Status: Fixed
Closed: Mar 2011
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security
RIP goes to zero with select tag, and form validation message with position:relative
Reported by, Mar 21 2011

rip == 0, or null pointer deref at 0x88

Chrome Version: 
Chromium	12.0.710.0 (Developer Build 78857) Ubuntu 10.10
WebKit	534.26 (trunk@81520)

Operating System: 
Ubuntu 10.10:
Linux 2.6.35-28-generic #49-Ubuntu SMP Tue Mar 1 14:39:03 UTC 2011 x86_64


Type of crash: tab
Crash State: 
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff6676994 in remove (this=0x7ffff95ed048)
    at third_party/WebKit/Source/WebCore/rendering/RenderObject.h:752
#2  WebCore::RenderObject::destroy (this=0x7ffff95ed048)
    at third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp:2187

Comment 1 by, Mar 21 2011
tools bisect says:

which is: Roll WebKit DEPS 80725:80974

Comment 2 by, Mar 21 2011
valgrind log.

It says null pointer at 0x88. Don't know if it's a timing issue.
Comment 3 Deleted
looks like a dup of and will check when webkit rolls 
Still sad tab in my Linux 64-bit trunk build, after the roll.
Labels: -Pri-0 -Area-Undefined Pri-1 Area-WebKit SecSeverity-High OS-All Mstone-11
Status: Available
Owner: a deleted user
Status: Assigned
Summary: Regression(80773): RIP goes to zero with webkit-keyframes and select tag (was: NULL)
Kent, this is caused by the one-liner change in Can you please take a look?

    // Needs to update layout now because we'd like to call isFocusable(), which
    // has !renderer()->needsLayout() assertion.
Comment 8 by, Mar 23 2011
I haven't found the root cause yet, but my findings at this moment are:

* I confirmed this was a use-after-free bug.

* RenderMenuList::m_innerBlock keeps a pointer to an anonymous block while m_innerBlock->addChild() can remove m_innerBlock.
   - See RenderMenuList::addChild(), and
   - removeLeftoverAnonymousBlock(this) at the bottom of RenderBlock::addChildIgnoringAnonymousColumnBlocks()

* Probably, doesn't have a code problem and it just exposed the bug.

Thanks a lot Kent. Happy to leave it in your able hands.
Comment 10 by, Mar 23 2011
Summary: Regression(80773): RIP goes to zero with webkit-keyframes, select tag, and form validation (was: NULL)
The crash doesn't happen if I replace document.getElementById('submit').click() with document.getElementByTagName('select')[0].offsetLeft, which calls updateLayoutIgnorePendingStylesheets().

So, I think WebCore/html/ValidationMessage broke an assumption of RenderMenuList.  I should handle this bug :-P

Comment 11 by, Mar 23 2011
Status: Started
Summary: RIP goes to zero with select tag, and form validation message with position:relative (was: NULL)
I found -webkit-animation was unrelated, and found a workaround.

The root cause is "div { position:relative; }". It changes the style of a validation message div, and this style causes an optimization of anonymous blocks.

tracking webkit bug -
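The ownership hazard described in comment 8 and the trigger described in comment 11, as an added illustration that is not WebKit code and not code from this issue: a parent object caches a raw pointer to an anonymous child block, a child insertion routed through that block runs a "leftover anonymous block" cleanup that can delete the block, and the parent keeps using the stale pointer. The Block and MenuList types, the liveBlocks registry, the positioned flag standing in for position:relative, and the "re-derive the pointer after the call" hardening are all assumptions made for this model; the hardening is not the actual WebKit fix.

```cpp
#include <cassert>
#include <memory>
#include <set>
#include <vector>

struct Block;

// Registry of live Block addresses (constructed for this model). It lets the
// stale pointer be observed without dereferencing freed memory.
static std::set<const Block*>& liveBlocks() {
    static std::set<const Block*> s;
    return s;
}

struct Block {
    bool anonymous;
    bool positioned;              // stands in for "position:relative" on the child
    Block* parent = nullptr;
    std::vector<std::unique_ptr<Block>> children;

    Block(bool anon, bool pos = false) : anonymous(anon), positioned(pos) {
        liveBlocks().insert(this);
    }
    ~Block() { liveBlocks().erase(this); }

    Block* addChild(std::unique_ptr<Block> child);
    void removeLeftoverAnonymousBlock();
};

// Appends the child, then runs the cleanup that (per comment 8) sits at the
// bottom of RenderBlock::addChildIgnoringAnonymousColumnBlocks. The cleanup
// may delete *this*, so the caller must not keep using a cached pointer to it.
Block* Block::addChild(std::unique_ptr<Block> child) {
    child->parent = this;
    Block* raw = child.get();
    children.push_back(std::move(child));
    removeLeftoverAnonymousBlock();
    return raw;
}

// Model of the anonymous-block optimisation: an anonymous block holding a
// single positioned child is removed and the child hoisted into its parent.
void Block::removeLeftoverAnonymousBlock() {
    if (!anonymous || !parent || children.size() != 1 || !children[0]->positioned)
        return;
    Block* grand = parent;
    std::unique_ptr<Block> hoisted = std::move(children[0]);
    children.clear();
    hoisted->parent = grand;
    for (auto& slot : grand->children) {
        if (slot.get() == this) {
            slot = std::move(hoisted);   // destroys *this*; no member access after this
            return;
        }
    }
}

// Stand-in for RenderMenuList: owns a root and caches m_innerBlock, an
// anonymous child, as a raw pointer.
struct MenuList {
    Block root{false};
    Block* m_innerBlock = nullptr;

    MenuList() { m_innerBlock = root.addChild(std::make_unique<Block>(true)); }

    // Vulnerable pattern: forwards to the cached block and then keeps using the
    // cached pointer. Returns whether that pointer is still live instead of
    // dereferencing it; false means a real implementation would hit a UAF.
    bool addChildUnsafe(std::unique_ptr<Block> child) {
        m_innerBlock->addChild(std::move(child));
        return liveBlocks().count(m_innerBlock) != 0;
    }

    // Hardened pattern (an assumption for illustration): after any call that
    // may mutate the tree, re-derive the inner block from the tree itself.
    bool addChildSafe(std::unique_ptr<Block> child) {
        m_innerBlock->addChild(std::move(child));
        m_innerBlock = findInnerBlock();
        return m_innerBlock == nullptr || liveBlocks().count(m_innerBlock) != 0;
    }

    Block* findInnerBlock() const {
        for (auto& c : root.children)
            if (c->anonymous) return c.get();
        return nullptr;
    }
};
```

A non-positioned child leaves the anonymous block in place and both patterns behave identically; a positioned child (the validation-message div with position:relative in this bug) triggers the hoist, the unsafe path is left holding a freed pointer, and the safe path notices the block is gone.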
Comment 13 by, Mar 24 2011
Status: Fixed
Fixed in WebKit:
Need to merge it to M10 and M11 branches.

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: WillMerge
Thanks a lot Kent. We will handle the merges.
Labels: reward-topanel
Status: FixUnreleased
There are no more M10 patches.
Merged to M11:
Labels: -reward-topanel reward-1000 reward-unpaid
@miaubiz: great bug and thanks for the usual valgrind and even bisect awesomeness.

Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
Labels: CVE-2011-1447
Labels: -reward-unpaid
Invoice finalized; payment is in e-payment system; it can take a couple of weeks.
Labels: SecImpacts-Stable
Batch update.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed
Project Member Comment 22 by, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 23 by, Mar 10 2013
Labels: -Type-Security -Area-WebKit -SecSeverity-High -Mstone-11 -SecImpacts-Stable Cr-Content Security-Impact-Stable Security-Severity-High M-11 Type-Bug-Security
Project Member Comment 24 by, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 25 by, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 26 by, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 27 by, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 28 by, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member Comment 29 by, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic