
Issue 592323

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Mar 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Crash in blink::Document::setTitleElement

Project Member Reported by ClusterFuzz, Mar 7 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6408005303664640

Fuzzer: inferno_twister
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x000000000010
Crash State:
  blink::Document::setTitleElement
  blink::HTMLTitleElement::insertedInto
  blink::ContainerNode::notifyNodeInsertedInternal
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=379046:379326

Minimized Testcase (2.80 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94lXUqk2G_OKiaY64MH5aThre-s0K-UYLPUT3S4xqXjQIDFiM8s5ijEzrN_R4mQ0TKgKMJhC43iiqsCgs35Kq3meUGOcOVYRbnB3y2BVBQPhu3mDgvIOeTTM0QYb-9Sd8NwQmdS0Y3XJbru-z-0SoIu2vIMEA

Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: -nyerramilli@google.com nyerramilli@chromium.org
Labels: findit-for-crash Te-Logged
Owner: hyunjune...@samsung.com
Status: Assigned (was: Available)
From findit: The result is a list of CLs that change the crashed files.

Author: hyunjune.kim
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/2764e5d8a0ec6cf13cb4d918a5032e45da691247
Time: Fri Mar 04 16:33:01 2016
Lines 1339-1348 of file Document.cpp which potentially caused crash are changed in this cl (frame #3, "blink::Document::setTitleElement").
Minimum distance from crash line to modified line: 0. (file: Document.cpp, crashed on: 1339, modified: 1339).

Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-DOM

hyunjune.kim@, could you please check the issue.
Attachment: fuzz-twister-glyphicons-halflings-regular1457145639.57.svg (2.8 KB)

Comment 3 by bugdroid1@chromium.org (Project Member), Mar 7 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b25217584cf92b17941a2db757baa2efd93a77d8

commit b25217584cf92b17941a2db757baa2efd93a77d8
Author: hyunjune.kim <hyunjune.kim@samsung.com>
Date: Mon Mar 07 12:38:40 2016

Revert of Fix SVGDocument return title that is not a child of the root element (patchset #12 id:220001 of https://codereview.chromium.org/1752713002/ )

Reason for revert:
Crash in blink::Document::setTitleElement.

Issue : https://bugs.chromium.org/p/chromium/issues/detail?id=592323

Original issue's description:
> Fix SVGDocument return title that is not a child of the root element
>
> The title element should be a child of the root element.
> But currently an invalid title that is not a child of the root element is returned.
>
> Because on getting, if the root element is an svg element in the SVG
> namespace, then let value be a concatenation of the data of all
> the child Text nodes of the first title element in the SVG namespace
> that is a child of the root element.[1]
>
> And on setting, let element be the first title element in the SVG
> namespace that is a child of the root element, if any.
> If there isn't one, create a title element in the SVG namespace,
> insert it as the first child of the root element, and let element
> be that element.[1]
>
> [1] https://html.spec.whatwg.org/multipage/dom.html#document.title
>
> BUG= 543061 
>
> Committed: https://crrev.com/2764e5d8a0ec6cf13cb4d918a5032e45da691247
> Cr-Commit-Position: refs/heads/master@{#379301}

TBR=fs@opera.com,pdr@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG= 54306 , 592323 

Review URL: https://codereview.chromium.org/1771703003

Cr-Commit-Position: refs/heads/master@{#379541}

[add] https://crrev.com/b25217584cf92b17941a2db757baa2efd93a77d8/third_party/WebKit/LayoutTests/imported/web-platform-tests/html/dom/documents/dom-tree-accessors/document.title-09-expected.txt
[delete] https://crrev.com/d65f3cc4524525f69e30ce6e6c71769ee44459ba/third_party/WebKit/LayoutTests/svg/dom/svg-document-set-title-mutations.html
[modify] https://crrev.com/b25217584cf92b17941a2db757baa2efd93a77d8/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/b25217584cf92b17941a2db757baa2efd93a77d8/third_party/WebKit/Source/core/svg/SVGTitleElement.cpp
[modify] https://crrev.com/b25217584cf92b17941a2db757baa2efd93a77d8/third_party/WebKit/Source/core/svg/SVGTitleElement.h

Status: Fixed (was: Assigned)
Comment 5 by ClusterFuzz (Project Member), Mar 8 2016

ClusterFuzz has detected this issue as fixed in range 379540:379555.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6408005303664640

Fuzzer: inferno_twister
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x000000000010
Crash State:
  blink::Document::setTitleElement
  blink::HTMLTitleElement::insertedInto
  blink::ContainerNode::notifyNodeInsertedInternal
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=379046:379326
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=379540:379555

Minimized Testcase (2.80 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94lXUqk2G_OKiaY64MH5aThre-s0K-UYLPUT3S4xqXjQIDFiM8s5ijEzrN_R4mQ0TKgKMJhC43iiqsCgs35Kq3meUGOcOVYRbnB3y2BVBQPhu3mDgvIOeTTM0QYb-9Sd8NwQmdS0Y3XJbru-z-0SoIu2vIMEA

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 6 by f...@opera.com, Mar 8 2016

Cc: pucchakayala@google.com f...@opera.com hyunjune...@samsung.com
Issue 592833 has been merged into this issue.

Comment 7 by bugdroid1@chromium.org (Project Member), Mar 11 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/962d172872d7097c7074c6597fd52732882a1d9f

commit 962d172872d7097c7074c6597fd52732882a1d9f
Author: hyunjune.kim <hyunjune.kim@samsung.com>
Date: Fri Mar 11 14:58:20 2016

Fix SVGDocument return title that is not a child of the root element

The title element should be a child of the root element.
But currently an invalid title that is not a child of
the root element is returned.

Because on getting, if the root element is an svg element in the SVG
namespace, then let value be a concatenation of the data of all
the child Text nodes of the first title element in the SVG namespace
that is a child of the root element.[1]

And on setting, let element be the first title element in the SVG
namespace that is a child of the root element, if any.
If there isn't one, create a title element in the SVG namespace,
insert it as the first child of the root element, and let element
be that element.[1]

About the reverted patch [2][3]: it didn't consider an inner svg document
in <html> etc., where the root is not <svg>.
With such an inner svg document, inserting a <title> element that is not
in the svg namespace two times caused a crash,
because a member function was called on an instance (m_titleElement)
that is null.
Also added the crash case as
set-title-element-on-inner-svg-document.html.

[1] https://html.spec.whatwg.org/multipage/dom.html#document.title
[2] https://codereview.chromium.org/1771703003/
[3] https://codereview.chromium.org/1752713002/

BUG= 543061 ,  592323 

Review URL: https://codereview.chromium.org/1774913003

Cr-Commit-Position: refs/heads/master@{#380634}

[delete] https://crrev.com/46bf9ff55e29336f3a26f2d3bee81b71a97de669/third_party/WebKit/LayoutTests/imported/web-platform-tests/html/dom/documents/dom-tree-accessors/document.title-09-expected.txt
[add] https://crrev.com/962d172872d7097c7074c6597fd52732882a1d9f/third_party/WebKit/LayoutTests/svg/dom/set-title-element-on-inner-svg-document.html
[add] https://crrev.com/962d172872d7097c7074c6597fd52732882a1d9f/third_party/WebKit/LayoutTests/svg/dom/set-title-html-namespace-on-SVG.html
[add] https://crrev.com/962d172872d7097c7074c6597fd52732882a1d9f/third_party/WebKit/LayoutTests/svg/dom/svg-document-set-title-mutations.html
[modify] https://crrev.com/962d172872d7097c7074c6597fd52732882a1d9f/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/962d172872d7097c7074c6597fd52732882a1d9f/third_party/WebKit/Source/core/svg/SVGTitleElement.cpp
[modify] https://crrev.com/962d172872d7097c7074c6597fd52732882a1d9f/third_party/WebKit/Source/core/svg/SVGTitleElement.h
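
An added example, not code from Blink or from either CL on this bug: a small constructed DOM model in JavaScript that implements the document.title getter and setter as the commit message above quotes them from the HTML spec, and exercises the two tree shapes the messages describe (an SVG root whose only <title> elements are not qualifying children, and an HTML document with an inner <svg> into which an HTML-namespace <title> is inserted twice). The class and function names (Element, Text, Document, svgRootCase, innerSvgCase) are this example's own, and the HTML-document branch omits the spec's whitespace stripping and collapsing.

```javascript
// Added example, not Blink code: a minimal DOM model plus the document.title
// getter/setter as quoted from the HTML spec in the commit message. Every
// lookup of "the title element" may return null, and both accessors check
// for that instead of assuming a current title element exists.
const SVG_NS = "http://www.w3.org/2000/svg";
const HTML_NS = "http://www.w3.org/1999/xhtml";

class Text {
  constructor(data) { this.data = data; }
}

class Element {
  constructor(localName, namespaceURI) {
    this.localName = localName;
    this.namespaceURI = namespaceURI;
    this.children = []; // Element and Text nodes in tree order
  }
  appendChild(node) { this.children.push(node); return node; }
  prependChild(node) { this.children.unshift(node); return node; }
  // "Concatenation of the data of all the child Text nodes"; element children are skipped.
  childTextData() {
    return this.children.filter((c) => c instanceof Text).map((c) => c.data).join("");
  }
  // Pre-order walk over descendant elements, used by the HTML-document lookup.
  *descendants() {
    for (const c of this.children) {
      if (c instanceof Element) { yield c; yield* c.descendants(); }
    }
  }
}

const isTitle = (n, ns) =>
  n instanceof Element && n.localName === "title" && n.namespaceURI === ns;

class Document {
  constructor(root) { this.root = root; }
  // Only a document whose root is <svg> in the SVG namespace gets the SVG rule;
  // an inline <svg> inside <html> does not make the document an SVG document.
  isSvgDocument() {
    return this.root.localName === "svg" && this.root.namespaceURI === SVG_NS;
  }
  // SVG root: the first SVG-namespace <title> that is a *child* of the root.
  // Otherwise: the first HTML-namespace <title> in tree order. May be null.
  titleElement() {
    if (this.isSvgDocument()) {
      return this.root.children.find((c) => isTitle(c, SVG_NS)) ?? null;
    }
    for (const el of this.root.descendants()) if (isTitle(el, HTML_NS)) return el;
    return null;
  }
  // Getter: empty string when there is no title element, never a null dereference.
  get title() {
    const el = this.titleElement();
    return el ? el.childTextData() : "";
  }
  // Setter: reuse the existing title element, else create one in the right
  // place (first child of an SVG root; appended to <head> in an HTML document).
  set title(value) {
    let el = this.titleElement();
    if (!el) {
      if (this.isSvgDocument()) {
        el = this.root.prependChild(new Element("title", SVG_NS));
      } else {
        const head = this.root.children.find((c) => c instanceof Element && c.localName === "head");
        if (!head) return; // spec: no head element, so do nothing
        el = head.appendChild(new Element("title", HTML_NS));
      }
    }
    el.children = [new Text(value)]; // replace all children with a single Text node
  }
}

// Constructed scenario 1: SVG root whose only <title>s are a nested SVG one and an
// HTML-namespace one, i.e. the "invalid title" shapes the original CL rejected.
function svgRootCase() {
  const svg = new Element("svg", SVG_NS);
  const g = svg.appendChild(new Element("g", SVG_NS));
  g.appendChild(new Element("title", SVG_NS)).appendChild(new Text("nested"));
  svg.appendChild(new Element("title", HTML_NS)).appendChild(new Text("wrong namespace"));
  const doc = new Document(svg);
  const before = doc.title; // "" because neither candidate qualifies
  doc.title = "Root title";
  return { before, after: doc.title, firstChildIsSvgTitle: isTitle(svg.children[0], SVG_NS) };
}

// Constructed scenario 2: the shape the commit describes, an HTML document with an
// inner <svg> into which an HTML-namespace <title> is inserted twice.
function innerSvgCase() {
  const html = new Element("html", HTML_NS);
  const head = html.appendChild(new Element("head", HTML_NS));
  const svg = html.appendChild(new Element("body", HTML_NS)).appendChild(new Element("svg", SVG_NS));
  const doc = new Document(html);
  const before = doc.title; // "" because no title element exists yet
  svg.appendChild(new Element("title", HTML_NS)).appendChild(new Text("first"));
  svg.appendChild(new Element("title", HTML_NS)).appendChild(new Text("second"));
  const afterInsert = doc.title; // first HTML <title> in tree order
  doc.title = "Set by script";
  return { before, afterInsert, afterSet: doc.title, headChildren: head.children.length };
}
```

The point both scenarios make is the null lookup: a <title> in the wrong namespace or at the wrong depth legitimately leaves an SVG document with no title element, and an inner <svg> must not switch an HTML document over to the SVG-root rule, so every code path that looks up the current title element has to handle the absent case before calling anything on it.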

Comment 8 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
