Use-of-uninitialized-value in blink::FloatingObject::unsafeClone
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5959874131525632

Fuzzer: bj_broddelwerk
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  blink::FloatingObject::unsafeClone
  blink::LayoutBlockFlow::moveAllChildrenIncludingFloatsTo
  blink::LayoutBlockFlow::mergeSiblingContiguousAnonymousBlock

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=396253:396347

Minimized Testcase (2.76 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96lgqcmN9SHmSzLPC6NMJdSWGXisX7wXac7uA8_1d1F8eCJcYovcTrE2WP0txDtQ4a8rPbu1DzWNOTNHg9U0p2GK17hjqVQKdrOyOokt99qbDZwtmErm3sHs0HZ30zn9__neDVVGZXqMPOafNIjijvrsTUaGg

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 12 2016

Jun 12 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 12 2016

Jun 14 2016
chrishtr@, can you please take a look? It looks like this might be related to https://codereview.chromium.org/2009353003. Thanks!
Jun 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5198467647668224

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x2524eccb
Crash State:
  blink::FloatingObject::FloatingObject
  blink::FloatingObject::unsafeClone
  blink::LayoutBlockFlow::moveAllChildrenIncludingFloatsTo

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=399164:399271

Minimized Testcase (0.80 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97swQbwhh6n9MM2xBFt_EUD-97kbocwh1kekPkXru0SZrXQPzeHYyBvpo2ALilO_7n1T_eyz6ocAaw21ijcYUu0ALaWPr6mbL3X3Ys098mO5Do1c14tf9pBYcceJm1LHy1kG44Qka4RL_iTutR0SgfzV61SnA

<style>
*{-webkit-transition-timing-function:step-end;display:block;}
.CLASS9{width:initial;display:list-item;}
*:enabled{width:+93.5%;float:right;</style>
<script>
function event_handler_27C_DOMContentLoaded() {
  var oSelection=window.getSelection();
  document.execCommand("SelectAll")
  var oRange = oSelection.rangeCount ? oSelection.getRangeAt(39 % oSelection.rangeCount) : null;
  var oInsertedElement = (function(){
    var aoElements = document.getElementsByTagName("*");
    if (aoElements.length) return aoElements[7 % aoElements.length];
  })();
  oRange.insertNode(oInsertedElement)
  var oParentElement = ({ })();
}
document.addEventListener("DOMContentLoaded", event_handler_27C_DOMContentLoaded);
</script>
<table>
<caption class="CLASS8 CLASS9"nl">
<ruby>
<rt>
<rtc>
<input>
</rtc>

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 20 2016

Jun 20 2016

Jun 21 2016
==5116==ERROR: AddressSanitizer: heap-use-after-free on address 0x13b009e0 at pc 0x03569268 bp 0xdeadbeef sp 0x003ac198
READ of size 4 at 0x13b009e0 thread T0
==5116==*** WARNING: Failed to initialize DbgHelp! ***
==5116==*** Most likely this means that the app is already ***
==5116==*** using DbgHelp, possibly with incompatible flags. ***
==5116==*** Due to technical reasons, symbolization might crash ***
==5116==*** or produce wrong results. ***
#0 0x3569267 in blink::FloatingObject::unsafeClone+0x2b7 (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x1519267)
#1 0x365aa7f in blink::LayoutBlockFlow::moveAllChildrenIncludingFloatsTo+0x1bf (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x160aa7f)
#2 0x3659334 in blink::LayoutBlockFlow::mergeSiblingContiguousAnonymousBlock D:\src\chrome\src\third_party\WebKit\Source\core\layout\LayoutBlockFlow.cpp:2591
#3 0x365859b in blink::LayoutBlockFlow::removeChild D:\src\chrome\src\third_party\WebKit\Source\core\layout\LayoutBlockFlow.cpp:2436
#4 0x38d163f in blink::LayoutObject::willBeDestroyed+0x2ef (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x188163f)
#5 0x37351b4 in blink::LayoutBoxModelObject::willBeDestroyed D:\src\chrome\src\third_party\WebKit\Source\core\layout\LayoutBoxModelObject.cpp:141
#6 0x38d6f3f in blink::LayoutObject::destroy+0x2f (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x1886f3f)
#7 0x5461a89 in blink::Node::detach+0xe9 (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x3411a89)
#8 0x522b1ef in blink::ContainerNode::detach+0x1df (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x31db1ef)
#9 0x537bc43 in blink::Element::detach+0x653 (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x332bc43)
#10 0x522b177 in blink::ContainerNode::detach+0x167 (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x31db177)
#11 0x537bc43 in blink::Element::detach D:\src\chrome\src\third_party\WebKit\Source\core\dom\Element.cpp:1598
#12 0x522525a in blink::ContainerNode::removeChild D:\src\chrome\src\third_party\WebKit\Source\core\dom\ContainerNode.cpp:456
#13 0x521ff7c in blink::collectChildrenAndRemoveFromOldParent D:\src\chrome\src\third_party\WebKit\Source\core\dom\ContainerNode.cpp:74
#14 0x521dfe5 in blink::ContainerNode::insertBefore D:\src\chrome\src\third_party\WebKit\Source\core\dom\ContainerNode.cpp:181
#15 0x54e543c in blink::Range::insertNode D:\src\chrome\src\third_party\WebKit\Source\core\dom\Range.cpp:803
#16 0x283ba9b in blink::RangeV8Internal::insertNodeMethodCallback+0x3cb (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x7eba9b)
#17 0x54788e0f in v8::internal::FunctionCallbackArguments::Call D:\src\chrome\src\v8\src\api-arguments.cc:19
#18 0x53db1750 in v8::internal::`anonymous namespace'::HandleApiCallHelper D:\src\chrome\src\v8\src\builtins.cc:5175
#19 0x53e6f273 in v8::internal::Builtin_Impl_HandleApiCall D:\src\chrome\src\v8\src\builtins.cc:5192
#20 0x53dbd971 in v8::internal::Builtin_HandleApiCall D:\src\chrome\src\v8\src\builtins.cc:5190
0x13b009e0 is located 64 bytes inside of 168-byte region [0x13b009a0,0x13b00a48)
freed by thread T0 here:
#0 0x660826c4 in __asan_wrap_HeapSize+0x314 (D:\src\chrome\src\out_asan\Release\clang_rt.asan_dynamic-i386.dll+0x226c4)
#1 0x39ed4f6 in blink::LayoutTextControlSingleLine::~LayoutTextControlSingleLine D:\src\chrome\src\third_party\WebKit\Source\core\layout\LayoutTextControlSingleLine.cpp:53
#2 0x38d6f64 in blink::LayoutObject::destroy+0x54 (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x1886f64)
#3 0x5461a89 in blink::Node::detach D:\src\chrome\src\third_party\WebKit\Source\core\dom\Node.cpp:926
#4 0x522b1ef in blink::ContainerNode::detach+0x1df (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x31db1ef)
#5 0x537bc43 in blink::Element::detach D:\src\chrome\src\third_party\WebKit\Source\core\dom\Element.cpp:1598
#6 0x5c169bd in blink::HTMLInputElement::detach+0xd (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x3bc69bd)
#7 0x522b177 in blink::ContainerNode::detach+0x167 (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x31db177)
#8 0x537bc43 in blink::Element::detach D:\src\chrome\src\third_party\WebKit\Source\core\dom\Element.cpp:1598
#9 0x522b177 in blink::ContainerNode::detach+0x167 (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x31db177)
#10 0x537bc43 in blink::Element::detach D:\src\chrome\src\third_party\WebKit\Source\core\dom\Element.cpp:1598
#11 0x522525a in blink::ContainerNode::removeChild D:\src\chrome\src\third_party\WebKit\Source\core\dom\ContainerNode.cpp:456
#12 0x521ff7c in blink::collectChildrenAndRemoveFromOldParent D:\src\chrome\src\third_party\WebKit\Source\core\dom\ContainerNode.cpp:74
#13 0x521dfe5 in blink::ContainerNode::insertBefore D:\src\chrome\src\third_party\WebKit\Source\core\dom\ContainerNode.cpp:181
#14 0x54e543c in blink::Range::insertNode D:\src\chrome\src\third_party\WebKit\Source\core\dom\Range.cpp:803
#15 0x283ba9b in blink::RangeV8Internal::insertNodeMethodCallback+0x3cb (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x7eba9b)
#16 0x54788e0f in v8::internal::FunctionCallbackArguments::Call D:\src\chrome\src\v8\src\api-arguments.cc:19
#17 0x53db1750 in v8::internal::`anonymous namespace'::HandleApiCallHelper D:\src\chrome\src\v8\src\builtins.cc:5175
#18 0x53e6f273 in v8::internal::Builtin_Impl_HandleApiCall D:\src\chrome\src\v8\src\builtins.cc:5192
#19 0x53dbd971 in v8::internal::Builtin_HandleApiCall D:\src\chrome\src\v8\src\builtins.cc:5190
previously allocated by thread T0 here:
#0 0x66082798 in __asan_wrap_HeapSize+0x3e8 (D:\src\chrome\src\out_asan\Release\clang_rt.asan_dynamic-i386.dll+0x22798)
#1 0x38a410b in blink::LayoutObject::operator new D:\src\chrome\src\third_party\WebKit\Source\core\layout\LayoutObject.cpp:149
#2 0x5e9ebf0 in blink::TextFieldInputType::createLayoutObject+0x10 (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x3e4ebf0)
#3 0x5415af9 in blink::LayoutTreeBuilderForElement::createLayoutObject D:\src\chrome\src\third_party\WebKit\Source\core\dom\LayoutTreeBuilder.cpp:119
#4 0x5379c8c in blink::Element::attach D:\src\chrome\src\third_party\WebKit\Source\core\dom\Element.cpp:1535
#5 0x5b98a49 in blink::HTMLFormControlElement::attach+0x69 (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x3b48a49)
#6 0x5c1673e in blink::HTMLInputElement::attach D:\src\chrome\src\third_party\WebKit\Source\core\html\HTMLInputElement.cpp:803
#7 0x522ad7d in blink::ContainerNode::attach+0x16d (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x31dad7d)
#8 0x537a0ff in blink::Element::attach D:\src\chrome\src\third_party\WebKit\Source\core\dom\Element.cpp:1555
#9 0x522ad7d in blink::ContainerNode::attach+0x16d (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x31dad7d)
#10 0x537a0ff in blink::Element::attach D:\src\chrome\src\third_party\WebKit\Source\core\dom\Element.cpp:1555
#11 0x522ad7d in blink::ContainerNode::attach+0x16d (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x31dad7d)
#12 0x537a0ff in blink::Element::attach D:\src\chrome\src\third_party\WebKit\Source\core\dom\Element.cpp:1555
#13 0x522ad7d in blink::ContainerNode::attach+0x16d (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x31dad7d)
#14 0x537a0ff in blink::Element::attach D:\src\chrome\src\third_party\WebKit\Source\core\dom\Element.cpp:1555
#15 0x522ad7d in blink::ContainerNode::attach+0x16d (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x31dad7d)
#16 0x537a0ff in blink::Element::attach D:\src\chrome\src\third_party\WebKit\Source\core\dom\Element.cpp:1555
#17 0x522ad7d in blink::ContainerNode::attach+0x16d (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x31dad7d)
#18 0x537a0ff in blink::Element::attach D:\src\chrome\src\third_party\WebKit\Source\core\dom\Element.cpp:1555
#19 0x5461606 in blink::Node::reattach D:\src\chrome\src\third_party\WebKit\Source\core\dom\Node.cpp:904
#20 0x537fbff in blink::Element::recalcOwnStyle D:\src\chrome\src\third_party\WebKit\Source\core\dom\Element.cpp:1770
#21 0x537eaa1 in blink::Element::recalcStyle D:\src\chrome\src\third_party\WebKit\Source\core\dom\Element.cpp:1710
#22 0x52b2546 in blink::Document::updateStyle+0x746 (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x3262546)
#23 0x52a29f3 in blink::Document::updateStyleAndLayoutTree D:\src\chrome\src\third_party\WebKit\Source\core\dom\Document.cpp:1722
#24 0x444498c in blink::Editor::tidyUpHTMLStructure+0xbc (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x23f498c)
#25 0x52e6fc4 in blink::Document::execCommand+0x264 (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0x3296fc4)
#26 0x2e910fe in blink::DocumentV8Internal::execCommandMethodCallback+0xb1e (D:\src\chrome\src\out_asan\Release\webcore_shared.dll+0xe410fe)
#27 0x54788e0f in v8::internal::FunctionCallbackArguments::Call D:\src\chrome\src\v8\src\api-arguments.cc:19
#28 0x53db1750 in v8::internal::`anonymous namespace'::HandleApiCallHelper D:\src\chrome\src\v8\src\builtins.cc:5175
#29 0x53e6f273 in v8::internal::Builtin_Impl_HandleApiCall D:\src\chrome\src\v8\src\builtins.cc:5192
SUMMARY: AddressSanitizer: heap-use-after-free D:\src\chrome\src\third_party\WebKit\Source\core\layout\FloatingObjects.cpp:117 in blink::FloatingObject::unsafeClone
Shadow bytes around the buggy address:
0x327600e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
0x327600f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x32760100: 00 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa
0x32760110: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
0x32760120: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
=>0x32760130: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fd fd fd
0x32760140: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x32760150: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x32760160: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x32760170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x32760180: 00 00 00 00 04 fa fa fa fa fa fa fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5116==ABORTING
Jun 22 2016
It doesn't say which variable was uninitialized?
Jun 22 2016
I believe it's floatingObject here: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp?q=moveAllChildrenIncludingFloatsTo&sq=package:chromium&dr=CSs&l=2524 I spent a bit of time looking at reducing test case and considering involved code, but tabled waiting to hear your thoughts.
Jun 22 2016
My guess from comments and code was that somehow an object is in two floating object lists at once, and it was deleted from one whose containing object was fully deleted, but not the other. And that our change re: self-painting has somehow led to this eventuality.
Jun 22 2016
Or it could be something within unsafeClone. Since it started happening after my commit, it's got to be one of the new fields that I am checking in the constructor. Maybe comment them out one by one and then recursively for functions called on PaintLayer?
Jun 22 2016
Robert knows a ton about floating objects, so +ccing him here.
Jun 22 2016

Jun 23 2016
M53 is branching soon and will be promoted to Beta in July. Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix ASAP. Thank you.
Jun 23 2016
Working on it now.
Jun 23 2016
This issue appears to pre-date my CL. If a floating child is deleted in a scenario like this, it is deleted but not yet removed from the list of floating children for its floating container. Then when deleting other siblings, we attempt to move the floats from one container to another, which is invalid because the pointer is stale.
Jun 24 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/23aafd7fac7245071163eea43cc4dfeb6f302b9f

commit 23aafd7fac7245071163eea43cc4dfeb6f302b9f
Author: chrishtr <chrishtr@chromium.org>
Date: Fri Jun 24 17:46:49 2016

Avoid dereferencing layoutObject during FloatingObject::unsafeClone

There are bugs in the code that detaches subtrees in which a floating object sometimes is not detached from its owning m_floatingObjects set yet is still deleted.

BUG=619380

Review-Url: https://codereview.chromium.org/2099523002
Cr-Commit-Position: refs/heads/master@{#401899}

[add] https://crrev.com/23aafd7fac7245071163eea43cc4dfeb6f302b9f/third_party/WebKit/LayoutTests/fast/block/float/float-reparent-during-detach-crash-expected.txt
[add] https://crrev.com/23aafd7fac7245071163eea43cc4dfeb6f302b9f/third_party/WebKit/LayoutTests/fast/block/float/float-reparent-during-detach-crash.html
[modify] https://crrev.com/23aafd7fac7245071163eea43cc4dfeb6f302b9f/third_party/WebKit/Source/core/layout/FloatingObjects.cpp
[modify] https://crrev.com/23aafd7fac7245071163eea43cc4dfeb6f302b9f/third_party/WebKit/Source/core/layout/FloatingObjects.h
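As an added illustration of the failure mode described in the comments above (a floating child is deleted while its container's m_floatingObjects set still points at it, and the stale entry is then cloned when sibling blocks are merged) and of the approach taken by the fix commit (copy the entry's own fields rather than calling back into the layout object), here is a small self-contained C++ model. It is not Blink's code and not the patch: LayoutBox, FloatingObject, FloatingObjects, the g_liveBoxes registry and every function name below are assumptions made for the example, and the registry stands in for allocator state so the stale access is reported instead of executed as real undefined behaviour.

```cpp
#include <cstddef>
#include <memory>
#include <set>
#include <stdexcept>
#include <vector>

// Registry of LayoutBox addresses currently alive. It models the allocator
// state ASan reports as "freed heap region" so the example can detect a stale
// pointer rather than dereferencing one. (Assumed helper, not Blink's.)
static std::set<const void*> g_liveBoxes;

// Stand-in for a floating blink::LayoutBox (assumed name, not Blink's class).
struct LayoutBox {
    bool selfPainting;
    explicit LayoutBox(bool sp) : selfPainting(sp) { g_liveBoxes.insert(this); }
    ~LayoutBox() { g_liveBoxes.erase(this); }
};

// One entry of a container's float list: the raw pointer plus properties that
// were cached from the box when the entry was created.
struct FloatingObject {
    const LayoutBox* box;
    bool shouldPaint;    // derived from box->selfPainting at creation time
    bool isDescendant;
};

// A container's float list (stands in for the m_floatingObjects set).
struct FloatingObjects {
    std::vector<std::unique_ptr<FloatingObject>> entries;

    void add(const LayoutBox* box, bool isDescendant) {
        entries.emplace_back(new FloatingObject{box, !box->selfPainting, isDescendant});
    }
    // The invariant the issue describes being broken: a box must be removed
    // from its owner's list before it is destroyed.
    void remove(const LayoutBox* box) {
        for (auto it = entries.begin(); it != entries.end(); ++it) {
            if ((*it)->box == box) { entries.erase(it); return; }
        }
    }
};

// "Before": the clone re-derives its fields by calling back into the layout
// object, so a stale entry means a read from freed memory. The registry check
// reports that as an exception instead of performing the read.
static FloatingObject cloneByDereferencing(const FloatingObject& src) {
    if (!g_liveBoxes.count(src.box))
        throw std::runtime_error("use-after-free: entry refers to a destroyed LayoutBox");
    return FloatingObject{src.box, !src.box->selfPainting, src.isDescendant};
}

// "After": copy the entry's cached fields. The pointer value is copied but
// never followed, which is the idea behind the fix for unsafeClone.
static FloatingObject cloneFromCachedFields(const FloatingObject& src) {
    return FloatingObject{src.box, src.shouldPaint, src.isDescendant};
}

// Debug-time check: how many entries point at boxes that no longer exist.
static std::size_t countStaleEntries(const FloatingObjects& floats) {
    std::size_t stale = 0;
    for (const auto& e : floats.entries)
        if (!g_liveBoxes.count(e->box)) ++stale;
    return stale;
}

// The scenario from the issue: a floating child is deleted; with the bug it is
// not taken out of the container's list first, so the list keeps a dangling entry.
static void setUpScenario(FloatingObjects& container, bool removeFromListBeforeDelete) {
    LayoutBox* child = new LayoutBox(/*selfPainting=*/false);
    container.add(child, /*isDescendant=*/true);
    if (removeFromListBeforeDelete)
        container.remove(child);
    delete child;   // destroyed; without remove() the list still refers to it
}

// Merge step (floats moved to a sibling container by cloning each entry).
// Returns true if the dereferencing clone would have touched freed memory.
static bool mergeAfterChildDeleted(bool removeFromListBeforeDelete) {
    FloatingObjects container;
    LayoutBox liveFloat(/*selfPainting=*/true);   // a sibling float that stays alive
    container.add(&liveFloat, /*isDescendant=*/true);
    setUpScenario(container, removeFromListBeforeDelete);

    bool faulted = false;
    FloatingObjects merged;
    for (const auto& e : container.entries) {
        try {
            cloneByDereferencing(*e);
        } catch (const std::runtime_error&) {
            faulted = true;
        }
        // The hardened clone completes either way; the stale pointer is copied
        // along unused, which is the "unsafe" the function's name warns about.
        merged.entries.emplace_back(new FloatingObject(cloneFromCachedFields(*e)));
    }
    return faulted;
}

static std::size_t staleEntriesAfterChildDeleted(bool removeFromListBeforeDelete) {
    FloatingObjects container;
    setUpScenario(container, removeFromListBeforeDelete);
    return countStaleEntries(container);
}
```

The model shows both halves of the discussion: countStaleEntries is the kind of debug-only assertion that would have caught the broken invariant (entry outliving its box) at the point of deletion, and cloneFromCachedFields is the mitigation that stops the merge path from faulting even when the invariant is broken, which is why the commit message still calls the detach-side bug out as unresolved.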
Jun 24 2016

Jun 24 2016

Jun 25 2016

Jun 25 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5198467647668224

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x2524eccb
Crash State:
  blink::FloatingObject::FloatingObject
  blink::FloatingObject::unsafeClone
  blink::LayoutBlockFlow::moveAllChildrenIncludingFloatsTo

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=399164:399271

Minimized Testcase (0.80 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97swQbwhh6n9MM2xBFt_EUD-97kbocwh1kekPkXru0SZrXQPzeHYyBvpo2ALilO_7n1T_eyz6ocAaw21ijcYUu0ALaWPr6mbL3X3Ys098mO5Do1c14tf9pBYcceJm1LHy1kG44Qka4RL_iTutR0SgfzV61SnA?testcase_id=5198467647668224

<style>
*{-webkit-transition-timing-function:step-end;display:block;}
.CLASS9{width:initial;display:list-item;}
*:enabled{width:+93.5%;float:right;</style>
<script>
function event_handler_27C_DOMContentLoaded() {
  var oSelection=window.getSelection();
  document.execCommand("SelectAll")
  var oRange = oSelection.rangeCount ? oSelection.getRangeAt(39 % oSelection.rangeCount) : null;
  var oInsertedElement = (function(){
    var aoElements = document.getElementsByTagName("*");
    if (aoElements.length) return aoElements[7 % aoElements.length];
  })();
  oRange.insertNode(oInsertedElement)
  var oParentElement = ({ })();
}
document.addEventListener("DOMContentLoaded", event_handler_27C_DOMContentLoaded);
</script>
<table>
<caption class="CLASS8 CLASS9"nl">
<ruby>
<rt>
<rtc>
<input>
</rtc>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 25 2016
ClusterFuzz has detected this issue as fixed in range 401888:401944.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5478610739920896

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Heap-use-after-free READ 4
Crash Address: 0xaa4058a0
Crash State:
  blink::FloatingObject::unsafeClone
  blink::LayoutBlockFlow::moveAllChildrenIncludingFloatsTo
  blink::LayoutBlockFlow::mergeSiblingContiguousAnonymousBlock

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=396253:396347
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=401888:401944

Minimized Testcase (0.89 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95ZrfDstc0cOna5CbN8tj3j3gchBxwy3YKAVxB80cH7-g_wfyTfrhjwgPsFH7ogONAxXBVtr2W0x5Fc2ax4ET5UvRtJpAi488xnCBbpAT0HVtd4Nq8l31hqbi9fGYVexxOmpcs13vFBjJPxjY9DyIDp1T72IA?testcase_id=5478610739920896

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 25 2016
ClusterFuzz has detected this issue as fixed in range 401888:401934.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5959874131525632

Fuzzer: bj_broddelwerk
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  blink::FloatingObject::unsafeClone
  blink::LayoutBlockFlow::moveAllChildrenIncludingFloatsTo
  blink::LayoutBlockFlow::mergeSiblingContiguousAnonymousBlock

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=396253:396347
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=401888:401934

Minimized Testcase (2.76 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96lgqcmN9SHmSzLPC6NMJdSWGXisX7wXac7uA8_1d1F8eCJcYovcTrE2WP0txDtQ4a8rPbu1DzWNOTNHg9U0p2GK17hjqVQKdrOyOokt99qbDZwtmErm3sHs0HZ30zn9__neDVVGZXqMPOafNIjijvrsTUaGg?testcase_id=5959874131525632

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 26 2016
Fix already in M53, removing ReleaseBlock-Beta.
Aug 30 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6f208d569f6bd2488f2f2f6f9004e54417f78782

commit 6f208d569f6bd2488f2f2f6f9004e54417f78782
Author: robhogan <robhogan@gmail.com>
Date: Tue Aug 30 17:30:44 2016

Copy float list of ruby base when merging it with a sibling

When merging two ruby bases ensure that the new base has a complete float list.

BUG=619380, 624028

Review-Url: https://codereview.chromium.org/2283413003
Cr-Commit-Position: refs/heads/master@{#415337}

[modify] https://crrev.com/6f208d569f6bd2488f2f2f6f9004e54417f78782/third_party/WebKit/LayoutTests/fast/block/float/float-reparent-during-detach-crash.html
[modify] https://crrev.com/6f208d569f6bd2488f2f2f6f9004e54417f78782/third_party/WebKit/Source/core/layout/FloatingObjects.cpp
[modify] https://crrev.com/6f208d569f6bd2488f2f2f6f9004e54417f78782/third_party/WebKit/Source/core/layout/FloatingObjects.h
[modify] https://crrev.com/6f208d569f6bd2488f2f2f6f9004e54417f78782/third_party/WebKit/Source/core/layout/LayoutRubyBase.cpp
Sep 10 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f6e18a33072f5811932ecafe3b6c314591b3fdc8

commit f6e18a33072f5811932ecafe3b6c314591b3fdc8
Author: wfh <wfh@chromium.org>
Date: Sat Sep 10 09:03:23 2016

Revert of Copy float list of ruby base when merging it with a sibling (patchset #1 id:1 of https://codereview.chromium.org/2283413003/ )

Reason for revert:
see crbug.com/644605

Original issue's description:
> Copy float list of ruby base when merging it with a sibling
>
> When merging two ruby bases ensure that the new base has a complete float list.
>
> BUG=619380, 624028
>
> Committed: https://crrev.com/6f208d569f6bd2488f2f2f6f9004e54417f78782
> Cr-Commit-Position: refs/heads/master@{#415337}

TBR=eae@chromium.org,robhogan@gmail.com
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=619380, 624028, 644605

Review-Url: https://codereview.chromium.org/2322703002
Cr-Commit-Position: refs/heads/master@{#417825}

[modify] https://crrev.com/f6e18a33072f5811932ecafe3b6c314591b3fdc8/third_party/WebKit/LayoutTests/fast/block/float/float-reparent-during-detach-crash.html
[modify] https://crrev.com/f6e18a33072f5811932ecafe3b6c314591b3fdc8/third_party/WebKit/Source/core/layout/FloatingObjects.cpp
[modify] https://crrev.com/f6e18a33072f5811932ecafe3b6c314591b3fdc8/third_party/WebKit/Source/core/layout/FloatingObjects.h
[modify] https://crrev.com/f6e18a33072f5811932ecafe3b6c314591b3fdc8/third_party/WebKit/Source/core/layout/LayoutRubyBase.cpp
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016

Oct 11 2016
Fix was reverted, reopening.
Oct 12 2016
chrishtr: Uh oh! This issue is still open and hasn't been updated in the last 109 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 12 2016

Oct 12 2016
https://codereview.chromium.org/2329863002 I have a CL for this - I just lack a decent test case for it. The clusterfuzz test cases that led to the revert are either flaky or trigger all sorts of unrelated asserts. :/ Maybe we should just have another go?
Oct 12 2016

Oct 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3453e2368a018544e7143e60afbc7a1454e848ed

commit 3453e2368a018544e7143e60afbc7a1454e848ed
Author: robhogan <robhogan@gmail.com>
Date: Wed Oct 12 21:29:52 2016

Copy float list of ruby base when merging it with a sibling

When merging two ruby bases ensure that the new base has a complete float list.

A 2nd go at https://crrev.com/6f208d569f6bd2488f2f2f6f9004e54417f78782

BUG=619380, 624028, 644605, 644803

Review-Url: https://codereview.chromium.org/2329863002
Cr-Commit-Position: refs/heads/master@{#424864}

[modify] https://crrev.com/3453e2368a018544e7143e60afbc7a1454e848ed/third_party/WebKit/LayoutTests/fast/block/float/float-reparent-during-detach-crash.html
[modify] https://crrev.com/3453e2368a018544e7143e60afbc7a1454e848ed/third_party/WebKit/Source/core/layout/FloatingObjects.cpp
[modify] https://crrev.com/3453e2368a018544e7143e60afbc7a1454e848ed/third_party/WebKit/Source/core/layout/FloatingObjects.h
[modify] https://crrev.com/3453e2368a018544e7143e60afbc7a1454e848ed/third_party/WebKit/Source/core/layout/LayoutRubyBase.cpp
Oct 13 2016

Oct 13 2016
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue? For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 17 2016
Merge-Triage as we'll want to take this into M55 once it's baked.
Oct 17 2016

Oct 27 2016

Oct 27 2016
Your change meets the bar and is auto-approved for M55 (branch: 2883)
Oct 28 2016
robhogan@, please merge your change to M55 branch 2883 ASAP. Thank you.
Oct 28 2016
Confirmed with robhogan@. This is merged at - https://chromium.googlesource.com/chromium/src.git/+/615822c475c7373b23f2f75f6939d22a1b1138f0. Removing "Merge-Approved-55" label and applying "merge-merged-2883" label. awhalley@, does this require a merge to M54?
Oct 29 2016
We can pass on this for 54.
Nov 7 2016

Nov 29 2016

Jan 24 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot