[Webkit-unassigned] [Bug 230581] New: [WebCore] NULL ptr deref in updateRenderTree

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Sep 21 16:06:28 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=230581

            Bug ID: 230581
           Summary: [WebCore] NULL ptr deref in updateRenderTree
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: brandonstewart at apple.com
                CC: bfulgham at webkit.org, simon.fraser at apple.com,
                    zalan at apple.com

This script causes a crash:

<script>
  onload = () => {
    let div0 = document.createElement('div');
    div0.style.display = 'contents';
    let div1 = document.createElement('div');
    div1.append('ab');
    div0.appendChild(div1);
    document.body.appendChild(div0);
    document.body.offsetTop;
    div1.innerHTML = 'a';
    new Document().appendChild(div0);
  };
</script>

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                   0x00000001072d946f WebCore::shouldCreateRenderer(WebCore::Element const&, WebCore::RenderElement const&) + 0 (RenderTreeUpdater.cpp:137) [inlined]
1   com.apple.WebCore                   0x00000001072d946f WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) + 2367 (RenderTreeUpdater.cpp:198)
2   com.apple.WebCore                   0x00000001072d8a4b WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 507 (RenderTreeUpdater.cpp:126)
3   com.apple.WebCore                   0x000000010664fe99 WebCore::Document::updateRenderTree(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 105 (Document.cpp:2023)
4   com.apple.WebCore                   0x0000000106650357 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 1127 (Document.cpp:2113)
5   com.apple.WebCore                   0x0000000106650973 WebCore::Document::updateStyleIfNeeded() + 371 (Document.cpp:2205)

<rdar://83101139>
