Issue 624321 link

Starred by 2 users

Issue metadata

Status:	Duplicate
Merged:	issue 573921
Owner:	█ dominicc@chromium.org Last visit > 30 days ago
Closed:	Jul 2016
Cc:	kouhei@chromium.org █ jww@chromium.org █ sigbjo...@opera.com █ dominicc@chromium.org █ mummare...@chromium.org haraken@chromium.org lfg@chromium.org
Components:	Blink>Bindings
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Te-Logged Stability-Crash Reproducible Stability-Memory-AddressSanitizer Findit-for-crash M-53 Clusterfuzz MovedFrom-52

Crash in blink::toScriptLoaderIfPossible

Project Member Reported by ClusterFuzz, Jun 29 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4506062057373696

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::toScriptLoaderIfPossible
  blink::HTMLScriptRunner::runScript
  blink::HTMLScriptRunner::execute
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=173978:174317

Minimized Testcase (0.47 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94HBFugAmB-n9M57wcOxvdr9E98Knb1zMU7AuHAl01TBwuBp4bkTrbx2XH7teDaRJPAx6INV2-PzQfDXp6ojGo1exJn1FFHIGJTYuFi7fTlyJq9lz0JEMqfqfuHf2Sk5kpCytBFLy4zemhFzHcMyTWEt0er8w?testcase_id=4506062057373696
<style>
@import url(N#Va_=l|3M&amp;</style>
<script>
function eventhandler8() {
 /*Document*/ var var00102 = document;  //line 111
 /*Node*/ var var00103 = var00102;  //line 112
 /*HTMLDocument*/ var var00267 = document;  //line 303
 /*XMLSerializer*/ var var00268 = new XMLSerializer();  //line 304
 /*DOMString*/ var var00269 = var00268.serializeToString(var00103);  //line 305
 var00267.writeln(var00269);  //line 306
}
</script>
<style onload="eventhandler8()"></style>
<iframe>


Filer: tkonchada

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by tkonch...@chromium.org, Jun 29 2016

Cc: eseidel@chromium.org
Components: Blink
Labels: findit-for-crash Te-Logged M-52
Owner: adamk@chromium.org
Status: Assigned (was: Available)

Suspected CLs	No CL in the regression range changes the crashed files. The result is the blame information.

Author: mjs@apple.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/554c7634cddfec7925865257d362fa718c34ac3a
Time: Thu May 06 22:41:15 2010
The CL last changed line 748 of file Node.h, which is stack frame 0.

Author: ch.dumez@samsung.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/587fbaddd0ea17eb7b10ee94ef55fd6bd24ed8b7
Time: Wed Mar 12 06:34:51 2014
The CL last changed line 340 of file ScriptLoader.cpp, which is stack frame 1.

Author: morrita@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/76d57963828b7fcce9867876852fac640ae78ef0
Time: Tue Jul 09 07:10:09 2013
The CL last changed line 525 of file ScriptLoader.cpp, which is stack frame 2.

Author: morrita@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/76d57963828b7fcce9867876852fac640ae78ef0
Time: Tue Jul 09 07:10:09 2013
The CL last changed line 404 of file HTMLScriptRunner.cpp, which is stack frame 3.

Author: keishi
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/e052139d295bf332a88308c833bb7a31546e1778
Time: Mon Apr 11 09:48:59 2016
The CL last changed line 275 of file HTMLScriptRunner.cpp, which is stack frame 4.

Author: keishi
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/e052139d295bf332a88308c833bb7a31546e1778
Time: Mon Apr 11 09:48:59 2016
The CL last changed line 258 of file HTMLDocumentParser.cpp, which is stack frame 5.

Author: eric@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6733eada55d78af85b14dc76934e5cdb03a05681
Time: Mon Jul 09 23:48:14 2012
The CL last changed line 268 of file HTMLDocumentParser.cpp, which is stack frame 6.

Possible suspect : https://chromium.googlesource.com/chromium/src//+/587fbaddd0ea17eb7b10ee94ef55fd6bd24ed8b7

Please reassign if this is not related to your change.

Project Member

Comment 2 by sheriffbot@chromium.org, Jun 29 2016

Labels: -M-52 M-53 MovedFrom-52

Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by adamk@chromium.org, Jun 29 2016

Cc: -eseidel@chromium.org
Components: -Blink Blink>Bindings
Owner: haraken@chromium.org

Comment 4 by sigbjo...@opera.com, Jun 29 2016

Cc: haraken@chromium.org kouhei@chromium.org
Owner: dominicc@chromium.org

Same testcase as  issue 605066  (dup of  issue 573921 , which appears to be RVG-labelled and inaccessible.)

Fixed by https://codereview.chromium.org/2099583002 , re-assigning to dominicc@ for a closer look.

Project Member

Comment 5 by ClusterFuzz, Jun 30 2016

ClusterFuzz has detected this issue as fixed in range 402095:402107.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4506062057373696

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::toScriptLoaderIfPossible
  blink::HTMLScriptRunner::runScript
  blink::HTMLScriptRunner::execute
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=173978:174317
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=402095:402107

Minimized Testcase (0.47 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94HBFugAmB-n9M57wcOxvdr9E98Knb1zMU7AuHAl01TBwuBp4bkTrbx2XH7teDaRJPAx6INV2-PzQfDXp6ojGo1exJn1FFHIGJTYuFi7fTlyJq9lz0JEMqfqfuHf2Sk5kpCytBFLy4zemhFzHcMyTWEt0er8w?testcase_id=4506062057373696
<style>
@import url(N#Va_=l|3M&amp;</style>
<script>
function eventhandler8() {
 /*Document*/ var var00102 = document;  //line 111
 /*Node*/ var var00103 = var00102;  //line 112
 /*HTMLDocument*/ var var00267 = document;  //line 303
 /*XMLSerializer*/ var var00268 = new XMLSerializer();  //line 304
 /*DOMString*/ var var00269 = var00268.serializeToString(var00103);  //line 305
 var00267.writeln(var00269);  //line 306
}
</script>
<style onload="eventhandler8()"></style>
<iframe>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 6 by dominicc@chromium.org, Jul 1 2016

Mergedinto: 573921
Status: Duplicate (was: Assigned)

Yes; I think this was fixed in e75f7662727fbbd08cc730c41b3c63da7d61c36c. Thank you for the de-dup sigbjornf.

Comment 7 by dominicc@chromium.org, Jul 11 2016

Cc: mummare...@chromium.org jww@chromium.org sigbjo...@opera.com dominicc@chromium.org

 Issue 626735  has been merged into this issue.

Project Member

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 624321 link

Issue metadata

Crash in blink::toScriptLoaderIfPossible

Issue description

Comment 1 by tkonch...@chromium.org, Jun 29 2016

Comment 1 Deleted

Comment 2 by sheriffbot@chromium.org, Jun 29 2016

Comment 2 Deleted

Comment 3 by adamk@chromium.org, Jun 29 2016

Comment 3 Deleted

Comment 4 by sigbjo...@opera.com, Jun 29 2016

Comment 4 Deleted

Comment 5 by ClusterFuzz, Jun 30 2016

Comment 5 Deleted

Comment 6 by dominicc@chromium.org, Jul 1 2016

Comment 6 Deleted

Comment 7 by dominicc@chromium.org, Jul 11 2016

Comment 7 Deleted

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Comment 8 Deleted

Sign in to add a comment