
Issue 618637


Issue metadata

Status: Fixed
Owner:
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Crash in blink::RootInlineBox::closestLeafChildForLogicalLeftPosition

Reported by ClusterFuzz (Project Member), Jun 9 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5917336280498176

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000021
Crash State:
  blink::RootInlineBox::closestLeafChildForLogicalLeftPosition
  blink::RootInlineBox::closestLeafChildForPoint
  blink::previousLinePosition
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=387407:387538

Minimized Testcase (2.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv950fBuL2xZMIy2EsFPDf5TzHpilRbOntwrnGb5dfx3o3nf_P2xa7znmxd3SjLzPf4BWBczrPyTmbZf0JRFIsVJmcJhrNbw--jW0OBNyxdKukAoz2DI3mxaPfqEY59KBH60FywfVP9o8-0RfxdNsHZhh8ZDOoQ

Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ashej...@chromium.org
Components: Blink>Layout Tools>Test>FindIt>CorrectResult
Labels: findit-for-crash Te-Logged
Owner: danakj@chromium.org
Status: Assigned (was: Available)
Suspected CLs: No CL in the regression range changes the crashed files. The result is the blame information.

Author: rniwa@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/79672f284256ae8cdade7ca7b2a87b319ff36f1b
Time: Thu Mar 29 09:48:42 2012
The CL last changed line 351 of file InlineBox.h, which is stack frame 0.

Author: rniwa@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/79672f284256ae8cdade7ca7b2a87b319ff36f1b
Time: Thu Mar 29 09:48:42 2012
The CL last changed line 129 of file InlineBox.h, which is stack frame 1.

Author: szager@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/b07d89f749873a04cde67e67efd9b4941ab66b20
Time: Sun May 31 16:33:32 2015
The CL last changed line 204 of file InlineBox.h, which is stack frame 2.

Author: szager@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/b07d89f749873a04cde67e67efd9b4941ab66b20
Time: Sun May 31 16:33:32 2015
The CL last changed line 205 of file InlineBox.h, which is stack frame 3.

Author: danakj
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/0b5c86b7b67ab235998e7dcddc00df65d833f87d
Time: Sat Feb 27 02:08:05 2016
The CL last changed line 440 of file RootInlineBox.cpp, which is stack frame 4.

Author: sl.ostapenko@samsung.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/fb3ec7184cc1d84f415db6c922913f26e143c385
Time: Sat Mar 01 04:07:13 2014
The CL last changed line 415 of file RootInlineBox.cpp, which is stack frame 5.

Author: danakj
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/0b5c86b7b67ab235998e7dcddc00df65d833f87d
Time: Sat Feb 27 02:08:05 2016
The CL last changed line 1329 of file VisibleUnits.cpp, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>Layout
--------------------------------------------------------

@danakj: Hey, would you mind checking the above issue and seeing if it's related to your suspected change, which is frame 4?

Feel free to route the above issue to the concerned dev if that is not the case.

I really appreciate your help.

Thank you!

Owner: szager@chromium.org
Hi, my CLs just rename some enums. You'll have to look deeper.

/tosses to szager?
Comment 3 by ClusterFuzz (Project Member), Jun 24 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5078573870481408

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60e000028700
Crash State:
  blink::RootInlineBox::closestLeafChildForPoint
  blink::previousLinePosition
  blink::SelectionModifier::modifyMovingBackward
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=325152:325175

Minimized Testcase (1.35 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Fc7EV_kgWNq7Xiw-cIuEm6uXMptr9LknxixkRhBqMbq24Zc2g_4pUwVVXaJVDuU4CL4cMk9pDmmsbHbyL-6o9pGHqpNrJgW-jrvOuWgagteMbSEAZdA3QfE4uD8ZTzdSjqMY6XtXCq6gWrfMwrZEmooNHHw?testcase_id=5078573870481408

Filer: tanin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 4 by ClusterFuzz (Project Member), Jun 24 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5634844411559936

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x07f1a5c0
Crash State:
  blink::RootInlineBox::block
  blink::RootInlineBox::closestLeafChildForPoint
  blink::previousLinePosition
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=401554:401557

Minimized Testcase (1.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94pRg1M9RJUPZW692QaF8mwSmWr3DSF9e6mzM7NRz5gP9EY4Q3ILErvRU7-MV4mc9fW_wp_wMSADj5FsApm7db63Bu3cbrBZS5p7kvCgF--HQvKRVn5C_JH9VdcPNDBmGKRtJExfobg3axAlOwTbVVStDEUpA?testcase_id=5634844411559936

Filer: tanin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 5 by ClusterFuzz (Project Member), Jun 25 2016

ClusterFuzz has detected this issue as fixed in range 401557:401582.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5078573870481408

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60e000028700
Crash State:
  blink::RootInlineBox::closestLeafChildForPoint
  blink::previousLinePosition
  blink::SelectionModifier::modifyMovingBackward
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=325152:325175
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=401557:401582

Minimized Testcase (1.35 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Fc7EV_kgWNq7Xiw-cIuEm6uXMptr9LknxixkRhBqMbq24Zc2g_4pUwVVXaJVDuU4CL4cMk9pDmmsbHbyL-6o9pGHqpNrJgW-jrvOuWgagteMbSEAZdA3QfE4uD8ZTzdSjqMY6XtXCq6gWrfMwrZEmooNHHw?testcase_id=5078573870481408

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 6 by e...@chromium.org, Aug 22 2016

Labels: -ClusterFuzz -findit-for-crash Clusterfuzz Findit-for-crash
Status: Fixed (was: Assigned)
Marking as fixed as per clusterfuzz.
Comment 7 by ClusterFuzz (Project Member), Sep 8 2016

ClusterFuzz has detected this issue as fixed in range 416842:416885.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5917336280498176

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000021
Crash State:
  blink::RootInlineBox::closestLeafChildForLogicalLeftPosition
  blink::RootInlineBox::closestLeafChildForPoint
  blink::previousLinePosition
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=387407:387538
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=416842:416885

Minimized Testcase (2.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv950fBuL2xZMIy2EsFPDf5TzHpilRbOntwrnGb5dfx3o3nf_P2xa7znmxd3SjLzPf4BWBczrPyTmbZf0JRFIsVJmcJhrNbw--jW0OBNyxdKukAoz2DI3mxaPfqEY59KBH60FywfVP9o8-0RfxdNsHZhh8ZDOoQ?testcase_id=5917336280498176

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Assigned (was: Fixed)
Comment 9 by ClusterFuzz (Project Member), Oct 7 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4540267824939008

Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000000d
Crash State:
  blink::RootInlineBox::closestLeafChildForLogicalLeftPosition
  blink::RootInlineBox::closestLeafChildForPoint
  blink::nextLinePosition
  

Minimized Testcase (11.37 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95q6ZOw1AalnYGx-NIkDjMCk3S6RJXpKuBZsWfRGrVJj-PRKQegJUuZuFzhAaeLHIF9-gyNrIqwhMRVbc2OZHnCamEor6OIr-tzMyyHa1Ff8V5Iyv-xQYxxLDKlfVI_cZLIua0ZYs6YqRDweG0EaMLQJe9sJQ?testcase_id=4540267824939008

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 10 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 11 by e...@chromium.org, Feb 2 2017

Status: Fixed (was: Assigned)
Comment 12 by ClusterFuzz (Project Member), Mar 1 2017

ClusterFuzz has detected this issue as fixed in range 451236:451282.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4540267824939008

Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000000d
Crash State:
  blink::RootInlineBox::closestLeafChildForLogicalLeftPosition
  blink::RootInlineBox::closestLeafChildForPoint
  blink::nextLinePosition
  
Sanitizer: address (ASAN)

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=451236:451282

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95q6ZOw1AalnYGx-NIkDjMCk3S6RJXpKuBZsWfRGrVJj-PRKQegJUuZuFzhAaeLHIF9-gyNrIqwhMRVbc2OZHnCamEor6OIr-tzMyyHa1Ff8V5Iyv-xQYxxLDKlfVI_cZLIua0ZYs6YqRDweG0EaMLQJe9sJQ?testcase_id=4540267824939008


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 13 by ClusterFuzz (Project Member), Mar 1 2017

ClusterFuzz has detected this issue as fixed in range 451236:451282.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4540267824939008

Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000000d
Crash State:
  blink::RootInlineBox::closestLeafChildForLogicalLeftPosition
  blink::RootInlineBox::closestLeafChildForPoint
  blink::nextLinePosition
  
Sanitizer: address (ASAN)

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=451236:451282

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95q6ZOw1AalnYGx-NIkDjMCk3S6RJXpKuBZsWfRGrVJj-PRKQegJUuZuFzhAaeLHIF9-gyNrIqwhMRVbc2OZHnCamEor6OIr-tzMyyHa1Ff8V5Iyv-xQYxxLDKlfVI_cZLIua0ZYs6YqRDweG0EaMLQJe9sJQ?testcase_id=4540267824939008


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 14 by ClusterFuzz (Project Member), Mar 1 2017

ClusterFuzz has detected this issue as fixed in range 451236:451282.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4540267824939008

Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000000d
Crash State:
  blink::RootInlineBox::closestLeafChildForLogicalLeftPosition
  blink::RootInlineBox::closestLeafChildForPoint
  blink::nextLinePosition
  
Sanitizer: address (ASAN)

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=451236:451282

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95q6ZOw1AalnYGx-NIkDjMCk3S6RJXpKuBZsWfRGrVJj-PRKQegJUuZuFzhAaeLHIF9-gyNrIqwhMRVbc2OZHnCamEor6OIr-tzMyyHa1Ff8V5Iyv-xQYxxLDKlfVI_cZLIua0ZYs6YqRDweG0EaMLQJe9sJQ?testcase_id=4540267824939008


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.