[Webkit-unassigned] [Bug 272296] New: nullderef in FloatingObjects::moveAllToFloatInfoMap
bugzilla-daemon at webkit.org
Sun Apr 7 00:01:15 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=272296
Bug ID: 272296
Summary: nullderef in FloatingObjects::moveAllToFloatInfoMap
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: Layout and Rendering
Assignee: webkit-unassigned at lists.webkit.org
Reporter: bin7o8v at gmail.com
CC: bfulgham at webkit.org, simon.fraser at apple.com, zalan at apple.com
Created attachment 470799
--> https://bugs.webkit.org/attachment.cgi?id=470799&action=review
PoC
Version:
- OS: Ubuntu Desktop 22.04
- WebKit: WebKitGTK 2.43.4
How to reproduce:
1. Compile WebKit from source
2. Serve poc.html on 127.0.0.1:8080
3. Launch MiniBrowser with url 127.0.0.1:8080/poc.html
Crash log:
==1949221==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7fb9750c6c0d bp 0x7fff8d968e10 sp 0x7fff8d968da0 T0)
==1949221==The signal is caused by a READ memory access.
==1949221==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x7fb9750c6c0d in WTF::RefPtr<WTF::SingleThreadWeakPtrImpl, WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl>, WTF::DefaultRefDerefTraits<WTF::SingleThreadWeakPtrImpl>>::operator bool() const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/RefPtr.h:77:47
#1 0x7fb9750c6c0d in WTF::WeakPtrFactory<WebCore::CachedResourceClient, WTF::SingleThreadWeakPtrImpl>::initializeIfNeeded(WebCore::CachedResourceClient const&) const /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/WeakPtr.h:200:13
#2 0x7fb9782da52e in WTF::SingleThreadWeakPtrImpl& WTF::WeakRef<WebCore::RenderBox, WTF::SingleThreadWeakPtrImpl>::implForObject<WebCore::RenderBox>(WebCore::RenderBox const&) /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/WeakRef.h:121:33
#3 0x7fb9782da52e in WTF::WeakRef<WebCore::RenderBox, WTF::SingleThreadWeakPtrImpl>::WeakRef<void>(WebCore::RenderBox&, WTF::EnableWeakPtrThreadingAssertions) /webkitgtk-2.43.4/build-asan/WTF/Headers/wtf/WeakRef.h:46:18
#4 0x7fb9782da52e in WebCore::FloatingObjects::moveAllToFloatInfoMap(WTF::HashMap<WTF::WeakRef<WebCore::RenderBox, WTF::SingleThreadWeakPtrImpl>, std::unique_ptr<WebCore::FloatingObject, std::default_delete<WebCore::FloatingObject>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderBox, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<WTF::WeakRef<WebCore::RenderBox, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<std::unique_ptr<WebCore::FloatingObject, std::default_delete<WebCore::FloatingObject>>>, WTF::HashTableTraits>&) /webkitgtk-2.43.4/Source/WebCore/rendering/FloatingObjects.cpp:303:17
#5 0x7fb978440857 in WebCore::RenderBlockFlow::rebuildFloatingObjectSetFromIntrudingFloats() /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBlockFlow.cpp:227:32
#6 0x7fb97844a21a in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBlockFlow.cpp:502:5
#7 0x7fb9783f964f in WebCore::RenderBlock::layout() /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBlock.cpp:582:5
#8 0x7fb9784538c7 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBlockFlow.cpp:939:9
#9 0x7fb97844ef0d in WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) /webkitgtk-2.43.4/Source/WebCore/rendering/RenderBlockFlow.cpp:834:9
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/webkitgtk-2.43.4/build-asan/lib/libwebkit2gtk-4.0.so.37+0x58c9c0d)
==1949221==ABORTING
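The trace shows the faulting read at address 0x8 inside RefPtr::operator bool, reached from the WeakRef<RenderBox> constructor in FloatingObjects::moveAllToFloatInfoMap: the RenderBox& handed to WeakRef was formed from a null pointer, so the first member access (the factory's impl pointer) lands in the zero page, which is why ASan scores it as a null-deref rather than a heap error. The C++ below is an added example modelling that mechanism, the check that avoids it, and the triage rule for small fault addresses; it is not WebKit's WTF code, the type and member names are simplified stand-ins, and the leading 8-byte field in RenderBoxModel is an assumption placed so that the model reproduces the reported offset.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <optional>
#include <string>

// Simplified model of WTF's WeakPtrFactory / WeakRef (not WebKit's code).
// The impl block is created lazily the first time a weak reference is taken.
struct WeakPtrImplModel {
    int refCount;
    void* object;
};

struct WeakPtrFactoryModel {
    WeakPtrImplModel* m_impl = nullptr;   // stands in for RefPtr<SingleThreadWeakPtrImpl>

    // Corresponds to WeakPtrFactory::initializeIfNeeded in the trace: the very
    // first thing it does is test m_impl, i.e. read `this->m_impl`. If `this`
    // was derived from a null object pointer, that read hits the zero page.
    WeakPtrImplModel& initializeIfNeeded(void* owner) {
        if (!m_impl)
            m_impl = new WeakPtrImplModel{1, owner};
        return *m_impl;
    }
};

// Model of the weakly-referenced render object. The leading 8-byte field is an
// assumption made so that the factory sits at offset 8, the address ASan reported.
struct RenderBoxModel {
    void* m_parent = nullptr;
    WeakPtrFactoryModel m_weakFactory;
    ~RenderBoxModel() { delete m_weakFactory.m_impl; }
    WeakPtrFactoryModel& weakPtrFactory() { return m_weakFactory; }
};

// Model of WeakRef<RenderBox>: the constructor takes a reference, so it has no
// way to detect that the reference was formed from a null pointer.
struct WeakRefModel {
    WeakPtrImplModel* impl;
    explicit WeakRefModel(RenderBoxModel& box)
        : impl(&box.weakPtrFactory().initializeIfNeeded(&box)) {}
};

// The address the faulting read would touch when the RenderBox pointer is null,
// computed from the layout rather than by dereferencing anything.
uintptr_t nullWeakRefFaultAddress() {
    return static_cast<uintptr_t>(offsetof(RenderBoxModel, m_weakFactory)
                                  + offsetof(WeakPtrFactoryModel, m_impl));
}

// Unchecked pattern: `*box` on a null pointer is undefined behaviour and, in
// practice, produces exactly the zero-page read in the report. Never call with null.
WeakRefModel weakRefUnchecked(RenderBoxModel* box) {
    return WeakRefModel(*box);
}

// Checked pattern: refuse to form the reference when the pointer is null.
std::optional<WeakRefModel> weakRefChecked(RenderBoxModel* box) {
    if (!box)
        return std::nullopt;
    return WeakRefModel(*box);
}

// Triage helper: ASan flags a fault as a null-deref when the address lies in
// the first page (4096 bytes on x86-64). A small non-zero address such as 0x8
// is almost always "null base + member offset", i.e. a crash/DoS rather than a
// memory-corruption primitive unless an attacker controls the base pointer.
std::string classifyFaultAddress(uintptr_t addr) {
    if (addr < 4096)
        return "null-deref (member offset " + std::to_string(addr) + ")";
    return "non-null fault: inspect as a possible UAF/overflow";
}

int main() {
    std::cout << "fault address for null RenderBox: 0x" << std::hex
              << nullWeakRefFaultAddress() << std::dec << "\n"
              << classifyFaultAddress(0x8) << "\n";
    RenderBoxModel box;
    auto ref = weakRefChecked(&box);
    std::cout << "checked path with live box: " << (ref ? "ok" : "refused") << "\n";
    std::cout << "checked path with null: " << (weakRefChecked(nullptr) ? "ok" : "refused") << "\n";
}
```

The practitioner takeaway is the fix location, not the model: the caller in moveAllToFloatInfoMap must establish that the RenderBox pointer is non-null before the reference exists, because once a WeakRef constructor holds a RenderBox& there is nothing left for it to check.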