
Issue 594919 link

Starred by 0 users

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




ASSERTION FAILED: !callingWindow->document()->getSecurityOrigin()->canAccessChec

Project Member Reported by ClusterFuzz, Mar 15 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5187962706329600

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: !callingWindow->document()->getSecurityOrigin()->canAccessChec
  blink::DOMWindow::sanitizedCrossDomainAccessErrorMessage
  blink::V8WrapperInstantiationScope::convertException
  

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96AIWnjiOvv0Yw1p21r4RUtyavcfhhPBCr9hcNAXqRJTMTLwdmt82mvPM-QKV_5ttZEwYN7nf-J2Iw92x1CnM-Eztj14gPoBgar5-jvUXuDhJ7jI1dhpY7_Vp3wX6OPChDKDbHsgkY0G12ZFM4EBQMhyURWGg
<script>
    // Recurse until the JS stack is exhausted; the resulting exception is
    // swallowed at every level, and win.location is then read while the
    // stack is still nearly full (the iframe is same-origin about:blank).
    var iframe = document.body.appendChild(document.createElement("iframe"));
    var win = iframe.contentWindow;
    function recurse() {
        try { recurse(); } catch(e) {}
        win.location;
    }
    recurse();
</script>


Filer: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ajha@chromium.org, Mar 15 2016

Labels: -Pri-1 findit-for-crash Te-Logged M-51 Pri-2
Owner: danakj@chromium.org
Status: Assigned (was: Available)
Suspected CLs: Regression information is not available. The result is the blame information.

Author: Dana Jansens
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/71331253d6537b9409518dec2368388c5d73cb94
Time: Wed Mar 09 20:57:22 2016
The CL last changed line 240 of file DOMWindow.cpp, which is stack frame 0.

Author: jochen@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/051023a269e548c5da19246c7db6e9870dac2f69
Time: Mon Sep 14 18:02:36 2015
The CL last changed line 119 of file V8DOMWrapper.cpp, which is stack frame 1.

Author: jochen@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/051023a269e548c5da19246c7db6e9870dac2f69
Time: Mon Sep 14 18:02:36 2015
The CL last changed line 151 of file V8DOMWrapper.h, which is stack frame 2.

Author: abarth@webkit.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/89a2f32544b92a8104680a70e2c62eab53374ef3
Time: Thu Jul 09 17:37:46 2009
The CL last changed line 62 of file V8DOMWrapper.cpp, which is stack frame 3.

Author: deepak.s@samsung.com
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/e5a2cc0c08f4f6b8886b967fca35c28666242a63
Time: Wed Apr 29 11:38:17 2015
The CL last changed line 52 of file ScriptWrappable.cpp, which is stack frame 4.

Author: shiva.k1@samsung.com
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/246eda81650f0b14f9c9d503de973da17eee6ee4
Time: Thu May 07 13:06:59 2015
The CL last changed line 39 of file ToV8.h, which is stack frame 5.

Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-Bindings
===============================================

Another one from the "Rename modules/method" work (prefixing with get).

danakj@: Could you please take a look at this, or help in finding an appropriate owner for it?

Comment 2 by danakj@chromium.org, Mar 15 2016

Cc: -ajha@chromium.org
Owner: ajha@chromium.org
Renaming the function isn't causing asserts, though, why assign to me? Can you assign to an owner of the given code?

Comment 3 by ajha@chromium.org, Mar 18 2016

Cc: ajha@chromium.org
Components: Blink>Bindings
Owner: yukishiino@chromium.org
Could this be related to https://codereview.chromium.org/1417023006?

yukishiino@: Could you please take a look, or help in finding an appropriate owner for this?


Components: Blink
Labels: -cr-blink
Remove legacy label cr-blink
Status: Started (was: Assigned)
This issue is not related to my CL, but it's in my area.
Seems we have the wrong ASSERT condition.

Comment 6 by bugdroid1@chromium.org, Mar 23 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3174947e46175db49b0fae95863c79cac5f6ba4e

commit 3174947e46175db49b0fae95863c79cac5f6ba4e
Author: yukishiino <yukishiino@chromium.org>
Date: Wed Mar 23 13:20:35 2016

bindings: Removes a wrong ASSERT: Exception must be thrown across origins.

It's a wrong assumption that an exception should be thrown across origins
if the exception is thrown when we're creating a DOM wrapper for Location.

It's wrong because
1) Even if it's cross-origin, we should be able to create a DOM wrapper
for Location in general, because Location is cross-origin-accessible.
2) Even if it's same-origin, it's possible that an exception will be
thrown due to a runtime error, such as OOM.

Thus, remove the wrong ASSERT at
DOMWindow::sanitizedCrossDomainAccessErrorMessage

BUG= 594919 

Review URL: https://codereview.chromium.org/1825323002

Cr-Commit-Position: refs/heads/master@{#382841}

[modify] https://crrev.com/3174947e46175db49b0fae95863c79cac5f6ba4e/third_party/WebKit/Source/bindings/core/v8/V8DOMWrapper.h
[modify] https://crrev.com/3174947e46175db49b0fae95863c79cac5f6ba4e/third_party/WebKit/Source/core/frame/DOMWindow.cpp
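The commit message's second point (an exception during wrapper creation can be an ordinary runtime error, not a cross-origin failure) is exactly what the minimized testcase provokes. The following is an added Node.js model of that mechanism; it is not code from the Chromium issue or from the fix. It assumes that the exception the fuzzer hit while reading `win.location` is V8's stack-exhaustion RangeError, and it stands in for Blink's bindings with a plain getter (`fakeWindow.location`, `nest`) that does a few nested calls of its own, the way wrapper creation does. `wouldOldAssertFire` models the removed ASSERT: it fires when an exception occurs although the calling and target windows are same-origin.

```javascript
// Added example (not from the Chromium issue or the fix). Assumption: the
// exception seen while reading `win.location` in the testcase is a stack-
// exhaustion RangeError, i.e. a runtime error unrelated to origins.

// Stand-in for a DOM property getter that does some work of its own, as the
// bindings layer does when it creates a Location wrapper. Near the stack
// limit that work can itself throw RangeError, with no cross-origin involved.
const fakeWindow = {
  get location() {
    return nest(12); // a handful of nested calls, like wrapper creation
  },
};
function nest(n) {
  return n === 0 ? { href: "about:blank" } : nest(n - 1);
}

// Mirror the testcase: overflow the stack deliberately, swallow that error at
// every level, then read the getter while unwinding. Tally the outcomes.
function probe() {
  const tally = { rangeErrors: 0, okReads: 0, otherErrors: 0 };
  function recurse() {
    try { recurse(); } catch (e) { /* swallow the overflow, as the testcase does */ }
    try {
      fakeWindow.location;
      tally.okReads++;
    } catch (e) {
      if (e instanceof RangeError) tally.rangeErrors++;
      else tally.otherErrors++;
    }
  }
  recurse();
  return tally;
}

// Model of the removed ASSERT: "an exception here implies the caller could
// not access the target", which is false whenever a same-origin access throws.
function wouldOldAssertFire(sameOrigin, tally) {
  const threw = tally.rangeErrors + tally.otherErrors > 0;
  return sameOrigin && threw;
}

const result = probe();
console.log(result, "old ASSERT would fire (same-origin):", wouldOldAssertFire(true, result));
```

The deepest few reads fail with RangeError because the getter's own calls do not fit in the remaining stack, while the reads higher up succeed; none of the failures is a security error, so an assertion that "exception implies cross-origin" is violated in a same-origin document, which is what the testcase's same-origin about:blank iframe demonstrated.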

Status: Fixed (was: Started)

Comment 9 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
