We should not call FocusController::setFocusedFrame() for detached frame
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4730814759960576
Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00000310
Crash State:
  blink::FrameSelection::focusedOrActiveStateChanged
  blink::FrameSelection::pageActivationChanged
  blink::FocusController::setActive
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=398502:398570
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96dHxQRr2lf2DOP44Rr0pp4nJw1Kf_SLnZh7a1rgOyiU7J8iR_1b7RQ_seYDZFup1owTlgJ0C3RAwIyyAZqsMtsFWaIvkibWcMkfvYeXB5b3Zr2JTTufjbj-vjV8_BxcySxtzXX7aASIpXztIb-zbioPxqvHQ?testcase_id=4730814759960576
Additional requirements: Requires Gestures
Filer: mummareddy
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 9 2016
Moving this nonessential bug to the next milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 12 2016
DCHECK(!frame || frame->page() == m_page) in FocusController::setFocusedFrame()

This frame is detached by the "focusout" event handler, then the "focus" event handler attempts to set focus.

FocusController::setFocusedFrame(blink::Frame * frame, bool notifyEmbedder) Line 723
FocusController::focusDocumentView(blink::Frame * frame, bool notifyEmbedder) Line 776
DOMWindow::focus(blink::ExecutionContext * context) Line 375
DOMWindowV8Internal::focusMethod(const v8::FunctionCallbackInfo<v8::Value> & info) Line 4169
DOMWindowV8Internal::focusMethodCallback(const v8::FunctionCallbackInfo<v8::Value> & info) Line 4174
v8.dll!v8::internal::FunctionCallbackArguments::Call(void(*)(const v8::FunctionCallbackInfo<v8::Value> &) f) Line 20
v8.dll!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>(v8::internal::Isolate * isolate, v8::internal::Handle<v8::internal::HeapObject> function, v8::internal::Handle<v8::internal::HeapObject> new_target, v8::internal::Handle<v8::internal::FunctionTemplateInfo> fun_data, v8::internal::Handle<v8::internal::Object> receiver, v8::internal::`anonymous-namespace'::BuiltinArguments args) Line 5803
v8.dll!v8::internal::Builtin_Impl_HandleApiCall(v8::internal::`anonymous-namespace'::BuiltinArguments args, v8::internal::Isolate * isolate) Line 5831
v8.dll!v8::internal::Builtin_HandleApiCall(int args_length, v8::internal::Object * * args_object, v8::internal::Isolate * isolate) Line 5819
[External Code]
v8.dll!v8::internal::Builtin_HandleApiCall(int args_length, v8::internal::Object * * args_object, v8::internal::Isolate * isolate) Line 5819
[External Code]
v8.dll!v8::internal::Runtime_LoadIC_Miss(int args_length, v8::internal::Object * * args_object, v8::internal::Isolate * isolate) Line 2259
[External Code]
v8.dll!v8::internal::Runtime_LoadGlobalIC_Miss(int args_length, v8::internal::Object * * args_object, v8::internal::Isolate * isolate) Line 2300
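The sequence in the comment above, as an added illustration that is not Blink's code: a constructed model in which script running inside a focusout handler detaches the frame that is about to be focused, so the engine has to re-validate the frame's page before reaching setFocusedFrame(). The types Page and Frame, detachFrame() and the two focusDocumentView variants are assumptions made for the model.

```cpp
#include <functional>
#include <string>

// Constructed model of the objects in the report (a Page owning Frames plus
// the focus logic); illustrative only, not Blink's implementation.
struct Page;
struct Frame {
    Page* page = nullptr;              // becomes null once the frame is detached
    std::function<void()> onFocusOut;  // script-provided "focusout" handler
};
struct Page { Frame* focusedFrame = nullptr; };

void detachFrame(Frame& f) { f.page = nullptr; }

// Models FocusController::setFocusedFrame(). Blink DCHECKs
// frame->page() == m_page here; the model reports that condition as a
// string instead of reading through the stale page pointer.
std::string setFocusedFrame(Page& page, Frame* frame) {
    if (frame && frame->page != &page) return "dcheck: frame->page() != m_page";
    page.focusedFrame = frame;
    return "focused";
}

// Pre-fix shape: run the old frame's focusout handler (arbitrary script),
// then hand the target frame straight to setFocusedFrame().
std::string focusDocumentViewUnguarded(Page& page, Frame* target) {
    if (page.focusedFrame && page.focusedFrame->onFocusOut) page.focusedFrame->onFocusOut();
    return setFocusedFrame(page, target);
}

// Post-fix shape: re-check the target after script ran. A detached frame
// cannot be focused, so the call is skipped rather than asserted on.
std::string focusDocumentViewGuarded(Page& page, Frame* target) {
    if (page.focusedFrame && page.focusedFrame->onFocusOut) page.focusedFrame->onFocusOut();
    if (!target || target->page != &page) return "ignored: frame detached during focusout";
    return setFocusedFrame(page, target);
}

// Constructed scenario matching the comment: the focusout handler detaches
// the iframe, then focus is requested for that same iframe.
std::string runReportedSequence(bool guarded) {
    Page page;
    Frame mainFrame, iframe;
    mainFrame.page = &page; iframe.page = &page;
    page.focusedFrame = &mainFrame;
    mainFrame.onFocusOut = [&] { detachFrame(iframe); };  // script removes the iframe
    return guarded ? focusDocumentViewGuarded(page, &iframe)
                   : focusDocumentViewUnguarded(page, &iframe);
}
```

The guarded variant is the general rule for any engine path that runs script mid-operation: every pointer obtained before the script ran must be re-validated afterwards.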
Jul 14 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6714113216741376
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000327
Crash State:
  blink::FrameSelection::focusedOrActiveStateChanged
  blink::FocusController::setActive
  IPC::MessageT<ViewMsg_SetActive_Meta,std::tuple<bool>,void>::Dispatch<content::R
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=404473:404552
Minimized Testcase (0.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96hWRqqoKmYHrso2hjXw5HkoBv_DTwvjSr7fIcftUrGe-W07IbSd3JxcX_RZTzxYRUvyMmqpS-mW9HHQgG9VXz9n3c13vJtvR05R0QImvSA7ApSiTbKCeb95p0_J6mVqxgBfdr3kZAA5NuaZ-y8NPW_-VmbmA?testcase_id=6714113216741376
Additional requirements: Requires Gestures
Filer: ranjitkan
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 21 2016
Issue 605071 has been merged into this issue.
Jul 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f0bde6849797c7856ec8c4edadf3b4572c3261f5

commit f0bde6849797c7856ec8c4edadf3b4572c3261f5
Author: kochi <kochi@chromium.org>
Date: Fri Jul 22 03:24:01 2016

Should not call FocusController::setFocusedFrame() for detached frame

In case frame is detached, do not call setFocusedFrame() as it can't be focused.

BUG= 626750
TEST=LayoutTests/fast/dom/Selection/selection-crash.html
Review-Url: https://codereview.chromium.org/2153063003
Cr-Commit-Position: refs/heads/master@{#407019}

[add] https://crrev.com/f0bde6849797c7856ec8c4edadf3b4572c3261f5/third_party/WebKit/LayoutTests/fast/dom/Selection/selection-crash.html
[modify] https://crrev.com/f0bde6849797c7856ec8c4edadf3b4572c3261f5/third_party/WebKit/Source/core/page/FocusController.cpp
Jul 23 2016
ClusterFuzz has detected this issue as fixed in range 407005:407057.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4730814759960576
Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00000310
Crash State:
  blink::FrameSelection::focusedOrActiveStateChanged
  blink::FrameSelection::pageActivationChanged
  blink::FocusController::setActive
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=398502:398570
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=407005:407057
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96dHxQRr2lf2DOP44Rr0pp4nJw1Kf_SLnZh7a1rgOyiU7J8iR_1b7RQ_seYDZFup1owTlgJ0C3RAwIyyAZqsMtsFWaIvkibWcMkfvYeXB5b3Zr2JTTufjbj-vjV8_BxcySxtzXX7aASIpXztIb-zbioPxqvHQ?testcase_id=4730814759960576
Additional requirements: Requires Gestures
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Jul 8 2016
Owner: yosin@chromium.org
Status: Assigned (was: Available)