
Issue 600918

Issue metadata

Status: Duplicate
Owner: ----
Closed: Apr 2016
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Crash in blink::ElementStyleResources::loadPendingImages

Project Member Reported by ClusterFuzz, Apr 6 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6414543130984448

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000008
Crash State:
  blink::ElementStyleResources::loadPendingImages
  blink::ElementStyleResources::loadPendingResources
  blink::StyleResolver::applyMatchedProperties
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=383194:384406

Minimized Testcase (0.53 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96mWg85KlXOyE54w_Js1oafi5smLClO71uwevPnW-34Dsp2KNtPR5DxVBNLoVn0BqNWINwGskpU874g9F7gC760qxXGH-qBa0KjEnrOTcaHCkdQrVOak5wDP5XUKb41ceFxZtNcWWNh0BsfSFRizP8PEmXZ7Q
<style>.c31 {
    content: counter(ctr) url(chrome://favicon/) open-quote "Before " attr(class)
    }
.c31 {
    content: counter(ctr) url(chrome://favicon/) open-quote "Before " attr(class)
</style><script>
var docElement = document.body ? document.body : document.documentElement;
 tCF176 = document.createElementNS("http://www.w3.org/1999/xhtml", "ul"); 
 docElement.appendChild(tCF176); 
function editFuzz() {
document.designMode = "on";
}
setTimeout("try { editFuzz(); } catch(e) {}");
 tCF176.setAttribute("class", "c31"); 
</script>


Filer: nainar

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Mergedinto: 599705
Status: Duplicate (was: Available)
Comment 2 by ClusterFuzz (Project Member), Jun 9 2016

ClusterFuzz has detected this issue as fixed in range 385386:385450.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6414543130984448

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000008
Crash State:
  blink::ElementStyleResources::loadPendingImages
  blink::ElementStyleResources::loadPendingResources
  blink::StyleResolver::applyMatchedProperties
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=383194:384406
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=385386:385450

Minimized Testcase (18.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95RUPfMoseknFMXqdG5bMXxsBR6UbpFdiiw2ViLHrLSpi2XCPK3_OtjpObpd_f3DvtpS0OMHGFtwl8KH8s7PkGLhFmqANOkVW-JI_Leq7xKuMsZVoNv1pid8fP3AvczNrTzNe_dMGku5Vv889Y7GTqpi6AHQcq2NlS2ciahZYj8gKfUkHk

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 3 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot