[Webkit-unassigned] [Bug 272294] New: nullderef in LayoutIntegration::BoxTree::layoutBoxForRenderer

bugzilla-daemon at webkit.org
Sat Apr 6 22:59:14 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=272294

            Bug ID: 272294
           Summary: nullderef in
                    LayoutIntegration::BoxTree::layoutBoxForRenderer
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: bin7o8v at gmail.com
                CC: bfulgham at webkit.org, simon.fraser at apple.com,
                    zalan at apple.com

Created attachment 470798

  --> https://bugs.webkit.org/attachment.cgi?id=470798&action=review

PoC

Version:
 - OS: Ubuntu Desktop 22.04
 - WebKit: WebKitGTK 2.43.4

How to reproduce:
1. Compile WebKit from source
2. Serve poc.html on 127.0.0.1:8080
3. Launch MiniBrowser with url 127.0.0.1:8080/poc.html

Crash log:
==2710716==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x7fa8af3d08be bp 0x7ffc9fcc7c80 sp 0x7ffc9fcc7b50 T0)
==2710716==The signal is caused by a READ memory access.
==2710716==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
  #0 0x7fa8af3d08be in WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>::isEmpty() const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/OptionSet.h:106:46
  #1 0x7fa8af3d08be in WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>::operator bool() const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/OptionSet.h:111:56
  #2 0x7fa8af3d08be in WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>::containsAny(WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>) const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/OptionSet.h:120:18
  #3 0x7fa8af3d08be in WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>::contains(WebCore::Layout::Box::BaseTypeFlag) const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/OptionSet.h:115:16
  #4 0x7fa8af3d08be in WebCore::Layout::Box::isElementBox() const /webkitgtk-2.43.4/Source/WebCore/layout/layouttree/LayoutBox.h:164:56
  #5 0x7fa8af3d08be in WTF::TypeCastTraits<WebCore::Layout::ElementBox const, WebCore::Layout::Box const, false>::isType(WebCore::Layout::Box const&) /webkitgtk-2.43.4/Source/WebCore/layout/layouttree/LayoutElementBox.h:119:1
  #6 0x7fa8af3d08be in WTF::TypeCastTraits<WebCore::Layout::ElementBox const, WebCore::Layout::Box const, false>::isOfType(WebCore::Layout::Box const&) /webkitgtk-2.43.4/Source/WebCore/layout/layouttree/LayoutElementBox.h:119:1
  #7 0x7fa8af3d08be in bool WTF::is<WebCore::Layout::ElementBox, WebCore::Layout::Box>(WebCore::Layout::Box const&) /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/TypeCasts.h:58:12
  #8 0x7fa8af3d08be in std::conditional<std::is_const_v<WebCore::Layout::Box const>, std::add_const<WebCore::Layout::ElementBox>::type, std::remove_const<WebCore::Layout::ElementBox>::type>::type& WTF::downcast<WebCore::Layout::ElementBox, WebCore::Layout::Box const>(WebCore::Layout::Box const&) /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/TypeCasts.h:120:5
  #9 0x7fa8af3d08be in WebCore::LayoutIntegration::BoxTree::layoutBoxForRenderer(WebCore::RenderElement const&) const /webkitgtk-2.43.4/Source/WebCore/layout/integration/LayoutIntegrationBoxTree.cpp:356:12
  #10 0x7fa8b0903a75 in WebCore::RenderInline::frameRectForStickyPositioning() const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderInline.h:133:69
  #11 0x7fa8b06baf19 in WebCore::RenderBoxModelObject::stickyPositionOffset() const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBoxModelObject.cpp:630:5
  #12 0x7fa8b06baf19 in WebCore::RenderBoxModelObject::offsetForInFlowPosition() const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBoxModelObject.cpp:642:16
  #13 0x7fa8b08ad3fe in WebCore::RenderInline::offsetFromContainer(WebCore::RenderElement&, WebCore::LayoutPoint const&, bool*) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderInline.cpp:771:19
  #14 0x7fa8b074d666 in WebCore::RenderBox::computeVisibleRectsInContainer(WebCore::RenderObject::RepaintRects const&, WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBox.cpp:2669:49
  #15 0x7fa8b0a1c112 in WebCore::RenderObject::computeRects(WebCore::RenderObject::RepaintRects const&, WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.cpp:1132:19
  #16 0x7fa8b0a1c112 in WebCore::RenderObject::clippedOverflowRect(WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.cpp:1127:12
  #17 0x7fa8b0a1a511 in WebCore::RenderObject::clippedOverflowRectForRepaint(WebCore::RenderLayerModelObject const*) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.h:1016:109
  #18 0x7fa8b0a1a511 in WebCore::RenderObject::issueRepaint(std::optional<WebCore::LayoutRect>, WebCore::RenderObject::ClipRepaintToLayer, WebCore::RenderObject::ForceRepaint, std::optional<WebCore::RectEdges<WebCore::LayoutUnit>>) const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.cpp:1035:23
  #19 0x7fa8b0a1a933 in WebCore::RenderObject::repaint() const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.cpp:1045:5
  #20 0x7fa8b0a21e56 in WebCore::invalidateLineLayoutAfterTreeMutationIfNeeded(WebCore::RenderObject&, WebCore::IsRemoval) /webkitgtk-2.43.4/Source/WebCore/rendering/RenderObject.cpp:1806:20

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/webkitgtk-2.43.4/build-asan/lib/libwebkit2gtk-4.0.so.37+0x79358be)
==2710716==ABORTING

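For triaging reports like the one above, here is an added example (not from the reporter or from WebKit) that parses the AddressSanitizer SEGV output, classifies the fault as a zero-page null dereference, and picks out the first WebCore frame beneath the WTF OptionSet/downcast helpers; the sample report is abridged from the crash log in this bug, and the "first .cpp under Source/WebCore" rule is a triage heuristic of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the ASan report from the bug above, abridged to four frames.
SAMPLE_REPORT = """\
==2710716==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x7fa8af3d08be bp 0x7ffc9fcc7c80 sp 0x7ffc9fcc7b50 T0)
==2710716==The signal is caused by a READ memory access.
==2710716==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
  #0 0x7fa8af3d08be in WTF::OptionSet<WebCore::Layout::Box::BaseTypeFlag>::isEmpty() const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/OptionSet.h:106:46
  #8 0x7fa8af3d08be in WTF::downcast<WebCore::Layout::ElementBox, WebCore::Layout::Box const>(WebCore::Layout::Box const&) /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/TypeCasts.h:120:5
  #9 0x7fa8af3d08be in WebCore::LayoutIntegration::BoxTree::layoutBoxForRenderer(WebCore::RenderElement const&) const /webkitgtk-2.43.4/Source/WebCore/layout/integration/LayoutIntegrationBoxTree.cpp:356:12
  #10 0x7fa8b0903a75 in WebCore::RenderInline::frameRectForStickyPositioning() const /webkitgtk-2.43.4/Source/WebCore/rendering/RenderInline.h:133:69
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\w+) on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+ in (.+?) (/\S+?):(\d+):\d+$")

@dataclass
class Triage:
    pid: int
    kind: str        # e.g. "SEGV"
    address: int     # faulting address
    access: str      # "READ" or "WRITE"
    frames: list     # (index, function, path, line) tuples, innermost first

    def likely_null_deref(self) -> bool:
        # A fault inside the zero page is a null pointer plus a small field offset, as ASan's hint says.
        return self.kind == "SEGV" and self.address < 0x1000

    def first_project_frame(self):
        # Heuristic: skip WTF template helpers (OptionSet, downcast) and report the first WebCore .cpp frame.
        return next((f for f in self.frames if f[2].endswith(".cpp") and "/Source/WebCore/" in f[2]), None)

def parse_asan_report(text: str) -> Triage:
    pid = kind = address = access = None
    frames = []
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            pid, kind, address = int(m.group(1)), m.group(2), int(m.group(3), 16)
        elif m := ACCESS_RE.search(line):
            access = m.group(1)
        elif m := FRAME_RE.match(line):
            frames.append((int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    if pid is None:
        raise ValueError("not an AddressSanitizer report")
    return Triage(pid, kind, address, access, frames)
```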