[Webkit-unassigned] [Bug 271849] New: nullptr crash in moveOutOfAllShadowRoots
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Mar 28 14:52:22 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=271849
Bug ID: 271849
Summary: nullptr crash in moveOutOfAllShadowRoots
Product: WebKit
Version: Other
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: DOM
Assignee: webkit-unassigned at lists.webkit.org
Reporter: rniwa at webkit.org
Example crash (EXC_BAD_ACCESS at EventPath.cpp:294): the faulting instruction is a byte load at offset 0x1d from a null Node pointer — in the disassembly below, x9 is set to 0 on the path where the WeakPtr null check (cbz x8, in WeakPtr.h) fails, i.e. the loop in moveOutOfAllShadowRoots calls isInShadowTree() on the nullptr returned by host():
Thread[0] EXC_BAD_ACCESS (SIGSEGV) (0x0000000000000001, 0x000000000000001d)
[ 0] 0x00000001a8a8dba0 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 36 at EventPath.cpp:294:5
290
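// Climbs out of every shadow tree enclosing startingNode and returns the
// outermost node reached: while the current node is in a shadow tree, its
// tree scope's root is a ShadowRoot, and we step to that ShadowRoot's host.
//
// host() is nullable. The crash in this report shows the loop re-entering
// isInShadowTree() on a nullptr returned by host() (the disassembly takes the
// WeakPtr-null branch and then loads from a null base), presumably because the
// ShadowRoot's host reference has already been cleared — TODO confirm how the
// ShadowRoot ends up host-less. Stop climbing in that case instead of
// dereferencing the null pointer.
//
// Returns: the first node outside any shadow tree, or nullptr when a shadow
// root on the way up no longer has a host. The return type was already a
// nullable Node*; callers (e.g. RelatedNodeRetargeter, which stores the result
// in m_retargetedRelatedNode) must tolerate nullptr — verify at the call sites.
static Node* moveOutOfAllShadowRoots(Node& startingNode)
{
    Node* node = &startingNode;
    while (node->isInShadowTree()) {
        auto& shadowRoot = downcast<ShadowRoot>(node->treeScope().rootNode());
        node = shadowRoot.host();
        if (!node)
            return nullptr; // host already gone; nothing further to climb to
    }
    return node;
}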
298
0x00000001a8a8db90: cbz x8, 0x16d9b9c ; <+1992> [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 32 at WeakPtr.h
0x00000001a8a8db94: ldr x9, [x8, #0x8]
0x00000001a8a8db98: b 0x16d9ba0 ; <+1996> [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 36 at EventPath.cpp:294:5
0x00000001a8a8db9c: mov x9, #0x0
-> 0x00000001a8a8dba0: ldrb w8, [x9, #0x1d]
0x00000001a8a8dba4: tbnz w8, #0x3, 0x16d9b84 ; <+1968> [inlined] WebCore::Node::treeScope() const at Node.h:388:17
0x00000001a8a8dba8: ldr w8, [x9, #0x18]
0x00000001a8a8dbac: add w8, w8, #0x2
0x00000001a8a8dbb0: str w8, [x9, #0x18]
[ 0] 0x00000001a8a8db7c WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) + 36 at EventPath.cpp:316:35
312 return;
313 }
314 if (relatedNode.isConnected() != target.isConnected()) {
315 m_hasDifferentTreeRoot = true;
-> 316 m_retargetedRelatedNode = moveOutOfAllShadowRoots(relatedNode);
317 return;
318 }
319
320 collectTreeScopes();
[ 0] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) at EventPath.cpp:302:1
298
299 RelatedNodeRetargeter::RelatedNodeRetargeter(Node& relatedNode, Node& target)
300 : m_relatedNode(relatedNode)
301 , m_retargetedRelatedNode(&relatedNode)
-> 302 {
303 auto& targetTreeScope = target.treeScope();
304 TreeScope* currentTreeScope = &m_relatedNode->treeScope();
305 if (LIKELY(currentTreeScope == &targetTreeScope && target.isConnected() && m_relatedNode->isConnected()))
306 return;
[ 0] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) + 1924 at EventPath.cpp:148:27
144 }
145
146 void EventPath::setRelatedTarget(Node& origin, Node& relatedNode)
147 {
-> 148 RelatedNodeRetargeter retargeter(relatedNode, *m_path[0].node());
149
150 bool originIsRelatedTarget = &origin == &relatedNode;
151 Node& rootNodeInOriginTreeScope = origin.treeScope().rootNode();
152 TreeScope* previousTreeScope = nullptr;
[ 1] 0x00000001a8a8db9f WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 35 at WeakPtr.h:0:56
[ 1] 0x00000001a8a8db7c WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) + 36 at EventPath.cpp:316:35
[ 1] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) at EventPath.cpp:302:1
[ 1] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) + 1924 at EventPath.cpp:148:27
[ 2] 0x00000001a8a8db9f WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 35 at WeakPtr.h:0:56
[ 2] 0x00000001a8a8db7c WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) + 36 at EventPath.cpp:316:35
[ 2] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) at EventPath.cpp:302:1
[ 2] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) + 1924 at EventPath.cpp:148:27
[ 3] 0x00000001a8a8db9f WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 35 at WeakPtr.h:0:56
[ 3] 0x00000001a8a8db7c WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) + 36 at EventPath.cpp:316:35
[ 3] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) at EventPath.cpp:302:1
[ 3] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) + 1924 at EventPath.cpp:148:27
--