Crash in blink::SVGCircleElement::asPath
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4580571728052224

Fuzzer: attekett_dom_fuzzer
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::SVGCircleElement::asPath
  blink::SVGGeometryElement::toClipPath
  blink::SVGUseElement::toClipPath

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703

Minimized Testcase (0.43 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9474DBuwHd-UTAcBmyTqVpLY7lDa563qJCv13ydrlUmdsV0XasHc1zWGN0omqIf9MgBaWcDrmL7_WBP0RdVF9C2a3m_PiDWEVVD48mL75bdF8xwK4RV9XmJIGlZWrM-ePXvvVTMQH5X3LFrkgqiw81aMimxYA

<svg>
  <defs>
    <polygon id="clip1Shape" points="100,10 40,180 190,60 10,60 160,180 100,10" />
    <circle id="clip2Shape" />
    <clipPath id="clipUnion">
      <use xlink:href="#clip1Shape" />
      <use xlink:href="#clip2Shape">
  </defs>
  <rect width="180" height="180" clip-path="url(#clipUnion)">
  <script>
    var test3=document.getElementById("clip2Shape")
    test3.style.display='none';
  </script>

Filer: ligimole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 29 2016
There is no relevant recent code change in the crash files, looping to SVG owner for updates.
Mar 29 2016
Minimized and cleaned up testcase.
Mar 30 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ccdb62a9c8970104efc2e127744a7caf35fe8787

commit ccdb62a9c8970104efc2e127744a7caf35fe8787
Author: pdr <pdr@chromium.org>
Date: Wed Mar 30 16:45:24 2016

Do not show display:none clipPath targets when referenced with <use>

This patch fixes a crash when a <use> element references a display:none geometry element. In this scenario there is no layout object and no path to use for clipping, so no clipping should occur. This matches the existing behavior for non-used display:none elements (LayoutSVGResourceClipper::createContentPicture).

A test has been added of both direct and indirect display:none clip path children.

BUG=598806

Review URL: https://codereview.chromium.org/1840343002

Cr-Commit-Position: refs/heads/master@{#384002}

[add] https://crrev.com/ccdb62a9c8970104efc2e127744a7caf35fe8787/third_party/WebKit/LayoutTests/svg/clip-path/display-none-children-expected.html
[add] https://crrev.com/ccdb62a9c8970104efc2e127744a7caf35fe8787/third_party/WebKit/LayoutTests/svg/clip-path/display-none-children.html
[modify] https://crrev.com/ccdb62a9c8970104efc2e127744a7caf35fe8787/third_party/WebKit/Source/core/svg/SVGUseElement.cpp
Mar 31 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5688300735561728

Fuzzer: mbarbella_js_mutation_layout
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000000b
Crash State:
  blink::SVGRectElement::asPath
  blink::SVGGeometryElement::toClipPath
  blink::SVGUseElement::toClipPath

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=381899:383055

Minimized Testcase (0.35 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96VDC_VlS9Om6PWGx17Kygx4-RAl19O8xZmQkWCzedRb0nSQrArZ9oFsfwnRJKStZAimOSPD0PLvPyesNJurBdkEeHJgfBH2ikqZfwIYI8OJ4_4PJcpUwazvDPVGQe4Sca3MTL3hFE2mqHPgK64YpSF0n7XpA

<svg>
  <defs>
    <rect height="100" id="clip2Shape" width="50"> </rect>
    <rect height="100" id="clip3Shape" style="display:none"> </rect>
    <clipPath id="clipUnion">
      <use xlink:href="#clip2Shape"> </use>
      <use xlink:href="#clip3Shape" clip. --</rect>
  </defs>
  <rect clip-path="url(#clipUnion)" height="100" width="300">

Filer: manoranjanr

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 1 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5688300735561728
(Fuzzer, job type, crash state, regression range and minimized testcase are identical to the Mar 31 2016 report above.)

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 11 2016
Fixed?
Apr 16 2016
ClusterFuzz has detected this issue as fixed in range 383194:384397.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4580571728052224

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=383194:384397

Minimized Testcase (0.43 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97PK7kXkShQ7x_D77Cxcej6gNMKrGe7NZRz_rLYcLuXLh4dDm4ymAsNJ1fPJ1jatN7AYFiaAJFlLUdwfQb9IPQImGHTJ1V3lA_rmouL_SEu9egpVVnrIRN1EV1C4UDBDyc9JT4eFJdcETi8cW0R-zVZ4pqfuQ
(Fuzzer, job type, crash state and testcase contents are identical to the issue description above.)

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot