Crash in blink::measureTextLayoutObject
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5251958440460288

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address:
Crash State:
  blink::measureTextLayoutObject
  blink::walkTree
  blink::SVGTextMetricsBuilder::buildMetricsAndLayoutAttributes

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=381448:381525

Minimized Testcase (42.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95HAZoEWVtfAGww25ugDCo8_42yM0eL5y67THrAHqN8xpW_Xo7CAUYeZROJ8FgQhS0Rs_84KDoh_rAQPQUzEBrcFzbh8qqoh-rmguMwnv8Q1mC4MGMxVD6n-QcNuaR7XMjo8vzdChO_SdOSmN0tNJmB7OAm17uv-JxN5LYINHZsNKSRKOQ

Filer: ligimole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 18 2016
Mar 19 2016
Mar 19 2016
Patch up: https://codereview.chromium.org/1806263005 The only challenging part of that patch was manually reducing the 42Kb testcase. I've filed https://crbug.com/596194 to fix the auto-minimizer for bj_broddelwerk.
Mar 19 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/8e375826a04e52a50c4656f64eaa29c7fb05927c

commit 8e375826a04e52a50c4656f64eaa29c7fb05927c
Author: pdr <pdr@chromium.org>
Date: Sat Mar 19 02:29:52 2016

Do not crash when measuring empty SVG text nodes

A regression was introduced by [1] where the loop in SVGTextMetricsBuilder::measureTextLayoutObject would no longer check if there was any text before attempting to measure the text. This patch adds the trivial empty text check and adds a new test for this edge case.

[1] https://chromium.googlesource.com/chromium/src/+/304ec1544273ed8d62c693da6dd2c63727805cdd

BUG=596148, 589525

Review URL: https://codereview.chromium.org/1806263005

Cr-Commit-Position: refs/heads/master@{#382170}

[add] https://crrev.com/8e375826a04e52a50c4656f64eaa29c7fb05927c/third_party/WebKit/LayoutTests/svg/text/empty-text-node-crash.html
[modify] https://crrev.com/8e375826a04e52a50c4656f64eaa29c7fb05927c/third_party/WebKit/Source/core/layout/svg/SVGTextMetricsBuilder.cpp
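The commit message above describes the class of bug rather than the exact code: a metrics loop that measures a text run without first checking that the run contains any text. The C++ model below is an added illustration and is not Blink's code or the patch itself. The struct and function names, the toy one-unit advance width, the tree shape and the chosen failure mechanism (an unsigned `size() - 1` that wraps to SIZE_MAX on an empty run) are all assumptions made to make the missing check observable; this page records the real crash type only as UNKNOWN. The unguarded pass uses std::string::at so the out-of-bounds read surfaces as an exception rather than a fault.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical model of an SVG text-metrics pass: a tree of text runs is
// walked and every run is measured. This is NOT Blink's code; the names,
// the toy metrics and the failure mechanism are assumptions that illustrate
// the bug class named in the commit message (measuring a run without first
// checking that it has any text).

struct TextNode {
    std::string text;               // characters of this node (may be empty)
    std::vector<TextNode> children; // nested runs, e.g. <tspan> in the model
};

struct Metrics {
    std::size_t glyphs = 0; // characters measured
    std::size_t width = 0;  // toy advance width, one unit per glyph
};

// Toy per-glyph measurement: every character advances one unit.
static std::size_t advanceOf(char) { return 1; }

// "Before": measures a run with no empty check. On an empty string
// text.size() - 1 wraps to SIZE_MAX and the loop indexes past the end.
// std::string::at turns that out-of-bounds read into std::out_of_range so
// the model can be exercised safely; a real build would read garbage or fault.
static Metrics measureRunUnguarded(const std::string& text) {
    Metrics m;
    const std::size_t last = text.size() - 1;   // wraps when text is empty
    for (std::size_t i = 0; i <= last; ++i) {
        m.width += advanceOf(text.at(i));       // throws on the first bad index
        ++m.glyphs;
    }
    return m;
}

// "After": the trivial empty-text check the fix describes, added before
// the loop so an empty run contributes nothing instead of being indexed.
static Metrics measureRunGuarded(const std::string& text) {
    Metrics m;
    if (text.empty())
        return m;                                // nothing to measure
    const std::size_t last = text.size() - 1;
    for (std::size_t i = 0; i <= last; ++i) {
        m.width += advanceOf(text.at(i));
        ++m.glyphs;
    }
    return m;
}

// Depth-first walk over the tree (the model's stand-in for walkTree),
// measuring each run with the supplied measurer and summing the totals.
template <typename Measurer>
static Metrics walkTree(const TextNode& node, Measurer measure) {
    Metrics total = measure(node.text);
    for (const TextNode& child : node.children) {
        Metrics m = walkTree(child, measure);
        total.glyphs += m.glyphs;
        total.width += m.width;
    }
    return total;
}

// Constructed sample, roughly <text>ab<tspan></tspan>cd</text>: a tree whose
// root and middle child are empty text nodes.
static TextNode sampleTree() {
    return TextNode{"", {TextNode{"ab", {}}, TextNode{"", {}}, TextNode{"cd", {}}}};
}

// True if the unguarded pass fails (throws) on the sample tree.
static bool unguardedFaults() {
    try {
        walkTree(sampleTree(), measureRunUnguarded);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

// Total glyph count the guarded pass reports for the sample tree.
static std::size_t guardedGlyphs() {
    return walkTree(sampleTree(), measureRunGuarded).glyphs;
}
```

Walking the constructed tree with measureRunUnguarded fails at the very first (empty) node, while measureRunGuarded skips both empty nodes and reports 4 glyphs for "ab" and "cd". The guard is the whole fix in this model, which is why the commit calls it a trivial check; the hard part of the real bug, as the thread notes, was reducing the fuzzer's testcase, not writing the patch.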
Mar 19 2016
Mar 19 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5251958440460288

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address:
Crash State:
  blink::measureTextLayoutObject
  blink::walkTree
  blink::SVGTextMetricsBuilder::buildMetricsAndLayoutAttributes

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=381448:381525

Minimized Testcase (42.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95HAZoEWVtfAGww25ugDCo8_42yM0eL5y67THrAHqN8xpW_Xo7CAUYeZROJ8FgQhS0Rs_84KDoh_rAQPQUzEBrcFzbh8qqoh-rmguMwnv8Q1mC4MGMxVD6n-QcNuaR7XMjo8vzdChO_SdOSmN0tNJmB7OAm17uv-JxN5LYINHZsNKSRKOQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 22 2016
ClusterFuzz is still complaining, hence reopening.
Mar 22 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6713590270132224

Fuzzer: lcamtuf_cross_fuzz
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address:
Crash State:
  blink::measureTextLayoutObject
  blink::walkTree
  blink::SVGTextMetricsBuilder::buildMetricsAndLayoutAttributes

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=381525:381877

Minimized Testcase (19.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94m_HDwXPVVB0FroLSxHWwFAslHKje8yONOrO-ligdSsaeIOel5JSV8ptrUWD2IK_khExlVD4TppsjowkG8R-ze2Unk1ASyd-ld7MN6dKlSsDASst_wid6K-Mczm3M7asof-xTpajH5l1_ikstJ7fyMYj5P_Ko8xlXZjzLr-c9o3isxe7I

Filer: ligimole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 22 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6713590270132224

Fuzzer: lcamtuf_cross_fuzz
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address:
Crash State:
  blink::measureTextLayoutObject
  blink::walkTree
  blink::SVGTextMetricsBuilder::buildMetricsAndLayoutAttributes

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=381525:381877

Minimized Testcase (19.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94m_HDwXPVVB0FroLSxHWwFAslHKje8yONOrO-ligdSsaeIOel5JSV8ptrUWD2IK_khExlVD4TppsjowkG8R-ze2Unk1ASyd-ld7MN6dKlSsDASst_wid6K-Mczm3M7asof-xTpajH5l1_ikstJ7fyMYj5P_Ko8xlXZjzLr-c9o3isxe7I

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 23 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6713590270132224

Fuzzer: lcamtuf_cross_fuzz
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address:
Crash State:
  blink::measureTextLayoutObject
  blink::walkTree
  blink::SVGTextMetricsBuilder::buildMetricsAndLayoutAttributes

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=381525:381877

Minimized Testcase (19.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94m_HDwXPVVB0FroLSxHWwFAslHKje8yONOrO-ligdSsaeIOel5JSV8ptrUWD2IK_khExlVD4TppsjowkG8R-ze2Unk1ASyd-ld7MN6dKlSsDASst_wid6K-Mczm3M7asof-xTpajH5l1_ikstJ7fyMYj5P_Ko8xlXZjzLr-c9o3isxe7I

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 23 2016
Mar 25 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5251958440460288

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address:
Crash State:
  blink::measureTextLayoutObject
  blink::walkTree
  blink::SVGTextMetricsBuilder::buildMetricsAndLayoutAttributes

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=381448:381525

Minimized Testcase (42.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95HAZoEWVtfAGww25ugDCo8_42yM0eL5y67THrAHqN8xpW_Xo7CAUYeZROJ8FgQhS0Rs_84KDoh_rAQPQUzEBrcFzbh8qqoh-rmguMwnv8Q1mC4MGMxVD6n-QcNuaR7XMjo8vzdChO_SdOSmN0tNJmB7OAm17uv-JxN5LYINHZsNKSRKOQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by ligim...@chromium.org, Mar 18 2016
Labels: M-51 Te-Logged
Owner: pdr@chromium.org
Status: Assigned (was: Available)