Crash in blink::SVGSMILElement::notifyDependentsIntervalChanged
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5891995872002048

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::SVGSMILElement::notifyDependentsIntervalChanged
  blink::SVGSMILElement::resolveFirstInterval
  blink::SMILTimeContainer::setElapsed

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172836:173286

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97eA9IiIX-oT8Mt8zeS3V5xSg1QibzbapgkYIh8bSmz5UTZ5oxOFOfv5KAldmc54gtGpmvDvkjQb9aXJ_AB3HkNGHYHBIO5kbyDX_euJkYsiCJVBnso0RNXOPb-cxq8lBb8FUrF8jlyAct34A30ApEBTHmumA

Additional requirements: Requires Gestures

Filer: ligimole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 11 2016
May 11 2016
Unlikely suspect, but I can take a look.
May 11 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6d735f78334721b46d37f97ad8efb12d6e329e75

commit 6d735f78334721b46d37f97ad8efb12d6e329e75
Author: sigbjornf <sigbjornf@opera.com>
Date: Wed May 11 14:39:31 2016

Simplify SVGSMILElement::notifyDependentsIntervalChanged loop breaker.

To catch out recursive notifications, notifyDependentsIntervalChanged() keeps track of the SVGSMILElements that are on the stack and being notified, so as to bail early in case of loops. There's no need for that set of SVGSMILElements to be recorded using a persistent static local as the objects are stack reachable should a conservative GC be needed, so an 'ordinary' hash set will do.

Not using a persistent reference also addresses a bad interaction with LSan (Blink has to release all static persistents before shutting down to prevent false leaks w/ LSan enabled), but SVGImages containing animations may end up in this code path as part of an image resource being finalized. Which would then encounter an empty persistent static reference and fail (see associated bug and stack trace.)

R=haraken
BUG= 610855

Review-Url: https://codereview.chromium.org/1968683003
Cr-Commit-Position: refs/heads/master@{#392919}

[modify] https://crrev.com/6d735f78334721b46d37f97ad8efb12d6e329e75/third_party/WebKit/Source/core/svg/animation/SVGSMILElement.cpp
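The commit above describes a recursion guard: a set of the elements currently being notified, consulted on entry so that a dependency cycle bails out instead of recursing forever, and held in an ordinary function-local static because every entry is on the call stack anyway. The following is an added illustration of that pattern, written for this page and not Blink's code; `TimedElement`, `runCycleDemo` and the constructed a -> b -> a graph are hypothetical names and inputs, and the LSan/shutdown interaction in the commit message is discussed only in prose here, not modelled.

```cpp
#include <unordered_set>
#include <vector>

// Hypothetical stand-in for a timed element that other elements depend on.
// Constructed for this example; not Blink's SVGSMILElement.
struct TimedElement {
    std::vector<TimedElement*> dependents;  // elements whose interval depends on ours
    int notifications = 0;                  // how often an interval change reached us

    void notifyDependentsIntervalChanged();
};

void TimedElement::notifyDependentsIntervalChanged() {
    // Ordinary function-local static set. Its contents are exactly the elements
    // currently on the notification call stack, so every entry is stack reachable
    // for the duration it is in the set; no separately managed persistent handle
    // is needed, and there is nothing to release at shutdown.
    static std::unordered_set<TimedElement*> loopBreaker;

    // Already being notified further up the stack: a dependency cycle.
    // Bail out instead of recursing forever.
    if (!loopBreaker.insert(this).second)
        return;

    for (TimedElement* dep : dependents) {
        ++dep->notifications;
        dep->notifyDependentsIntervalChanged();  // may recurse back into *this
    }

    loopBreaker.erase(this);  // set is empty again once the outermost call returns
}

// Builds a constructed dependency graph with a cycle (a -> b -> a) plus a leaf c,
// triggers an interval change on a, and returns notification counts for {a, b, c}.
std::vector<int> runCycleDemo() {
    TimedElement a, b, c;
    a.dependents = {&b};
    b.dependents = {&a, &c};
    a.notifyDependentsIntervalChanged();
    return {a.notifications, b.notifications, c.notifications};
}

int main() {
    // Each element is notified exactly once; the second visit to a is cut off.
    std::vector<int> counts = runCycleDemo();
    return counts == std::vector<int>{1, 1, 1} ? 0 : 1;
}
```

Running `runCycleDemo()` twice gives the same counts, which checks that the guard set is drained on the way out; a stale entry left behind would make a later notification bail out immediately and silently drop updates.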
May 11 2016
The crash condition was LSan-specific.
May 17 2016
ClusterFuzz has detected this issue as fixed in range 393799:393810.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5891995872002048

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::SVGSMILElement::notifyDependentsIntervalChanged
  blink::SVGSMILElement::resolveFirstInterval
  blink::SMILTimeContainer::setElapsed

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172836:173286
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=393799:393810

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97eA9IiIX-oT8Mt8zeS3V5xSg1QibzbapgkYIh8bSmz5UTZ5oxOFOfv5KAldmc54gtGpmvDvkjQb9aXJ_AB3HkNGHYHBIO5kbyDX_euJkYsiCJVBnso0RNXOPb-cxq8lBb8FUrF8jlyAct34A30ApEBTHmumA

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ligim...@chromium.org, May 10 2016
Components: Blink
Labels: Te-Logged M-52
Owner: sigbj...@opera.com
Status: Assigned (was: Available)