Issue 591299 link

Starred by 0 users

Issue metadata

Status:	Fixed
Owner:	wangxianzhu@chromium.org
Closed:	Mar 2016
Cc:	wangxianzhu@chromium.org █ dstockwell@chromium.org █ ranjitkan@chromium.org pucchakayala@google.com vmp...@chromium.org
Components:	Blink>Paint
EstimatedDays:	----
NextAction:	----
OS:	Mac
Pri:	2
Type:	Bug-Regression
Te-Logged Stability-Crash Reproducible Stability-Memory-AddressSanitizer Findit-for-crash Clusterfuzz M-51

Crash in blink::PaintLayerScrollableArea::PaintLayerScrollableArea

Project Member Reported by ClusterFuzz, Mar 2 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6391520078331904

Fuzzer: attekett_dom_fuzzer
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN
Crash Address: 0x000000000038
Crash State:
  blink::PaintLayerScrollableArea::PaintLayerScrollableArea
  blink::PaintLayer::updateScrollableArea
  blink::LayoutBoxModelObject::createLayer
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=378207:378422

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97dDUfBhJqquQI1bMJyRT_MQ89K0LMqH4GPuZrbWPDS_62Jc5gqgx_BadhhSbghcw4Xps-nfzsoQGr15XJRQzpf5a-ys8ftpxnaOun0Hl_kr1iJ56_l0pFOGhttPXdu07vN6hu8_Bp0HqUWa2z79ddaJMQ3Bg
<br><script> 
var test0=document.body.appendChild(document.createElement("mark"))
setTimeout(function(){
test0.style['opacity']='0.2352309252601117';
})


setInterval(function(){
})
try{test0.style.setProperty('resize','horizontal','important');}catch(e){}

</script>


Filer: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ranjitkan@chromium.org, Mar 2 2016

Cc: ranjitkan@chromium.org
Labels: -Pri-1 -Type-Bug findit-for-crash Te-Logged M-51 Type-Bug-Regression Pri-2
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Available)

Author: wangxianzhu
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/e3e7bae15616191d743019b9a5b77ac201aec20e
Time: Mon Feb 29 19:37:40 2016
Lines 1474 of file PaintLayer.cpp which potentially caused crash are changed in this cl (frame #5, "blink::PaintLayer::updateScrollableArea").
Minimum distance from crash line to modified line: 0. (file: PaintLayer.cpp, crashed on: 1472, modified: 1472).

Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-Paint

@wangxianzhu: Request you to please take a look into it. Please help us to reassign this issue to the right owner if not with respect to your change.

Thanks.!

Comment 2 by ranjitkan@chromium.org, Mar 2 2016

Components: Blink>Paint

Comment 3 by wangxianzhu@chromium.org, Mar 2 2016

Status: Fixed (was: Assigned)

Fixed by https://chromium.googlesource.com/chromium/src.git/+/b772a3d31c12361e22a8d6950cbef821ac3dc7d5

Comment 4 by wangxianzhu@chromium.org, Mar 2 2016

 Issue 591288  has been merged into this issue.

Project Member

Comment 5 by ClusterFuzz, Mar 3 2016

ClusterFuzz has detected this issue as fixed in range 378770:378857.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6391520078331904

Fuzzer: attekett_dom_fuzzer
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN
Crash Address: 0x000000000038
Crash State:
  blink::PaintLayerScrollableArea::PaintLayerScrollableArea
  blink::PaintLayer::updateScrollableArea
  blink::LayoutBoxModelObject::createLayer
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=378207:378422
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=378770:378857

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97dDUfBhJqquQI1bMJyRT_MQ89K0LMqH4GPuZrbWPDS_62Jc5gqgx_BadhhSbghcw4Xps-nfzsoQGr15XJRQzpf5a-ys8ftpxnaOun0Hl_kr1iJ56_l0pFOGhttPXdu07vN6hu8_Bp0HqUWa2z79ddaJMQ3Bg
<br><script> 
var test0=document.body.appendChild(document.createElement("mark"))
setTimeout(function(){
test0.style['opacity']='0.2352309252601117';
})


setInterval(function(){
})
try{test0.style.setProperty('resize','horizontal','important');}catch(e){}

</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 6 by wangxianzhu@chromium.org, Mar 7 2016

Cc: pucchakayala@google.com dstockwell@chromium.org wangxianzhu@chromium.org

 Issue 591584  has been merged into this issue.

Project Member

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 591299 link

Issue metadata

Crash in blink::PaintLayerScrollableArea::PaintLayerScrollableArea

Issue description

Comment 1 by ranjitkan@chromium.org, Mar 2 2016

Comment 1 Deleted

Comment 2 by ranjitkan@chromium.org, Mar 2 2016

Comment 2 Deleted

Comment 3 by wangxianzhu@chromium.org, Mar 2 2016

Comment 3 Deleted

Comment 4 by wangxianzhu@chromium.org, Mar 2 2016

Comment 4 Deleted

Comment 5 by ClusterFuzz, Mar 3 2016

Comment 5 Deleted

Comment 6 by wangxianzhu@chromium.org, Mar 7 2016

Comment 6 Deleted

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Comment 7 Deleted

Sign in to add a comment