
Issue 619870 link


Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug




Crash in blink::createWindowHelper

Project Member Reported by ClusterFuzz, Jun 14 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5695298139848704

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::createWindowHelper
  blink::createWindow
  blink::LocalDOMWindow::open
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=330259:330269

Minimized Testcase (0.57 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94H6FX-iK4_3sGFRPukJriCSOjdI4qtqr2hmH8tXM3JDZ_kvqQm6s7rm0qNmzQE0HnRnXhxZ3UK2UTvTMtUDVWk4r04XONzXCcV1HkLcqezaARIr6Q4nz1v92j2_x2uFCbNndxOTJOFJQ7Ctvj-Rk-rxS2yhA
<script>
function eventhandler2() {
 /*EventListener*/ var var00012 = this.onscroll;  //line 13
 /*HTMLDocument*/ var var00163 = document;  //line 180
 /*string_cssproperty*/ var var00224 = "border-top-left-radius";  //line 250
 this.onblur = var00012;  //line 291
 /*DOMWindow*/ var var00291 = window;  //line 330
 /*string_tag*/ var var00292 = "object";  //line 331
 /*DOMWindow*/ var var00293 = var00291.open(var00224,var00292);  //line 332
 var00163.open();  //line 363
}
</script>
<svg onscroll="eventhandler2()" onload="eventhandler2()"></svg>
<iframe name="object">


Filer: durga.behera

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Tools>Test>FindIt>CorrectResult Blink
Labels: findit-for-crash Te-Logged M-52
Owner: japhet@chromium.org
Status: Assigned (was: Available)
Suspected CLs:
==============
The result is a list of CLs that change the crashed files.

Author: japhet@chromium.org
Project: chromium-blink
Changelist: https://chromium.googlesource.com/chromium/blink.git/+/f9070bd5f3a31b65f3760a0887764dd3e4807e58
Time: Fri May 15 23:05:03 2015
Lines 151-159, 179-193 of file CreateWindow.cpp, which potentially caused the crash, are changed in this CL (frame #0, "blink::createWindowHelper"; frame #1, "blink::createWindow").

File LocalDOMWindow.cpp is changed in this cl (and is part of stack frame #2, "blink::LocalDOMWindow::open")
Minimum distance from crash line to modified line: 0. (file: CreateWindow.cpp, crashed on: 151, modified: 151).

Suspected Project: chromium-blink
==================================
Based on the above CL list, suspecting the below.
Suspect : https://chromium.googlesource.com/chromium/blink.git/+/f9070bd5f3a31b65f3760a0887764dd3e4807e58
japhet@: Could you please take a look into this if it's related to your change?
Currently it's impacting the latest Stable (51.0.2704.84) & Beta (52.0.2743.33).

Comment 2 by sheriffbot@chromium.org (Project Member), Jun 14 2016

Labels: -M-52 M-53 MovedFrom-52
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: -Blink Blink>WindowDialog

Comment 4 by sheriffbot@chromium.org (Project Member), Jul 5 2016

Labels: -M-53 -Pri-1 M-54 MovedFrom-53 Pri-2
This issue is Pri-1 but has already been moved once. Lowering the priority and moving to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by japhet@chromium.org, Oct 11 2016

Status: Fixed (was: Assigned)

Comment 7 by ClusterFuzz (Project Member), Oct 13 2016

ClusterFuzz has detected this issue as fixed in range 424153:424892.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5695298139848704

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::createWindowHelper
  blink::createWindow
  blink::LocalDOMWindow::open
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=378433:378578
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=424153:424892

Minimized Testcase (0.57 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94H6FX-iK4_3sGFRPukJriCSOjdI4qtqr2hmH8tXM3JDZ_kvqQm6s7rm0qNmzQE0HnRnXhxZ3UK2UTvTMtUDVWk4r04XONzXCcV1HkLcqezaARIr6Q4nz1v92j2_x2uFCbNndxOTJOFJQ7Ctvj-Rk-rxS2yhA?testcase_id=5695298139848704


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
