Bad-cast to blink::LayoutObject from blink::PaintLayer; LayoutTableSection.cpp:831:18
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6056485184602112
Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x13233700c3e8
Crash State:
  Bad-cast to blink::LayoutObject from blink::PaintLayer
  LayoutTableSection.cpp:831:18
Recommended Security Severity: High
Minimized Testcase (0.51 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94dmFOau04VI-pr-TUHqzA1xrpUCryszBX44w89cZW90V93fG6VnMRU5uUkFP2FlEZ1Px0ivlUyaqEhwvR_ZmMpnNPxUOn62BUcIxAwhD8XcFULEhb-Lw-VmDZGJkdSz1CZoclVt-yCODfQvFVQZrNaSyWnFw
<unknown id=tCF9><frijole id=tCF17 style="marker-offset: 1486458433em; "</frijole></frijole>
<style> * { animation-name: cfpulse68; contain: strict;</style>
<script>
var docElement = document.body ? document.body : document.documentElement;
tCF94 = document.createElementNS("http://www.w3.org/1999/xhtml", "cr");
tCF96 = document.createElementNS("http://www.w3.org/1999/xhtml", "dl");
tCF9.style.display = "table-row-group"
if (docElement) docElement.offsetTop;
tCF94.appendChild(tCF17);
tCF9.appendChild(tCF96);
</script>
Additional requirements: Requires HTTP
Filer: inferno
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
-- May 23 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5583731490553856
Fuzzer: inferno_twister
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 7
Crash Address: 0x6110000345f8
Crash State:
  blink::LayoutTableSection::layout
  blink::FrameView::performLayout
  blink::FrameView::layout
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=394251:394739
Minimized Testcase (0.33 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv949r5P-YL7lzrNZ1c97K3arGMZNMLGE7Cf9sc0yAM_EapweY_PexCOB_RuhKwTa8CsF0vi3LRKPeUVN44wEgmiRqse1biw_5Vhr9LfDXGkjPK8pDKe1MMr-V9EMd9lOSQ1YAkI1VTwaDprVOtKwQyi-n-Wnjw
<table>
<tr id=tCF4>
</style><style> * { animation-name: cfpulse95;248)scale(-11%); contain: strict;</style>
<script>
var docElement = document.body ? document.body : document.documentElement;
if (docElement) docElement.offsetTop;
tCFDoc6911 = document.implementation.createDocument( "", null);
tCFDoc6911.appendChild(tCF4);
</script>
Filer: inferno
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
-- May 23 2016
Author: nainar
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/52328753422fc25a3815bd58f6eaf8e70f6e27ff
Time: Thu May 19 03:04:00 2016
Line 2588 of file FrameView.cpp, which potentially caused the crash, is changed in this CL (frame #6, "blink::FrameView::updateStyleAndLayoutIfNeededRecursiveInternal").
Minimum distance from crash line to modified line: 0. (file: FrameView.cpp, crashed on: 2588, modified: 2588).
-- May 23 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
-- May 26 2016
The suspect CL in comment #3 is just a name change, so not a plausible candidate. I'm investigating.
-- May 31 2016
robhogan@: Hi Rob, I think this is a regression from one of your CLs: https://codereview.chromium.org/1946413002
This is actually a use-after-free caused by a table section not getting RecalcCells() called when it needs it. There is some DOM manipulation to create this condition, and then there is a dereference of a stale pointer in the row list (never mind that the initial report calls this a bad cast; apparently the memory was getting reallocated to a PaintLayer). This is a security bug. Are you able to resolve it?
-- May 31 2016
I can reproduce it with both https://codereview.chromium.org/1946413002 and its ancestor https://codereview.chromium.org/1809643008 reverted. I'm surprised to see layoutFromRootObject() use a table section as the layout root. I would have said only tables can deal with sections directly - and skipping layout on the table is the reason why needsCellsRecalc() is asserting, as that's where sections and cells are rebuilt if necessary. So we need someone familiar with subtree layout to cast their eye over this. leviw maybe?
-- May 31 2016
This bug does seem to be containment-related. Maybe we shouldn't be able to make table sections a relayout boundary? @leviw?
-- May 31 2016
Here's a reduction:
<table>
<tr id=tCF4>
<style>
* { contain: strict;}
</style>
<script>
var docElement = document.documentElement;
docElement.offsetTop;
document.implementation.createDocument( "", null).appendChild(tCF4);
</script>
-- May 31 2016
Ah, sorry. I thought I had reverted your change and had it fail to reproduce, but I must have done something wrong because I am seeing the same assertion. Thanks for your help with the analysis. This is a fairly recent regression (I had an older build on my Windows machine and it wasn't hitting the assert), but it might be getting triggered as a side-effect of an unrelated change to layout somewhere.
-- Jun 1 2016
Levi is no longer working on Blink.
-- Jun 1 2016
Also, this is not a regression as it relies on a new feature.
-- Jun 1 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0274d37d7fbebbdb95a912255e2015779b03394d
commit 0274d37d7fbebbdb95a912255e2015779b03394d
Author: dgrogan <dgrogan@chromium.org>
Date: Thu Jun 02 16:09:08 2016
[css] Bandaid fix for crash when tables and containment mix.
BUG= 613907
Review-Url: https://codereview.chromium.org/2037443002
Cr-Commit-Position: refs/heads/master@{#397433}
[add] https://crrev.com/0274d37d7fbebbdb95a912255e2015779b03394d/third_party/WebKit/LayoutTests/fast/table/containment-expected.txt
[add] https://crrev.com/0274d37d7fbebbdb95a912255e2015779b03394d/third_party/WebKit/LayoutTests/fast/table/containment.html
[modify] https://crrev.com/0274d37d7fbebbdb95a912255e2015779b03394d/third_party/WebKit/Source/core/layout/LayoutTableSection.cpp
-- Jun 2 2016
Adding Merge-Triage label for tracking purposes. Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone. When your merge is approved by the release manager, please start merging with the higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. - Your friendly ClusterFuzz
-- Jun 3 2016
Your change meets the bar and is auto-approved for M52 (branch: 2743)
-- Jun 3 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d87e8e5e90b234510614a57119c748e27b1939e8
commit d87e8e5e90b234510614a57119c748e27b1939e8
Author: David Grogan <dgrogan@chromium.org>
Date: Fri Jun 03 16:30:40 2016
[css] Bandaid fix for crash when tables and containment mix.
BUG= 613907
Review-Url: https://codereview.chromium.org/2037443002
Cr-Commit-Position: refs/heads/master@{#397433}
(cherry picked from commit 0274d37d7fbebbdb95a912255e2015779b03394d)
Review URL: https://codereview.chromium.org/2040463002 .
Cr-Commit-Position: refs/branch-heads/2743@{#204}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}
[add] https://crrev.com/d87e8e5e90b234510614a57119c748e27b1939e8/third_party/WebKit/LayoutTests/fast/table/containment-expected.txt
[add] https://crrev.com/d87e8e5e90b234510614a57119c748e27b1939e8/third_party/WebKit/LayoutTests/fast/table/containment.html
[modify] https://crrev.com/d87e8e5e90b234510614a57119c748e27b1939e8/third_party/WebKit/Source/core/layout/LayoutTableSection.cpp
-- Jun 3 2016
Now that this isn't a security issue further work will take place in https://crbug.com/616643 (Tables and CSS containment interact poorly), just FYI
-- Jun 9 2016
ClusterFuzz has detected this issue as fixed in range 397421:397444.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5583731490553856
Fuzzer: inferno_twister
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 7
Crash Address: 0x61100002a878
Crash State:
  blink::LayoutTableSection::layout
  blink::FrameView::performLayout
  blink::FrameView::layout
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=394251:394739
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=397421:397444
Minimized Testcase (0.33 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94wD-KYqn7nvrD8KojTwQef1S9rET0ufjg1jdRKC97yZ70cXWsj2sGNHF7rwxK9T8iDK6C-F2aEUJs8ZKaftozdCqIpE8nreJY6QXYGQ1w1LeYNkP4Ngxo5anOLsCZooxaT9zBNoFpZidzTYG_dw3D_J0APoQ
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
-- Jun 29 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
-- Oct 1 2016
Comment 1 by infe...@chromium.org, May 23 2016
Labels: Pri-1
Owner: dsinclair@chromium.org
Status: Assigned (was: Available)