CHECK failed: !document().isActive() || !document().needsLayoutTreeUpdateForNode
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4577226078552064
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  CHECK failed: !document().isActive() || !document().needsLayoutTreeUpdateForNode
  blink::Element::isFocusable
  blink::Element::focus
Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95-55zOGnPoVu7xaxXgBWBSp2KLQjKIfAyodOvaztVEncmlq8LU9XrvymDCXHCdHxcVbwyVQVB89pgvvcU-EynpR4Uv9YovpOLF0DJp7vk9rL_6mzuWmIflkJFCsG8AKID0EAugTiS3dXO4bN8f72iEdLKjQA
<style> .box { -webkit-filter: url(#offset); </style>
<div class="box before">
<svg>
<filter id="offset">
<div id="div">
<script> div.focus(); </script>
Filer: manoranjanr
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 20 2016
I formatted the reduced reproduction case and it looks like this:
<style>
.box { -webkit-filter: url(#f); }
</style>
<svg><filter id="f"></filter></svg>
<div class="box" id="div"></div>
<script>
div.focus();
</script>
-webkit-filter refers to SVG filter #f, and the style rule will be applied
to <div class="box">. div.focus() tries to set focus on the div element.
The Element::focus() code does this:
2403 document().updateStyleAndLayoutIgnorePendingStylesheetsForNode(this);
2404 if (!isFocusable())
2405 return;
and in isFocusable(), the !document().isActive() || !document().needsLayoutTreeUpdateForNode
check is performed.
Usually after line 2403, this element's style is expected to be up-to-date,
but in this case, needsLayoutTreeUpdate flag isn't cleared.
If I change the filter style rule to, say, "sepia(30%)" then the crash doesn't occur
(layout got up-to-date).
At this point I think the -webkit-filter: url(#..) code has some problem where the
reference cannot resolve the style for the layout computation.
Can someone take over this?
Jul 21 2016
Sep 21 2016
ClusterFuzz has detected this issue as fixed in range 392551:392552.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4577226078552064
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !document().isActive() || !document().needsLayoutTreeUpdateForNode(*this) in Ele
  blink::Element::isFocusable
  blink::Element::focus
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=374251:374424
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=392551:392552
Minimized Testcase (0.22 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97NdOOhpzNoNZUadm-deCF-AhVnHsdllszEErk4xz4Ac21JbuoVCbZeEeaDNik-gI_r8vmm4KbOlLNKiDJrPe2QU_7EFY8ND6MULH9ZtAtbtudikNPzrWLdTWvpHbLlydl_j7VKLS0AAtWBXJT9_MVhsnKQew?testcase_id=4577226078552064
<style> .box { -webkit-filter: url(#offset); </style>
<div class="box before">
<svg height="0" xmlns="http://www.w3.org/2000/svg">
<filter id="offset">
<div id="div">
<script> div.focus(); </script>
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 5 2017
Comment 1 by manoranj...@chromium.org, Apr 21 2016
Labels: Te-Logged