Maybe

Author: dsinclair@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/193ad20975ef9540c9f6aa163c6514dd78725a7b
Time: Tue Apr 21 20:39:29 2015
The CL last changed line 831 of file LayoutTableSection.cpp, which is stack frame 0.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5583731490553856

Fuzzer: inferno_twister
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 7
Crash Address: 0x6110000345f8
Crash State:
  blink::LayoutTableSection::layout
  blink::FrameView::performLayout
  blink::FrameView::layout
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=394251:394739

Minimized Testcase (0.33 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv949r5P-YL7lzrNZ1c97K3arGMZNMLGE7Cf9sc0yAM_EapweY_PexCOB_RuhKwTa8CsF0vi3LRKPeUVN44wEgmiRqse1biw_5Vhr9LfDXGkjPK8pDKe1MMr-V9EMd9lOSQ1YAkI1VTwaDprVOtKwQyi-n-Wnjw
<table>
<tr id=tCF4>
</style><style>
* { animation-name: cfpulse95;248)scale(-11%); contain: strict;</style><script>
var docElement = document.body ? document.body : document.documentElement;
if (docElement) docElement.offsetTop;
tCFDoc6911 = document.implementation.createDocument( "", null);
tCFDoc6911.appendChild(tCF4);
</script>


Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Author: nainar
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/52328753422fc25a3815bd58f6eaf8e70f6e27ff
Time: Thu May 19 03:04:00 2016
Lines 2588 of file FrameView.cpp which potentially caused crash are changed in this cl (frame #6, "blink::FrameView::updateStyleAndLayoutIfNeededRecursiveInternal").
Minimum distance from crash line to modified line: 0. (file: FrameView.cpp, crashed on: 2588, modified: 2588).

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The suspect CL in comment #3 is just a name change, so not a plausible candidate. I'm investigating.

robhogan@:

Hi Rob, I think this is a regression from one of your CLs:
https://codereview.chromium.org/1946413002

This is actually a use-after-free caused by a table section not getting RecalcCells() called it needs it. There is some DOM manipulation to create this condition, and then there is a dereference of stale pointer in the row list (never mind that the initial report calls this a bad cast, apparently the memory was getting reallocated to a PaintLayer).

This is a security bug. Are you able to resolve it?

I can reproduce it with both https://codereview.chromium.org/1946413002 and its ancestor https://codereview.chromium.org/1809643008 reverted.

I'm surprised to see layoutFromRootObject() use a table section as the layout root. I would have said only tables can deal with sections directly - and skipping layout on the table is the reason why needsCellsRecalc() is asserting, as that's where sections and cells are rebuilt if necessary.

So we need someone familiar with subtree layout to cast their eye over this. leviw maybe?

This bug does seem to be containment-related. Maybe we shouldn't be able to make table sections a relayout boundary? 

@leviw?

Here's a reduction:

<table>
<tr id=tCF4>
<style>
* { contain: strict;} 
</style>
<script>
var docElement = document.documentElement;
docElement.offsetTop;
document.implementation.createDocument( "", null).appendChild(tCF4);
</script>

Deleted: 613907.html 214 bytes

613907.html 214 bytes View Download

Ah, sorry. I thought I had reverted your change and had it fail to reproduce, but I must have done something wrong because I am seeing the same assertion.

Thanks for your help with the analysis. This is a fairly recent regression (I had an older build on my Windows machine and it wasn't hitting the assert), but it might be getting triggered as a side-effect of an unrelated change to layout somewhere.

Levi is no longer working on Blink.

Also, this is not a regression as it relies on a new feature.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0274d37d7fbebbdb95a912255e2015779b03394d

commit 0274d37d7fbebbdb95a912255e2015779b03394d
Author: dgrogan <dgrogan@chromium.org>
Date: Thu Jun 02 16:09:08 2016

[css] Bandaid fix for crash when tables and containment mix.

BUG= 613907 

Review-Url: https://codereview.chromium.org/2037443002
Cr-Commit-Position: refs/heads/master@{#397433}

[add] https://crrev.com/0274d37d7fbebbdb95a912255e2015779b03394d/third_party/WebKit/LayoutTests/fast/table/containment-expected.txt
[add] https://crrev.com/0274d37d7fbebbdb95a912255e2015779b03394d/third_party/WebKit/LayoutTests/fast/table/containment.html
[modify] https://crrev.com/0274d37d7fbebbdb95a912255e2015779b03394d/third_party/WebKit/Source/core/layout/LayoutTableSection.cpp

Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Your change meets the bar and is auto-approved for M52 (branch: 2743)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d87e8e5e90b234510614a57119c748e27b1939e8

commit d87e8e5e90b234510614a57119c748e27b1939e8
Author: David Grogan <dgrogan@chromium.org>
Date: Fri Jun 03 16:30:40 2016

[css] Bandaid fix for crash when tables and containment mix.

BUG= 613907 

Review-Url: https://codereview.chromium.org/2037443002
Cr-Commit-Position: refs/heads/master@{#397433}
(cherry picked from commit 0274d37d7fbebbdb95a912255e2015779b03394d)

Review URL: https://codereview.chromium.org/2040463002 .

Cr-Commit-Position: refs/branch-heads/2743@{#204}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[add] https://crrev.com/d87e8e5e90b234510614a57119c748e27b1939e8/third_party/WebKit/LayoutTests/fast/table/containment-expected.txt
[add] https://crrev.com/d87e8e5e90b234510614a57119c748e27b1939e8/third_party/WebKit/LayoutTests/fast/table/containment.html
[modify] https://crrev.com/d87e8e5e90b234510614a57119c748e27b1939e8/third_party/WebKit/Source/core/layout/LayoutTableSection.cpp

Now that this isn't a security issue further work will take place in  https://crbug.com/616643  (Tables and CSS containment interact poorly), just FYI

ClusterFuzz has detected this issue as fixed in range 397421:397444.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5583731490553856

Fuzzer: inferno_twister
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 7
Crash Address: 0x61100002a878
Crash State:
  blink::LayoutTableSection::layout
  blink::FrameView::performLayout
  blink::FrameView::layout
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=394251:394739
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=397421:397444

Minimized Testcase (0.33 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94wD-KYqn7nvrD8KojTwQef1S9rET0ufjg1jdRKC97yZ70cXWsj2sGNHF7rwxK9T8iDK6C-F2aEUJs8ZKaftozdCqIpE8nreJY6QXYGQ1w1LeYNkP4Ngxo5anOLsCZooxaT9zBNoFpZidzTYG_dw3D_J0APoQ
<table>
<tr id=tCF4>
</style><style>
* { animation-name: cfpulse95;248)scale(-11%); contain: strict;</style><script>
var docElement = document.body ? document.body : document.documentElement;
if (docElement) docElement.offsetTop;
tCFDoc6911 = document.implementation.createDocument( "", null);
tCFDoc6911.appendChild(tCF4);
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot