New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 626750 link

Starred by 3 users
Status: Fixed
Owner:
kochi@chromium.org
Last visit > 30 days ago
Closed: Jul 2016
Cc:
yosin@chromium.org
mummare...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

We should not call FocusController::setFocusedFrame() for detached frame

Project Member Reported by ClusterFuzz, Jul 8 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4730814759960576

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000310
Crash State:
  blink::FrameSelection::focusedOrActiveStateChanged
  blink::FrameSelection::pageActivationChanged
  blink::FocusController::setActive
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=398502:398570

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96dHxQRr2lf2DOP44Rr0pp4nJw1Kf_SLnZh7a1rgOyiU7J8iR_1b7RQ_seYDZFup1owTlgJ0C3RAwIyyAZqsMtsFWaIvkibWcMkfvYeXB5b3Zr2JTTufjbj-vjV8_BxcySxtzXX7aASIpXztIb-zbioPxqvHQ?testcase_id=4730814759960576


Additional requirements: Requires Gestures

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mummare...@chromium.org, Jul 8 2016

Labels: Te-Logged M-53
Owner: yosin@chromium.org
Status: Assigned (was: Available)
From findit tool:

Author: yosin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/9c38a83b780e6cbd388579067b137ef12a39ff0c
Time: Wed Jun 08 11:12:19 2016
Lines 928, 962-963 of file FrameSelection.cpp which potentially caused crash are changed in this cl (frame #2, "blink::FrameSelection::focusedOrActiveStateChanged"; frame #3, "blink::FrameSelection::pageActivationChanged").

File WebViewImpl.cpp is changed in this cl (and is part of stack frame #5, "blink::WebViewImpl::setIsActive")
Minimum distance from crash line to modified line: 0. (file: FrameSelection.cpp, crashed on: 928, modified: 928).

Suspected Project: chromium
Suspected Component: Blink>Editing
Project Member

Comment 2 by sheriffbot@chromium.org, Jul 9 2016

Labels: -M-53 M-54 MovedFrom-53
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by yosin@chromium.org, Jul 12 2016

Cc: yosin@chromium.org
Owner: kochi@chromium.org
Summary: We should not call setFocusedFrame() for detached frame (was: Crash in blink::FrameSelection::focusedOrActiveStateChanged)
DCHECK(!frame || frame->page() == m_page)
in FocusController::setFocusedFrame()

This frame is detached by "focusout" event handler,
then "focus" event handler attempts to set focus.

FocusController::setFocusedFrame(blink::Frame * frame, bool notifyEmbedder) Line 723
FocusController::focusDocumentView(blink::Frame * frame, bool notifyEmbedder) Line 776
DOMWindow::focus(blink::ExecutionContext * context) Line 375
DOMWindowV8Internal::focusMethod(const v8::FunctionCallbackInfo<v8::Value> & info) Line 4169
DOMWindowV8Internal::focusMethodCallback(const v8::FunctionCallbackInfo<v8::Value> & info) Line 4174
v8.dll!v8::internal::FunctionCallbackArguments::Call(void(*)(const v8::FunctionCallbackInfo<v8::Value> &) f) Line 20
v8.dll!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>(v8::internal::Isolate * isolate, v8::internal::Handle<v8::internal::HeapObject> function, v8::internal::Handle<v8::internal::HeapObject> new_target, v8::internal::Handle<v8::internal::FunctionTemplateInfo> fun_data, v8::internal::Handle<v8::internal::Object> receiver, v8::internal::`anonymous-namespace'::BuiltinArguments args) Line 5803
v8.dll!v8::internal::Builtin_Impl_HandleApiCall(v8::internal::`anonymous-namespace'::BuiltinArguments args, v8::internal::Isolate * isolate) Line 5831
v8.dll!v8::internal::Builtin_HandleApiCall(int args_length, v8::internal::Object * * args_object, v8::internal::Isolate * isolate) Line 5819
[External Code]	
v8.dll!v8::internal::Builtin_HandleApiCall(int args_length, v8::internal::Object * * args_object, v8::internal::Isolate * isolate) Line 5819
[External Code]	
v8.dll!v8::internal::Runtime_LoadIC_Miss(int args_length, v8::internal::Object * * args_object, v8::internal::Isolate * isolate) Line 2259
[External Code]	
v8.dll!v8::internal::Runtime_LoadGlobalIC_Miss(int args_length, v8::internal::Object * * args_object, v8::internal::Isolate * isolate) Line 2300

Comment 4 by yosin@chromium.org, Jul 12 2016

Components: Blink>Focus

Comment 5 by yosin@chromium.org, Jul 12 2016

Summary: We should not call FocusController::setFocusedFrame() for detached frame (was: We should not call setFocusedFrame() for detached frame)
Project Member

Comment 6 by ClusterFuzz, Jul 14 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6714113216741376

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000327
Crash State:
  blink::FrameSelection::focusedOrActiveStateChanged
  blink::FocusController::setActive
  IPC::MessageT<ViewMsg_SetActive_Meta,std::tuple<bool>,void>::Dispatch<content::R
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=404473:404552

Minimized Testcase (0.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96hWRqqoKmYHrso2hjXw5HkoBv_DTwvjSr7fIcftUrGe-W07IbSd3JxcX_RZTzxYRUvyMmqpS-mW9HHQgG9VXz9n3c13vJtvR05R0QImvSA7ApSiTbKCeb95p0_J6mVqxgBfdr3kZAA5NuaZ-y8NPW_-VmbmA?testcase_id=6714113216741376

Additional requirements: Requires Gestures

Filer: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 7 by kochi@chromium.org, Jul 15 2016

Status: Started (was: Assigned)

Comment 8 by kochi@chromium.org, Jul 21 2016 

Issue 605071 has been merged into this issue.
Project Member

Comment 9 by bugdroid1@chromium.org, Jul 22 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f0bde6849797c7856ec8c4edadf3b4572c3261f5

commit f0bde6849797c7856ec8c4edadf3b4572c3261f5
Author: kochi <kochi@chromium.org>
Date: Fri Jul 22 03:24:01 2016

Should not call FocusController::setFocusedFrame() for detached frame

In case frame is detached, do not call setFocusedFrame() as it can't be focused.

BUG= 626750 
TEST=LayoutTests/fast/dom/Selection/selection-crash.html

Review-Url: https://codereview.chromium.org/2153063003
Cr-Commit-Position: refs/heads/master@{#407019}

[add] https://crrev.com/f0bde6849797c7856ec8c4edadf3b4572c3261f5/third_party/WebKit/LayoutTests/fast/dom/Selection/selection-crash.html
[modify] https://crrev.com/f0bde6849797c7856ec8c4edadf3b4572c3261f5/third_party/WebKit/Source/core/page/FocusController.cpp

Comment 10 by kochi@chromium.org, Jul 22 2016

Status: Fixed (was: Started)
Project Member

Comment 11 by bugdroid1@chromium.org, Jul 22 2016

Labels: merge-merged-2804
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f0bde6849797c7856ec8c4edadf3b4572c3261f5

commit f0bde6849797c7856ec8c4edadf3b4572c3261f5
Author: kochi <kochi@chromium.org>
Date: Fri Jul 22 03:24:01 2016

Should not call FocusController::setFocusedFrame() for detached frame

In case frame is detached, do not call setFocusedFrame() as it can't be focused.

BUG= 626750 
TEST=LayoutTests/fast/dom/Selection/selection-crash.html

Review-Url: https://codereview.chromium.org/2153063003
Cr-Commit-Position: refs/heads/master@{#407019}

[add] https://crrev.com/f0bde6849797c7856ec8c4edadf3b4572c3261f5/third_party/WebKit/LayoutTests/fast/dom/Selection/selection-crash.html
[modify] https://crrev.com/f0bde6849797c7856ec8c4edadf3b4572c3261f5/third_party/WebKit/Source/core/page/FocusController.cpp
Project Member

Comment 12 by ClusterFuzz, Jul 23 2016 

ClusterFuzz has detected this issue as fixed in range 407005:407057.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4730814759960576

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000310
Crash State:
  blink::FrameSelection::focusedOrActiveStateChanged
  blink::FrameSelection::pageActivationChanged
  blink::FocusController::setActive
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=398502:398570
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=407005:407057

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96dHxQRr2lf2DOP44Rr0pp4nJw1Kf_SLnZh7a1rgOyiU7J8iR_1b7RQ_seYDZFup1owTlgJ0C3RAwIyyAZqsMtsFWaIvkibWcMkfvYeXB5b3Zr2JTTufjbj-vjV8_BxcySxtzXX7aASIpXztIb-zbioPxqvHQ?testcase_id=4730814759960576


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 13 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 14 by benhenry@chromium.org, Sep 29 2017

Components: Blink>HTML>Focus

Comment 15 by benhenry@chromium.org, Sep 29 2017

Components: -Blink>Focus

Sign in to add a comment