Crash in blink::Node::layoutBox
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4671633638031360
Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::layoutBox
  blink::LayoutTextControl::computeIntrinsicLogicalWidths
  blink::LayoutTextControl::computePreferredLogicalWidths
Minimized Testcase (1.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95xwPrssL99IaLqaX9dppkuCF_s6RxexuaTOQpA8KDdGHCYKNRqEhmoFOBZN3h5UGgWgodf-O89QmBpYgnZ9BQZb67B8uftOO41aBXJvUJPaa43Oq3irpeg9qcQAh-do-9vbpXkOGIzeriVdQP9cfMHo_5FlA?testcase_id=4671633638031360
Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jun 28 2016
I do not see how blink issues are related to AudioManager.

Jul 6 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4671633638031360
Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::layoutBox
  blink::LayoutTextControl::computeIntrinsicLogicalWidths
  blink::LayoutTextControl::computePreferredLogicalWidths
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=374097:374217
Minimized Testcase (1.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95xwPrssL99IaLqaX9dppkuCF_s6RxexuaTOQpA8KDdGHCYKNRqEhmoFOBZN3h5UGgWgodf-O89QmBpYgnZ9BQZb67B8uftOO41aBXJvUJPaa43Oq3irpeg9qcQAh-do-9vbpXkOGIzeriVdQP9cfMHo_5FlA?testcase_id=4671633638031360

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jul 11 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6378826427006976
Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::layoutBox
  blink::LayoutTextControl::computeIntrinsicLogicalWidths
  blink::LayoutTextControl::computePreferredLogicalWidths
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=374097:374217
Minimized Testcase (1.43 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96WWSrAgpDXVztcqIkfrE2qUoCm9PgT_oIWJz1rKVYPO-2aXKofSVKQmwrWR1-g9CuCah_RcKd_VBVWhAlyp2zLud-RA5RcEc53EGa-MqKqXTbMgwi6pDk20SdzOLOTrnKwW5r_esqfWvWsooCk7yv1P9X59A?testcase_id=6378826427006976
Filer: kavvaru

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jul 11 2016
More related CL information from the Findit tool:

Author: dsinclair@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ee2b344b0b5773d396f7aa7deca9200e96c940ec
Time: Thu Apr 30 19:31:22 2015

The CL last changed line 598 of file Node.cpp, which is stack frame 3.

dsinclair@: Please re-assign if it is not related to your change. Thank you!

Jul 11 2016
The blamed CL is a rename only. Sending to eae@ for layout-dev triage.

Jul 13 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6706151337230336
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::layoutBox
  blink::LayoutTextControl::computeIntrinsicLogicalWidths
  blink::LayoutBox::computeIntrinsicLogicalWidthUsing
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=363188:363337
Minimized Testcase (0.49 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97ky9B2E1rvP6dyTyT9wvzYmx5f4h0ltpN9FiFubsL61LRy6U_79gxsV4B9XUD_NmkAykmC7y1V3j9OK0e1gJ2l8mXN3H26gZe9tz5SzAK3LAMTV0m_TTBkLi0ASzO5gUmOp7SjD5gU4UtH56UDDKTMSC28sQ?testcase_id=6706151337230336

    <video id="v"><script>
    var video = document.getElementById('v');
    var videoShadow = window.internals.shadowRoot(video);
    traverse(videoShadow);
    function traverse(node) {
      if (!node) return;
      if (node.attributes)
        Array.prototype.forEach.call(node.attributes, function (n) { node[n && n.localName] = 2; });
      Array.prototype.forEach.call(node.childNodes, traverse);
      if (node.localName == 'input') traverse(window.internals.shadowRoot(node));
    }
    </script>

Filer: brajkumar

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jul 15 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e2103861032db223dab265e7c519d69ee9b46ac3

commit e2103861032db223dab265e7c519d69ee9b46ac3
Author: eae <eae@chromium.org>
Date: Fri Jul 15 01:15:18 2016

    Add null-check for LayoutTextControl::innerEditorElement()

    Add a null-check in LayoutTextControl::computeIntrinsicLogicalWidths to ensure that innerEditorElement is non-null before calling layoutBox().

    BUG=623718
    TBR=dgrogan@chromium.org

    Review-Url: https://codereview.chromium.org/2155513002
    Cr-Commit-Position: refs/heads/master@{#405661}

[modify] https://crrev.com/e2103861032db223dab265e7c519d69ee9b46ac3/third_party/WebKit/Source/core/layout/LayoutTextControl.cpp

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot

Mar 9 2017
ClusterFuzz has detected this issue as fixed in range 455091:455394.

Detailed report: https://clusterfuzz.com/testcase?key=6706151337230336
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::layoutBox
  blink::LayoutTextControl::computeIntrinsicLogicalWidths
  blink::LayoutBox::computeIntrinsicLogicalWidthUsing
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=363188:363337
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=455091:455394
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97ky9B2E1rvP6dyTyT9wvzYmx5f4h0ltpN9FiFubsL61LRy6U_79gxsV4B9XUD_NmkAykmC7y1V3j9OK0e1gJ2l8mXN3H26gZe9tz5SzAK3LAMTV0m_TTBkLi0ASzO5gUmOp7SjD5gU4UtH56UDDKTMSC28sQ?testcase_id=6706151337230336

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Mar 9 2017
ClusterFuzz has detected this issue as fixed in range 455091:455394.

Detailed report: https://clusterfuzz.com/testcase?key=6378826427006976
Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::layoutBox
  blink::LayoutTextControl::computeIntrinsicLogicalWidths
  blink::LayoutTextControl::computePreferredLogicalWidths
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=374097:374217
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=455091:455394
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96WWSrAgpDXVztcqIkfrE2qUoCm9PgT_oIWJz1rKVYPO-2aXKofSVKQmwrWR1-g9CuCah_RcKd_VBVWhAlyp2zLud-RA5RcEc53EGa-MqKqXTbMgwi6pDk20SdzOLOTrnKwW5r_esqfWvWsooCk7yv1P9X59A?testcase_id=6378826427006976

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 1 by mmohammad@chromium.org, Jun 27 2016
Status: Assigned (was: Available)