New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 619000 link

Starred by 1 user
Status: Verified
Owner:
ikilpatrick@chromium.org
Closed: Jun 2016
Cc:
yukishiino@chromium.org
haraken@chromium.org
ashej...@chromium.org
lfg@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Crash in blink::ScriptState::from

Project Member Reported by ClusterFuzz, Jun 10 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5866622237802496

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::ScriptState::from
  blink::messageHandlerInMainThread
  v8::internal::MessageHandler::ReportMessage
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703

Minimized Testcase (0.56 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96su6R9or--YSxsGea9XdVJ0rXM_80aMai8AVVSkjO8eR4m7IiQ6z1edXLXs9G_s64PSOn4MjsAq44OIdEqoCzAo_gcRPHNqoimbuHfPn-zQmyxcEEnSjLe0DnUxH2CejXFwX5EeJSl9R4OutYXa3n49o0I4A
<script>
    function runTest() {
        if (sessionStorage.pageReloaded)
            return;
        img = document.createElement('img');
        img.src = `data:image/svg+xml,
            <svg xmlns="http://www.w3.org/2000/svg">
                <foreignObject>
                    <body xmlns="http://www.w3.org/1999/xhtml">
                        <marquee></marquee>
                    </body>
                </foreignObject>
            </svg>`;
        document.body.appendChild(img);
        window.location.reload();
    }
</script>
<body onload='runTest()'>


Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ashej...@chromium.org, Jun 10 2016

Cc: tkent@chromium.org ashej...@chromium.org
Components: Tools>Test>FindIt>CorrectResult
Labels: findit-for-crash Te-Logged
Owner: ikilpatrick@chromium.org
Status: Assigned (was: Available)
Suspected CLs	No CL in the regression range changes the crashed files. The result is the blame information.

Author: marja@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4c595eabf7a7990278f1701104527a265b436662
Time: Wed May 22 15:05:03 2013
The CL last changed line 66 of file ScopedPersistent.h, which is stack frame 2.

Author: deepak.s@samsung.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/e5a2cc0c08f4f6b8886b967fca35c28666242a63
Time: Wed Apr 29 11:38:17 2015
The CL last changed line 94 of file ScriptState.h, which is stack frame 3.

Author: tkent
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/be2579d48fbb2b4c98f693ab1c62cf1a9d60a06d
Time: Thu Mar 31 06:53:42 2016
The CL last changed line 77 of file ScriptState.h, which is stack frame 4.

Author: haraken@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/a97386546856d9129a8b2712296faf4bee343552
Time: Mon Mar 31 07:02:45 2014
The CL last changed line 56 of file ScriptState.h, which is stack frame 5.

Author: ikilpatrick
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8e9a7753c76d9878338c6b916bdba9fa80796574
Time: Thu Apr 14 19:09:35 2016
The CL last changed line 118 of file V8Initializer.cpp, which is stack frame 6.

Suspected Project: chromium-v8

------------------------------

ikilpatrick@: Hey, would you mind checking the above issue as per suspected CL in frame 5 ?

Feel free to assign it to appropriate owner if that is not the case.

I really appreciate the help.

Thank you!

Comment 2 by tkent@chromium.org, Jun 10 2016

Cc: -tkent@chromium.org haraken@chromium.org yukishiino@chromium.org
Components: Blink>Bindings
Project Member

Comment 3 by ClusterFuzz, Jun 11 2016 

ClusterFuzz has detected this issue as fixed in range 398017:398351.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5866622237802496

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::ScriptState::from
  blink::messageHandlerInMainThread
  v8::internal::MessageHandler::ReportMessage
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=398017:398351

Minimized Testcase (0.56 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96su6R9or--YSxsGea9XdVJ0rXM_80aMai8AVVSkjO8eR4m7IiQ6z1edXLXs9G_s64PSOn4MjsAq44OIdEqoCzAo_gcRPHNqoimbuHfPn-zQmyxcEEnSjLe0DnUxH2CejXFwX5EeJSl9R4OutYXa3n49o0I4A
<script>
    function runTest() {
        if (sessionStorage.pageReloaded)
            return;
        img = document.createElement('img');
        img.src = `data:image/svg+xml,
            <svg xmlns="http://www.w3.org/2000/svg">
                <foreignObject>
                    <body xmlns="http://www.w3.org/1999/xhtml">
                        <marquee></marquee>
                    </body>
                </foreignObject>
            </svg>`;
        document.body.appendChild(img);
        window.location.reload();
    }
</script>
<body onload='runTest()'>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 4 by ClusterFuzz, Jun 15 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4662633383067648

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::ScriptState::from
  blink::messageHandlerInMainThread
  v8::internal::MessageHandler::ReportMessage
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172836:173286

Minimized Testcase (0.55 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94hb5aWrV_s56S_wQL5qAISVYfTW1p_GLhTIkL0anQVo6LcfCHj5dm8A5CXmzKdOJIF0efvLBGGfubwmPbOzRct3x_mmdOrF37XPL4h1v1nRBoYWmh9e5Rvj0x3-SqSI0IJzBoQ8dbdx2WkoD4NqXiD9opE2g
<script>
    function runTest() {
        if (sessionStorage.pageReloaded)
            return;
        img = document.createElement('img');
        img.src = `data:image/svg+xml,
            <svg xmlns="http://www.w3.org/2000/svg">
                <foreignObject>
                    <body xmlns="http://www.w3.org/1999/xhtml">
                        <marquee></marquee>
                    </body>
                </foreignObject>
            </svg>`;
        document.body.appendChild(img);
        window.location.reload();
    }
</script>
<body onload=runTest()>


Filer: durga.behera

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 5 by durga.behera@chromium.org, Jun 15 2016

Labels: M-52
Clusterfuzz has detected this failure and its impacting to the latest Beta (52.0.2743.33).
ikilpatrick@: As per the above comment #3 it seems to be fixed if so can it be merged to M52.Could you please take a look into this and update further.
Project Member

Comment 6 by ClusterFuzz, Jun 15 2016 

ClusterFuzz has detected this issue as fixed in range 398017:398351.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4662633383067648

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::ScriptState::from
  blink::messageHandlerInMainThread
  v8::internal::MessageHandler::ReportMessage
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172836:173286
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=398017:398351

Minimized Testcase (0.55 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94hb5aWrV_s56S_wQL5qAISVYfTW1p_GLhTIkL0anQVo6LcfCHj5dm8A5CXmzKdOJIF0efvLBGGfubwmPbOzRct3x_mmdOrF37XPL4h1v1nRBoYWmh9e5Rvj0x3-SqSI0IJzBoQ8dbdx2WkoD4NqXiD9opE2g
<script>
    function runTest() {
        if (sessionStorage.pageReloaded)
            return;
        img = document.createElement('img');
        img.src = `data:image/svg+xml,
            <svg xmlns="http://www.w3.org/2000/svg">
                <foreignObject>
                    <body xmlns="http://www.w3.org/1999/xhtml">
                        <marquee></marquee>
                    </body>
                </foreignObject>
            </svg>`;
        document.body.appendChild(img);
        window.location.reload();
    }
</script>
<body onload=runTest()>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Jun 15 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 8 by ikilpatrick@chromium.org, Jun 22 2016 

Issue 620865 has been merged into this issue.
Project Member

Comment 9 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment