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)+0x284 (WebCore.framework/Versions/A/WebCore:x86_64+0xae4834)
#22 0x302a46510 in long long WebCore::IDLOperation<WebCore::JSElement>::call<&(WebCore::jsElementPrototypeFunction_replaceChildrenBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0x100 (WebCore.framework/Versions/A/WebCore:x86_64+0xae4510)
#23 0x302a2ac08 in WebCore::jsElementPrototypeFunction_replaceChildren(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0xac8c08)
#24 0x3c08c34011d7  (<unknown module>)

previously allocated by thread T0 here:
#0 0x3000ee2f0 in __sanitizer_mz_malloc+0xa0 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x482f0)
#1 0x7fff203e6fe4 in _malloc_zone_malloc+0x75 (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x1bfe4)
#2 0x31ffef298 in bmalloc::DebugHeap::malloc(unsigned long, bmalloc::FailureAction)+0x28 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1f5298)
#3 0x31ffed117 in bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long)+0x57 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1f3117)
#4 0x31fe55aed in bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long)+0x7d (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x5baed)
#5 0x320008437 in bmalloc::IsoMallocFallback::tryMalloc(unsigned long)+0xe7 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x20e437)
#6 0x305f69e99 in void* bmalloc::IsoTLS::allocateSlow<bmalloc::IsoConfig<112u>, WebCore::HTMLBodyElement>(bmalloc::api::IsoHeap<WebCore::HTMLBodyElement>&, bool)+0x19 (WebCore.framework/Versions/A/WebCore:x86_64+0x4007e99)
#7 0x305f69e14 in void* bmalloc::IsoTLS::allocateImpl<bmalloc::IsoConfig<112u>, WebCore::HTMLBodyElement>(bmalloc::api::IsoHeap<WebCore::HTMLBodyElement>&, bool)+0x64 (WebCore.framework/Versions/A/WebCore:x86_64+0x4007e14)
#8 0x305f69da8 in void* bmalloc::IsoTLS::allocate<WebCore::HTMLBodyElement>(bmalloc::api::IsoHeap<WebCore::HTMLBodyElement>&, bool)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0x4007da8)
#9 0x305f5491d in bmalloc::api::IsoHeap<WebCore::HTMLBodyElement>::allocate()+0xd (WebCore.framework/Versions/A/WebCore:x86_64+0x3ff291d)
#10 0x305f54905 in WebCore::HTMLBodyElement::operator new(unsigned long)+0x15 (WebCore.framework/Versions/A/WebCore:x86_64+0x3ff2905)
#11 0x305f54a1d in WebCore::HTMLBodyElement::create(WebCore::QualifiedName const&, WebCore::Document&)+0x1d (WebCore.framework/Versions/A/WebCore:x86_64+0x3ff2a1d)
#12 0x3024694dc in WebCore::bodyConstructor(WebCore::QualifiedName const&, WebCore::Document&, WebCore::HTMLFormElement*, bool)+0xbc (WebCore.framework/Versions/A/WebCore:x86_64+0x5074dc)
#13 0x302466741 in WebCore::HTMLElementFactory::createKnownElement(WTF::AtomString const&, WebCore::Document&, WebCore::HTMLFormElement*, bool)+0xe1 (WebCore.framework/Versions/A/WebCore:x86_64+0x504741)
#14 0x30634e2f5 in WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(WebCore::AtomHTMLToken&, WebCore::JSCustomElementInterface**)+0x135 (WebCore.framework/Versions/A/WebCore:x86_64+0x43ec2f5)
#15 0x30634d1fb in WebCore::HTMLConstructionSite::createHTMLElement(WebCore::AtomHTMLToken&)+0xcb (WebCore.framework/Versions/A/WebCore:x86_64+0x43eb1fb)
#16 0x30634d690 in WebCore::HTMLConstructionSite::insertHTMLBodyElement(WebCore::AtomHTMLToken&&)+0xf0 (WebCore.framework/Versions/A/WebCore:x86_64+0x43eb690)
#17 0x3063b0486 in WebCore::HTMLTreeBuilder::processStartTag(WebCore::AtomHTMLToken&&)+0xe76 (WebCore.framework/Versions/A/WebCore:x86_64+0x444e486)
#18 0x3063af31e in WebCore::HTMLTreeBuilder::processToken(WebCore::AtomHTMLToken&&)+0x17e (WebCore.framework/Versions/A/WebCore:x86_64+0x444d31e)
#19 0x3063ae2f2 in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomHTMLToken&&)+0x42 (WebCore.framework/Versions/A/WebCore:x86_64+0x444c2f2)
#20 0x306354475 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&)+0x135 (WebCore.framework/Versions/A/WebCore:x86_64+0x43f2475)
#21 0x306353d06 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&)+0x216 (WebCore.framework/Versions/A/WebCore:x86_64+0x43f1d06)
#22 0x306352dce in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)+0x17e (WebCore.framework/Versions/A/WebCore:x86_64+0x43f0dce)
#23 0x306352948 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)+0x38 (WebCore.framework/Versions/A/WebCore:x86_64+0x43f0948)
#24 0x306354a9e in WebCore::HTMLDocumentParser::insert(WebCore::SegmentedString&&)+0x11e (WebCore.framework/Versions/A/WebCore:x86_64+0x43f2a9e)
#25 0x30597fd8b in WebCore::Document::write(WebCore::Document*, WebCore::SegmentedString&&)+0x27b (WebCore.framework/Versions/A/WebCore:x86_64+0x3a1dd8b)
#26 0x3059802f7 in WebCore::Document::write(WebCore::Document*, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&)+0x2f7 (WebCore.framework/Versions/A/WebCore:x86_64+0x3a1e2f7)
#27 0x305922995 in WebCore::DOMImplementation::createHTMLDocument(WTF::String const&)+0x255 (WebCore.framework/Versions/A/WebCore:x86_64+0x39c0995)

<rdar://80675098>
