Crash in blink::HTMLViewSourceDocument::addSource
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5351068955574272
Fuzzer: svg_more_tokenfuzz
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000ad8
Crash State:
blink::HTMLViewSourceDocument::addSource
blink::HTMLViewSourceParser::pumpTokenizer
blink::HTMLViewSourceParser::finish
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95BnkradLFsLIfBtvOAV0tPSIYoj45rWxnwR8KVgVwEdUCM1d4Ms7tLE8_YLerLudZs4V4DeuBgzp53BCXngc0afu1DuvXRw9Be80784Gl06QYLt3UXlhEtGtIFoiaU6JoLlIYv-BM2TsnqG7S6h8udlIC5ZwO0umwglEDmR3dyhDdCAPE?testcase_id=5351068955574272
Additional requirements: Requires Gestures
Filer: mmohammad
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 30 2016
I don't think this is either of the CLs listed there. I've requested a re-do of the minimization, regressed, and blame lines in clusterfuzz. We need a proper regression range to find a good owner. This is sort of loader related so "Blink>Loader" is a potential component label, but I'd prefer to find the exact regression range.
,
Jun 30 2016
,
Jun 30 2016
Added Blink>Loader component. Thanks.
,
Jul 1 2016
Does your CL look to be the root cause? CC'ing the relevant owners. Thanks.

Author: sigbjornf
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/3e5bcb132b1af136ba6faa1c152dcba2c298549f
Time: Mon May 23 14:28:16 2016
The CL last changed line 74 of file Member.h, which is stack frame 0.

Author: hyatt
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/2b76a2797477a6e10feb4e8391b4a95252efff06
Time: Sat May 19 07:42:59 2007
The CL last changed line 95 of file HTMLViewSourceDocument.cpp, which is stack frame 1.

Author: tsepez@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ca64b3770b3c708af2b14ff543932f7de2129559
Time: Mon Jun 02 21:43:29 2014
The CL last changed line 57 of file HTMLViewSourceParser.cpp, which is stack frame 2.

Author: abarth@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/01e1e7c4d63efa522d22e39ff61c09602986a9d9
Time: Wed Aug 11 07:30:57 2010
The CL last changed line 76 of file HTMLViewSourceParser.cpp, which is stack frame 3.

Author: abarth@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/3c27c62d9b372af0ab401f1b6ad435e4a05863d0
Time: Sat Jun 11 00:56:13 2011
The CL last changed line 108 of file DocumentWriter.cpp, which is stack frame 4.

Author: morrita@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/474725d67b2f7fd3479a439bff61590a6a851e15
Time: Mon Jul 01 04:45:05 2013
The CL last changed line 659 of file DocumentLoader.cpp, which is stack frame 5.

Author: japhet
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ba1f66fc44875b25efb3faf991c0b6754793088b
Time: Tue Nov 03 02:41:22 2015
The CL last changed line 297 of file DocumentLoader.cpp, which is stack frame 6.
,
Jul 1 2016
,
Jul 1 2016
Loader team, would you be able to take a look? I don't think this is a regression and am unsure if it's a P1.
,
Jul 6 2016
Moving to untriaged to go back in loader rotation. My guess is that document() is a nullptr in HTMLViewSourceParser::pumpTokenizer() so addSource immediately crashes. This could happen if the parser detaches. To the next loading triager: It may be helpful to see if the clusterfuzz report can be reproduced locally at TOT asan build. That way, we can see exactly when the parser is getting detached and why (if that hypothesis is correct).
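The hypothesis above (document() already null when pumpTokenizer() runs after the parser has been detached) fits the report's crash address, 0x0ad8, which is a read at a small offset from a null pointer rather than a wild address. The following C++ sketch is an added example written for this page, not Blink code: Document, ViewSourceParser and their members are hypothetical stand-ins that model only the lifecycle in question. It shows the unguarded finish path that would dereference the null document next to the guarded form that skips pumping once detached, which is the shape of the fix that later landed for this bug.

```cpp
#include <cassert>
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in for the document a view-source parser writes into.
struct Document {
    std::vector<std::string> sourceLines;
    void addSource(const std::string& text) { sourceLines.push_back(text); }
};

// Hypothetical parser modelling the lifecycle under discussion: it keeps a
// non-owning pointer to its Document that becomes null once detach() runs.
class ViewSourceParser {
public:
    explicit ViewSourceParser(Document* doc) : m_document(doc) {}

    void append(const std::string& input) { m_pending += input; }
    void detach() { m_document = nullptr; }
    bool isDetached() const { return m_document == nullptr; }

    // Unguarded finish: pumps the tokenizer regardless of state. After
    // detach() this dereferences a null Document, the same crash shape the
    // report shows (a read at a small address). Kept only for contrast; it
    // must never be called on a detached parser and is not exercised below.
    void finishUnguarded() { pumpTokenizer(); }

    // Guarded finish: skip pumping when detached, returning whether any
    // work was done. This is the check the speculative fix adds.
    bool finishGuarded() {
        if (isDetached())
            return false;
        pumpTokenizer();
        return true;
    }

private:
    // Crude tokenizer: each '\n'-separated chunk becomes one "source line".
    void pumpTokenizer() {
        std::size_t start = 0;
        while (start < m_pending.size()) {
            std::size_t nl = m_pending.find('\n', start);
            std::size_t end = (nl == std::string::npos) ? m_pending.size() : nl;
            m_document->addSource(m_pending.substr(start, end - start));
            start = end + 1;
        }
        m_pending.clear();
    }

    Document* m_document;
    std::string m_pending;
};

// Scenario 1: normal load, parser still attached at finish().
// Returns the number of source lines emitted into the document.
std::size_t runNormalFinish() {
    Document doc;
    ViewSourceParser parser(&doc);
    parser.append("<svg>\n<rect/>\n</svg>");  // constructed sample input
    parser.finishGuarded();
    return doc.sourceLines.size();
}

// Scenario 2: parser detached (e.g. the load was cancelled or replaced)
// before finish() is reached. The guarded finish must become a no-op
// instead of touching the null Document. Returns true if it was skipped.
bool runDetachedFinish() {
    Document doc;
    ViewSourceParser parser(&doc);
    parser.append("<svg>\n<rect/>\n");       // constructed sample input
    parser.detach();
    bool didWork = parser.finishGuarded();
    return !didWork && doc.sourceLines.empty();
}

int main() {
    assert(runNormalFinish() == 3);
    assert(runDetachedFinish());
    return 0;
}
```

The guard only suppresses the dereference; it does not explain why the parser is detached before finish() runs, which is the question the comment above asks the next triager to answer with a local ASan reproduction.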
,
Jul 11 2016
Couldn't reproduce on Linux. +kouhei@
,
Jul 13 2016
CL: https://codereview.chromium.org/2145003002
,
Jul 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/00435c119e19ce53b1b07f337c568eee4ffc7521

commit 00435c119e19ce53b1b07f337c568eee4ffc7521
Author: kouhei <kouhei@chromium.org>
Date: Wed Jul 13 08:00:55 2016

HTMLViewSourceParser should pumpTokenizer only if not detached

Speculative crash fix for non-reproducible clusterfuzz case.

BUG= 624903

Review-Url: https://codereview.chromium.org/2145003002
Cr-Commit-Position: refs/heads/master@{#405073}

[modify] https://crrev.com/00435c119e19ce53b1b07f337c568eee4ffc7521/third_party/WebKit/Source/core/html/parser/HTMLViewSourceParser.cpp
,
Jul 13 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot