
Issue 591288 link

Starred by 0 users

Issue metadata

Status: Duplicate
Merged: issue 591299
Owner:
Closed: Mar 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression




Crash in blink::LayoutObject::LayoutObjectBitfields::isAnonymous

Project Member Reported by ClusterFuzz, Mar 2 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4634389096431616

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x00000000003c
Crash State:
  blink::LayoutObject::LayoutObjectBitfields::isAnonymous
  blink::LayoutObject::isAnonymous
  blink::LayoutObject::node
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=378207:378422

Minimized Testcase (0.34 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94gkvPNIb0hLpYxN4bnss7MFf7agvspzfCy2by5F7KEP_was_GcaIEuFi3lsDC8GFmZcRXZsZn_FZJKC7mSvGkEi6vWz4lhsE1VtkQwUOqo9enWI5weB7aty6a2h0w3gLJzzByHcOwg4z2FiOby5Mw-Rh0NJw
<style>
.c7 { dipslay: none; resize: auto; mix-blend-mode: luminosity;</style><script>
var docElement = document.body ? document.body : document.documentElement;
tCF47 = document.createElementNS("http://www.w3.org/1999/xhtml", "myelement");
tCF47.setAttribute("class", "c7");
docElement.appendChild(tCF47);
function tCF_custom_7() {
}
</script>


Filer: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Components: Blink>Paint
Labels: -Pri-1 -Type-Bug findit-for-crash Te-Logged M-51 Type-Bug-Regression Pri-2
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Available)
Author: wangxianzhu
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/e3e7bae15616191d743019b9a5b77ac201aec20e
Time: Mon Feb 29 19:37:40 2016
Lines 1472-1479 of file PaintLayer.cpp, which potentially caused the crash, are changed in this CL (frame #5, "blink::PaintLayer::updateScrollableArea").
Minimum distance from crash line to modified line: 0 (file: PaintLayer.cpp, crashed on: 1472, modified: 1472).

Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-Paint

@wangxianzhu: Requesting you to please take a look into it. Please help us reassign it if it is not related to your change.
Cc: ranjitkan@chromium.org
Mergedinto: 591299
Status: Duplicate (was: Assigned)
Project Member Comment 4 by ClusterFuzz, Mar 3 2016

ClusterFuzz has detected this issue as fixed in range 378770:378857.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4634389096431616

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x00000000003c
Crash State:
  blink::LayoutObject::LayoutObjectBitfields::isAnonymous
  blink::LayoutObject::isAnonymous
  blink::LayoutObject::node
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=378207:378422
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=378770:378857

Minimized Testcase (0.34 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94gkvPNIb0hLpYxN4bnss7MFf7agvspzfCy2by5F7KEP_was_GcaIEuFi3lsDC8GFmZcRXZsZn_FZJKC7mSvGkEi6vWz4lhsE1VtkQwUOqo9enWI5weB7aty6a2h0w3gLJzzByHcOwg4z2FiOby5Mw-Rh0NJw
<style>
.c7 { dipslay: none; resize: auto; mix-blend-mode: luminosity;</style><script>
var docElement = document.body ? document.body : document.documentElement;
tCF47 = document.createElementNS("http://www.w3.org/1999/xhtml", "myelement");
tCF47.setAttribute("class", "c7");
docElement.appendChild(tCF47);
function tCF_custom_7() {
}
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
