[Webkit-unassigned] [Bug 272289] New: nullderef in RenderLayerCompositor
bugzilla-daemon at webkit.org
Sat Apr 6 20:05:25 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=272289
Bug ID: 272289
Summary: nullderef in RenderLayerCompositor
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: macOS 14
Status: NEW
Severity: Normal
Priority: P2
Component: Compositing
Assignee: webkit-unassigned at lists.webkit.org
Reporter: bin7o8v at gmail.com
CC: simon.fraser at apple.com
Created attachment 470795
--> https://bugs.webkit.org/attachment.cgi?id=470795&action=review
PoC
Version:
- macOS: 14.4.1 (23E224)
- WebKit: WebKit-7618.1.15.14.7
How to reproduce:
1. Compile WebKit from source
2. Serve poc.html on 127.0.0.1:8080
3. Run Tools/Scripts/run-minibrowser --url 127.0.0.1:8080/poc.html
If no crash occurs, please set the browser to windowed mode and resize the window to make it smaller.
Crash log:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==42799==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000d8 (pc 0x0005ea27d347 bp 0x7ff7b39fb230 sp 0x7ff7b39fb0a0 T0)
==42799==The signal is caused by a READ memory access.
==42799==Hint: address points to the zero page.
==42799==WARNING: invalid path to external symbolizer!
==42799==WARNING: Failed to use and restart external symbolizer!
#0 0x5ea27d347 in WebCore::RenderLayerCompositor::updateScrollingNodeForPositioningRole(WebCore::RenderLayer&, WebCore::RenderLayer const*, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::ScrollingNodeChangeFlags>)+0xab7 (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8a66347)
#1 0x5ea255faf in WebCore::RenderLayerCompositor::updateScrollCoordinationForLayer(WebCore::RenderLayer&, WebCore::RenderLayer const*, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::ScrollingNodeChangeFlags>)+0x37f (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8a3efaf)
#2 0x5ea24a871 in WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>)+0x561 (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8a33871)
#3 0x5ea24aded in WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>)+0xadd (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8a33ded)
#4 0x5ea24aded in WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>)+0xadd (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8a33ded)
#5 0x5ea24aded in WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::RawPtrTraits<WebCore::GraphicsLayer>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayerCompositor::UpdateBackingTraversalState&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>)+0xadd (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8a33ded)
#6 0x5ea243ea5 in WebCore::RenderLayerCompositor::updateCompositingLayers(WebCore::CompositingUpdateType, WebCore::RenderLayer*)+0x1745 (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8a2cea5)
#7 0x5e8d85395 in WebCore::LocalFrameView::updateCompositingLayersAfterLayoutIfNeeded()+0xb5 (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x756e395)
#8 0x5e7173b87 in WebCore::Document::implicitClose()+0xf07 (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x595cb87)
#9 0x5e88b9c65 in WebCore::FrameLoader::checkCallImplicitClose()+0x195 (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x70a2c65)
#10 0x5e88b7996 in WebCore::FrameLoader::checkCompleted()+0x496 (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x70a0996)
#11 0x5e88adb88 in WebCore::FrameLoader::finishedParsing()+0x278 (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7096b88)
#12 0x5e71d635e in WebCore::Document::finishedParsing()+0x7ce (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x59bf35e)
#13 0x5e80a5e5f in WebCore::HTMLConstructionSite::finishedParsing()+0xff (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x688ee5f)
#14 0x5e80bad93 in WebCore::HTMLDocumentParser::prepareToStopParsing()+0x383 (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x68a3d93)
#15 0x5e80c0411 in WebCore::HTMLDocumentParser::finish()+0x1a1 (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x68a9411)
#16 0x5e87f092a in WebCore::DocumentWriter::end()+0x34a (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6fd992a)
#17 0x5e87ed00f in WebCore::DocumentLoader::finishedLoading()+0x68f (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6fd600f)
#18 0x5e87ebf74 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&)+0x4d4 (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6fd4f74)
#19 0x5e8b17fa1 in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&)+0x1b1 (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7300fa1)
#20 0x5e8b0d750 in WebCore::CachedRawResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&)+0xa70 (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x72f6750)
#21 0x5e8a22010 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&)+0x14f0 (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x720b010)
#22 0x5bbdf1942 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&)+0x692 (/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3587942)
#23 0x5bcd87c1c in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&)+0x24c (/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x451dc1c)
#24 0x5bbdbcaa9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0xae9 (/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x3552aa9)
#25 0x5bcf52601 in IPC::Connection::dispatchMessage(IPC::Decoder&)+0x8a1 (/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x46e8601)
#26 0x5bcf52c4e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder>>)+0x2be (/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x46e8c4e)
#27 0x5bcf5341a in IPC::Connection::dispatchOneIncomingMessage()+0x28a (/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x46e941a)
#28 0x5c8e73559 in WTF::RunLoop::performWork()+0x6b9 (/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x112559)
#29 0x5c8e75e3a in WTF::RunLoop::performWork(void*)+0xba (/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x114e3a)
#30 0x7ff80c4b6aa6 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x10 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7baa6)
#31 0x7ff80c4b6a48 in __CFRunLoopDoSource0+0x9c (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7ba48)
#32 0x7ff80c4b6813 in __CFRunLoopDoSources0+0xd6 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7b813)
#33 0x7ff80c4b5490 in __CFRunLoopRun+0x396 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x7a490)
#34 0x7ff80c4b4b31 in CFRunLoopRunSpecific+0x22c (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x79b31)
#35 0x7ff80d466140 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7 (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0x5c140)
#36 0x7ff80d4e830a in -[NSRunLoop(NSRunLoop) run]+0x4b (/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation:x86_64+0xde30a)
#37 0x7ff80c0f34d8 in _xpc_objc_main+0x25d (/usr/lib/system/libxpc.dylib:x86_64+0x164d8)
#38 0x7ff80c10004a in _xpc_main+0x102 (/usr/lib/system/libxpc.dylib:x86_64+0x2304a)
#39 0x7ff80c0f30fb in xpc_main+0x37 (/usr/lib/system/libxpc.dylib:x86_64+0x160fb)
#40 0x5b9e89a06 in WebKit::XPCServiceMain(int, char const**)+0xd6 (/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x161fa06)
#41 0x7ff80c04e365 in start+0x795 (/usr/lib/dyld:x86_64+0xfffffffffff5c365)
==42799==Register values:
rax = 0x000010000000001b rbx = 0x0000000000000000 rcx = 0x00001c1e0000c4d1 rdx = 0x0000000000000000
rdi = 0x00000000000000d8 rsi = 0x0000000000000002 rbp = 0x00007ff7b39fb230 rsp = 0x00007ff7b39fb0a0
r8 = 0x0000100000000000 r9 = 0x0000000000000001 r10 = 0x0000612000060f40 r11 = 0x0000000000000000
r12 = 0x0000002200000006 r13 = 0x000061300007af75 r14 = 0x0000612000061240 r15 = 0x00001ffef673f624
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8a66347) in WebCore::RenderLayerCompositor::updateScrollingNodeForPositioningRole(WebCore::RenderLayer&, WebCore::RenderLayer const*, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::ScrollingNodeChangeFlags>)+0xab7
==42799==ABORTING
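Reading a report like the one above is a routine triage step, so here is an added example (not part of this bug report or of WebKit) that parses the AddressSanitizer SEGV output into a structured summary: the signal and fault address, whether that address lies in the zero page, the top stack frame, and which register holds the fault address. For this report it concludes that frame #0 performed a READ at offset 0xd8 from a null base, with rdi carrying that null-plus-offset value. The 0x1000 zero-page threshold, the Frame/CrashTriage names and the verdict wording are assumptions of this example; the sample input is an excerpt of the log quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: an excerpt of the AddressSanitizer report quoted in the bug
# above (frames #2..#41 and the second register line are dropped for brevity).
SAMPLE_LOG = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==42799==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000d8 (pc 0x0005ea27d347 bp 0x7ff7b39fb230 sp 0x7ff7b39fb0a0 T0)
==42799==The signal is caused by a READ memory access.
==42799==Hint: address points to the zero page.
    #0 0x5ea27d347 in WebCore::RenderLayerCompositor::updateScrollingNodeForPositioningRole(WebCore::RenderLayer&, WebCore::RenderLayer const*, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::ScrollingNodeChangeFlags>)+0xab7 (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8a66347)
    #1 0x5ea255faf in WebCore::RenderLayerCompositor::updateScrollCoordinationForLayer(WebCore::RenderLayer&, WebCore::RenderLayer const*, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::ScrollingNodeChangeFlags>)+0x37f (/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8a3efaf)
==42799==Register values:
rax = 0x000010000000001b rbx = 0x0000000000000000 rcx = 0x00001c1e0000c4d1 rdx = 0x0000000000000000
rdi = 0x00000000000000d8 rsi = 0x0000000000000002 rbp = 0x00007ff7b39fb230 rsp = 0x00007ff7b39fb0a0
==42799==ABORTING
"""

# Assumption: treat anything below one 4 KiB page as a null-base access. ASan's own
# "points to the zero page" hint is honoured as well when it is present.
NULL_PAGE_LIMIT = 0x1000

ERROR_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on (?:unknown )?address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
# Greedy "(.*)" backtracks to the last "+0x<off> (" so function signatures containing
# parentheses and "+" are captured whole; the module path is the parenthesised tail.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+ in (.*)\+0x([0-9a-f]+) \((.*)\)\s*$")
REG_RE = re.compile(r"\b(r[a-z0-9]+) = 0x([0-9a-f]+)")


@dataclass
class Frame:
    index: int
    function: str   # full demangled signature as printed by ASan
    offset: int     # byte offset into the function
    module: str     # "<path>:<arch>+<module offset>"


@dataclass
class CrashTriage:
    pid: int
    signal: str
    fault_address: int
    access: Optional[str]
    null_page: bool
    frames: List[Frame] = field(default_factory=list)
    registers: Dict[str, int] = field(default_factory=dict)

    @property
    def top_frame(self) -> Optional[Frame]:
        return self.frames[0] if self.frames else None

    @property
    def registers_holding_fault_address(self) -> List[str]:
        # A register equal to the fault address is usually the base pointer that was
        # null (plus the member offset the faulting instruction added to it).
        return sorted(n for n, v in self.registers.items() if v == self.fault_address)

    def verdict(self) -> str:
        where = self.top_frame.function.split("(")[0] if self.top_frame else "unknown frame"
        access = self.access or "access"
        if self.null_page:
            kind = f"null-pointer dereference ({access} at offset 0x{self.fault_address:x} from NULL)"
        else:
            kind = f"{access} of non-null invalid address 0x{self.fault_address:x}"
        regs = self.registers_holding_fault_address
        hint = f"; register(s) holding the fault address: {', '.join(regs)}" if regs else ""
        return f"{kind} in {where}{hint}"


def triage_asan_segv(log: str) -> CrashTriage:
    """Parse one ASan crash report into a CrashTriage summary."""
    m = ERROR_RE.search(log)
    if not m:
        raise ValueError("no AddressSanitizer ERROR line found")
    pid, signal, addr = int(m.group(1)), m.group(2), int(m.group(3), 16)
    access_m = ACCESS_RE.search(log)
    access = access_m.group(1) if access_m else None
    null_page = addr < NULL_PAGE_LIMIT or "points to the zero page" in log

    frames: List[Frame] = []
    registers: Dict[str, int] = {}
    for line in log.splitlines():
        fm = FRAME_RE.match(line)
        if fm:
            frames.append(Frame(int(fm.group(1)), fm.group(2), int(fm.group(3), 16), fm.group(4)))
            continue
        for name, value in REG_RE.findall(line):
            registers[name] = int(value, 16)
    return CrashTriage(pid, signal, addr, access, null_page, frames, registers)


if __name__ == "__main__":
    print(triage_asan_segv(SAMPLE_LOG).verdict())
```

The distinction the summary draws matters for prioritisation: a read in the zero page is a null-base access and, absent other evidence, a crash rather than memory corruption, whereas a SEGV on a high or patterned address points at a dangling or corrupted pointer and deserves a closer look. The register match (rdi == 0xd8 here) tells you which operand was null, and the +0xab7 offset in frame #0 is what to resolve against a symbolized build of the same revision to find the dereferencing statement.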