Ladybird: Crash when loading mmu.ac.uk

[jamierocks]

Ladybird crashes when loading the Manchester Metropolitan University website (https://www.mmu.ac.uk/).

I have attached the WebContent process to Clion to debug, and it seems that Ladybird SIGSEGV's on Node#type().

[Inlined] type Node.h:66
[Inlined] is_attribute Node.h:76
[Inlined] fast_is<…> Attr.h:61
[Inlined] is<…> TypeCasts.h:19
[Inlined] is<…> TypeCasts.h:27
compare_document_position() Node.cpp:1071
add_sheet() StyleSheetList.cpp:94
add_a_css_style_sheet() StyleSheetList.cpp:33
create_a_css_style_sheet() StyleSheetList.cpp:79
update_a_style_block() StyleElementUtils.cpp:63
Web::SVG::SVGStyleElement::inserted() SVGStyleElement.cpp:41
[Inlined] operator() Node.cpp:488
::for_each_shadow_including_inclusive_descendant<(lambda at /home/jmansfield/src/github/serenityos/serenity/Userland/Libraries/LibWeb/DOM/Node.cpp:486:72)>() ShadowRoot.h:79
::for_each_shadow_including_inclusive_descendant<(lambda at /home/jmansfield/src/github/serenityos/serenity/Userland/Libraries/LibWeb/DOM/Node.cpp:486:72)>() ShadowRoot.h:88
insert_before() Node.cpp:486
pre_insert() Node.cpp:545
Web::DOM::Node::append_child(JS::NonnullGCPtr<…>) Node.cpp:576
clone_element_tree_as_our_shadow_tree() SVGUseElement.cpp:134
attribute_changed() SVGUseElement.cpp:65
run_attribute_change_steps() Element.cpp:448
handle_attribute_changes() Attr.cpp:118
change_attribute() Attr.cpp:95
set_attribute_value() Element.cpp:282
set_attribute_ns() Element.cpp:246
[Inlined] throw_dom_exception_if_needed<(lambda at /home/jmansfield/src/github/serenityos/serenity/Build/lagom/Userland/Libraries/LibWeb/Bindings/ElementPrototype.cpp:2668:66), Web::WebIDL::ExceptionOr<void>, JS::Value> ExceptionOrUtils.h:97
operator()() Function.h:125
internal_call() NativeFunction.cpp:167
[Inlined] call AbstractOperations.h:102
perform_call() CommonImplementations.h:357
[Inlined] execute_impl Interpreter.cpp:1646
run_bytecode() Interpreter.cpp:545
run_executable() Interpreter.cpp:710
ordinary_call_evaluate_body() ECMAScriptFunctionObject.cpp:842
internal_call() ECMAScriptFunctionObject.cpp:418
[Inlined] call AbstractOperations.h:107
invoke_callback() AbstractOperations.cpp:251
[Inlined] operator() WindowOrWorkerGlobalScope.cpp:342
[Inlined] visit<const AK::Variant<JS::NonnullGCPtr<Web::WebIDL::CallbackType>, AK::String>, AK::Variant<JS::NonnullGCPtr<Web::WebIDL::CallbackType>, AK::String>::Visitor<(lambda at /home/jmansfield/src/github/serenityos/serenity/Userland/Libraries/LibWeb/HTML/WindowOrWorkerGlobalScope.cpp:341:13), (lambda at /home/jmansfield/src/github/serenityos/serenity/Userland/Libraries/LibWeb/HTML/WindowOrWorkerGlobalScope.cpp:346:13)>, (unsigned char)'\x00'> Variant.h:112
[Inlined] visit<(lambda at /home/jmansfield/src/github/serenityos/serenity/Userland/Libraries/LibWeb/HTML/WindowOrWorkerGlobalScope.cpp:341:13), (lambda at /home/jmansfield/src/github/serenityos/serenity/Userland/Libraries/LibWeb/HTML/WindowOrWorkerGlobalScope.cpp:346:13)> Variant.h:430
[Inlined] operator() WindowOrWorkerGlobalScope.cpp:339
call() Function.h:192
operator()() Function.h:125
operator()() Function.h:125
process() EventLoop.cpp:166
[Inlined] operator() SafeFunction.h:85
[Inlined] operator() TimerSerenity.cpp:23
call() Function.h:192
operator()() Function.h:125
dispatch_event() EventReceiver.cpp:162
[Inlined] qt_timer_fired EventLoopImplementationQt.cpp:88
[Inlined] operator() EventLoopImplementationQt.cpp:102
exec() EventLoop.cpp:88
serenity_main() main.cpp:171
main Main.cpp:39

[ADKaster]

NodeType is an enum, so this is likely a null ptr deref. The stacktrace looks like we're inserting a style property into an SVGUseElement. Smells like GC use-after-free, or some invalid assumption about the SVGDocument.