[Webkit-unassigned] [Bug 271849] New: nullptr crash in moveOutOfAllShadowRoots

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Mar 28 14:52:22 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=271849

            Bug ID: 271849
           Summary: nullptr crash in moveOutOfAllShadowRoots
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rniwa at webkit.org

e.g.
Thread[0] EXC_BAD_ACCESS (SIGSEGV) (0x0000000000000001, 0x000000000000001d)
[  0] 0x00000001a8a8dba0 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 36 at EventPath.cpp:294:5

       290      
       291      static Node* moveOutOfAllShadowRoots(Node& startingNode)
       292      {
       293          Node* node = &startingNode;
    -> 294          while (node->isInShadowTree())
       295              node = downcast<ShadowRoot>(node->treeScope().rootNode()).host();
       296          return node;
       297      }
       298      


     0x00000001a8a8db90:      cbz x8, 0x16d9b9c        ; <+1992> [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 32 at WeakPtr.h
     0x00000001a8a8db94:      ldr x9, [x8, #0x8]
     0x00000001a8a8db98:        b 0x16d9ba0            ; <+1996> [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 36 at EventPath.cpp:294:5
     0x00000001a8a8db9c:      mov x9, #0x0
 ->  0x00000001a8a8dba0:     ldrb w8, [x9, #0x1d]
     0x00000001a8a8dba4:     tbnz w8, #0x3, 0x16d9b84  ; <+1968> [inlined] WebCore::Node::treeScope() const at Node.h:388:17
     0x00000001a8a8dba8:      ldr w8, [x9, #0x18]
     0x00000001a8a8dbac:      add w8, w8, #0x2
     0x00000001a8a8dbb0:      str w8, [x9, #0x18]

[  0] 0x00000001a8a8db7c WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) + 36 at EventPath.cpp:316:35
       312              return;
       313          }
       314          if (relatedNode.isConnected() != target.isConnected()) {
       315              m_hasDifferentTreeRoot = true;
    -> 316              m_retargetedRelatedNode = moveOutOfAllShadowRoots(relatedNode);
       317              return;
       318          }
       319      
       320          collectTreeScopes();

[  0] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) at EventPath.cpp:302:1
       298      
       299      RelatedNodeRetargeter::RelatedNodeRetargeter(Node& relatedNode, Node& target)
       300          : m_relatedNode(relatedNode)
       301          , m_retargetedRelatedNode(&relatedNode)
    -> 302      {
       303          auto& targetTreeScope = target.treeScope();
       304          TreeScope* currentTreeScope = &m_relatedNode->treeScope();
       305          if (LIKELY(currentTreeScope == &targetTreeScope && target.isConnected() && m_relatedNode->isConnected()))
       306              return;

[  0] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) + 1924 at EventPath.cpp:148:27
       144      }
       145      
       146      void EventPath::setRelatedTarget(Node& origin, Node& relatedNode)
       147      {
    -> 148          RelatedNodeRetargeter retargeter(relatedNode, *m_path[0].node());
       149      
       150          bool originIsRelatedTarget = &origin == &relatedNode;
       151          Node& rootNodeInOriginTreeScope = origin.treeScope().rootNode();
       152          TreeScope* previousTreeScope = nullptr;

[  1] 0x00000001a8a8db9f WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 35 at WeakPtr.h:0:56
[  1] 0x00000001a8a8db7c WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) + 36 at EventPath.cpp:316:35
[  1] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) at EventPath.cpp:302:1
[  1] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) + 1924 at EventPath.cpp:148:27
[  2] 0x00000001a8a8db9f WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 35 at WeakPtr.h:0:56
[  2] 0x00000001a8a8db7c WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) + 36 at EventPath.cpp:316:35
[  2] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) at EventPath.cpp:302:1
[  2] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) + 1924 at EventPath.cpp:148:27
[  3] 0x00000001a8a8db9f WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::moveOutOfAllShadowRoots(WebCore::Node&) + 35 at WeakPtr.h:0:56
[  3] 0x00000001a8a8db7c WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) + 36 at EventPath.cpp:316:35
[  3] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) [inlined] WebCore::RelatedNodeRetargeter::RelatedNodeRetargeter(WebCore::Node&, WebCore::Node&) at EventPath.cpp:302:1
[  3] 0x00000001a8a8db58 WebCore`WebCore::EventPath::setRelatedTarget(WebCore::Node&, WebCore::Node&) + 1924 at EventPath.cpp:148:27
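Added illustration, not WebKit code: a minimal C++ model of the walk at EventPath.cpp:294 from the trace above, with a null check on the host that is my own assumption for demonstration, not the fix adopted for this bug. Every type is a stand-in and the "detached host" scenario is constructed to reproduce a null host().

```cpp
// Added model (not WebKit code) of the loop at EventPath.cpp:294 in the report
// above; the types are stand-ins and the detached-host case is an assumption.
struct Node;
struct TreeScope {               // stand-in for WebKit's TreeScope
    virtual ~TreeScope() = default;
    virtual Node& rootNode() = 0;
};
struct Node {
    TreeScope* scope = nullptr;  // tree scope this node belongs to
    bool inShadowTree = false;   // the flag Node::isInShadowTree() reads
    bool isInShadowTree() const { return inShadowTree; }
    TreeScope& treeScope() const { return *scope; }
};
// host stands in for WebKit's WeakPtr to the host node: it reads as null once
// the host is gone, the case the cbz / mov x9, #0x0 in the disassembly handles.
struct ShadowRoot : Node, TreeScope {
    Node* host = nullptr;
    Node& rootNode() override { return *this; }
};
struct Document : TreeScope {
    Node root;
    Node& rootNode() override { return root; }
};

// The original loop calls node->isInShadowTree() on whatever host() returned,
// so a null host is dereferenced (the ldrb at [x9, #0x1d] in the report).
// This variant stops at the null instead; callers must then handle nullptr.
Node* moveOutOfAllShadowRootsGuarded(Node& startingNode) {
    Node* node = &startingNode;
    while (node && node->isInShadowTree())
        node = static_cast<ShadowRoot&>(node->treeScope().rootNode()).host;
    return node;
}

// Builds document > host > shadow root > inner > nested shadow root > leaf,
// optionally clears the outer host as in the constructed failure case, and
// reports whether the walk ends at the host (true) or at nullptr (false).
bool walkReachesHost(bool detachOuterHost) {
    Document doc;       doc.root.scope = &doc;
    Node host;          host.scope = &doc;
    ShadowRoot outer;   outer.scope = &outer; outer.inShadowTree = true; outer.host = &host;
    Node inner;         inner.scope = &outer; inner.inShadowTree = true;
    ShadowRoot nested;  nested.scope = &nested; nested.inShadowTree = true; nested.host = &inner;
    Node leaf;          leaf.scope = &nested; leaf.inShadowTree = true;
    if (detachOuterHost)
        outer.host = nullptr;   // host WeakPtr already cleared
    return moveOutOfAllShadowRootsGuarded(leaf) == &host;
}
```

With the host intact the walk climbs both shadow roots and ends at the host; with the outer host cleared it returns nullptr, where the page's loop would instead read the flags of a null Node.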
