New issue
Advanced search Search tips
Starred by 0 users
Status: Fixed
Closed: Sep 2014
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

Sign in to add a comment
Heap-use-after-free in void cc::PreCalculateMetaInformation<cc::LayerImpl>
Project Member Reported by ClusterFuzz, Sep 12 2014 Back to list
Detailed report:

Fuzzer: Marty_html_twiddler
Job Type: Android_asan_chrome

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x72d7c304
Crash State:
  void cc::PreCalculateMetaInformation<cc::LayerImpl>
  void cc::PreCalculateMetaInformation<cc::LayerImpl>
  void cc::PreCalculateMetaInformation<cc::LayerImpl>

Unminimized Testcase:

Additional requirements: Requires Gestures

Additional requirements: Requires HTTP

Filer: inferno
Status: Assigned
Comment 2 by, Sep 12 2014
Determining the affected versions is difficult at present because this doesn't reproduce reliably for CF.  Once the issue is understood, it should be possible to figure out how far back it goes.
Project Member Comment 3 by ClusterFuzz, Sep 12 2014
Labels: Pri-1
Status: Fixed
Should be fixed with this revert.
Project Member Comment 5 by ClusterFuzz, Sep 12 2014
Labels: -Restrict-View-SecurityTeam Merge-Triage Restrict-View-SecurityNotify
Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on

- Your friendly ClusterFuzz
Labels: -Merge-Triage
This bug was introduced by my CalcDrawProps refactor which has not made it to the beta or stable branches. No merge is required.
Project Member Comment 8 by, Sep 18 2014
Labels: merge-merged-2125
The following revision refers to this bug:

commit d1ea9b5a6670389019344279d5bb10bb7edfd139
Author: Ian Vollick <>
Date: Thu Sep 18 04:06:47 2014

Fix RemoveFromScrollTree and RemoveFromClipTree

These functions should set needs commit, but didn't. This lead to stale
pointers in the impl tree.

BUG= 413743 ,403866

Review URL:

Cr-Commit-Position: refs/heads/master@{#294749}
(cherry picked from commit 66133e86b6d79534605539aa684a248e6b6205bf)

Review URL:

Cr-Commit-Position: refs/branch-heads/2125@{#390}
Cr-Branched-From: b68026d94bda36dd106a3d91a098719f952a9477-refs/heads/master@{#290040}


Labels: Release-0-M39 Security_Impact-Stable
Project Member Comment 10 by ClusterFuzz, Dec 19 2014
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 11 by, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Project Member Comment 12 by, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit - Your friendly Sheriffbot
Labels: allpublic
Sign in to add a comment