New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 627340 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Crash in blink::WebViewImpl::dragTargetDragOver

Project Member Reported by ClusterFuzz, Jul 12 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5152501779398656

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN WRITE
Crash Address: 0x000000000038
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseUp
  test_runner::EventSender::PointerUp
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=268656:269696

Minimized Testcase (1.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96tqoUsMJLgKCpMd81eJYHGA-QcZEpl4h71EyRHNxPPj0VbxRn65pFSP1bYc8Bn27zGCUdZYV_qn9WDKzk-MGc3d6IY1kAnTooSXrkowfUeIQZO-qiWdCV5lceJo2BatOExCZ0oMGMwsd4jGQnC-ir3PTMddQ?testcase_id=5152501779398656

Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: nyerramilli@chromium.org
Components: Tools>Test>FindIt>CorrectResult
Labels: findit-for-crash Te-Logged M-52
Owner: bokan@chromium.org
Status: Assigned (was: Available)
based on findit results, assigning to bokan@ - Could you please take a look at the issue and assign it to concerned developer if your changes are not responsible?

Findit Result:
-------------------------
Suspected CLs	The result is a list of CLs that change the crashed files.

Author: bokan@chromium.org
Project: chromium-blink
Changelist: https://chromium.googlesource.com/chromium/blink.git/+/47871c38cf4e2c9fdc07e4467ad6723991e099ab
Time: Thu May 08 20:14:39 2014
File WebViewImpl.cpp is changed in this cl (and is part of stack frame #1, "dragTargetDragEnterOrOver"; frame #2, "blink::WebViewImpl::dragTargetDragOver")
Minimum distance from crash line to modified line: 37. (file: WebViewImpl.cpp, crashed on: 3676, modified: 3639).

Suspected Project: chromium-blink

Comment 2 by bokan@chromium.org, Jul 12 2016

Cc: bokan@chromium.org
Owner: mustaq@chromium.org
Definitely not my patch but we're unlikely to find a culprit CL at this point.

Mustaq, could you triage? It looks like we hit some drag and drop code without initializing drag data. 

Comment 3 by mustaq@chromium.org, Jul 12 2016

Could be a crack in EventSender drag-drop states. Looking into it now.

Comment 4 by mustaq@chromium.org, Jul 12 2016

Status: Available (was: Assigned)
Confirmed that it's an WevViewImpl drag-drop issue (not an EventSender drag-drop issue as I initially suspected).

The DCHECK at the beginning of WebViewImpl::dragTargetDragEnterOrOver is failing:
DCHECK(m_currentDragData)
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/web/WebViewImpl.cpp?rcl=1468322258&l=3754
The code seems to expect a drag-enter before a drag-over which is not happening. I am not familiar with drag-drop code so can't comment further.

I am attaching a minimal html (edited from fizz html) which fails locally when run with --run-layout-test.

Note that the crash happens regardless of whether PointerEvent is enabled or not.

fuzz-lyt-006111467861628.95-edited.html
1.1 KB View Download

Comment 5 by mustaq@chromium.org, Jul 12 2016

Owner: hush@chromium.org
hush@, any chance you can take a look? I picked you because you recently changed drag-drop code (crrev.com/1723763002), so could even point us to a drag-drop expert.

Comment 6 by mustaq@chromium.org, Jul 13 2016

Owner: mustaq@chromium.org
Status: Started (was: Available)
Yeah, this seems like a event_sender function reentry bug.

Comment 7 by hush@chromium.org, Jul 13 2016

Hello Mustaq,
I am working on drag and drop on Android, where it is possible for the OS the send 2 consecutive DragEnter events. I'm considering removing this DCHECK.

Comment 8 by hush@chromium.org, Jul 13 2016

Cc: dcheng@chromium.org
Oh nevermind comment #7. It's a different bug.
This issue is about getting DragOver before any DragEnter, on Linux.

Comment 9 by hush@chromium.org, Jul 13 2016

Cc: hush@chromium.org
It turned out that EventSender::FinishDragAndDrop was involved in a cyclic reentry in this case (crrev.com/2148733003). Sorry for creating the confusion with my "dragover" comment.
Here is the actual problem: I have attached a (real) minimal test html. The test uses an EventSender sequence to drag from one div to another. The sequence ends with a mouseup, but the drag target also fires a mouseup on dragend. While the first mouseup was still processing a drag-drop at EventSender::FinishDragAndDrop, the second mouseup triggered another call to EventSender::FinishDragAndDrop, causing a premature call to WebViewImpl::dragTargetDragEnterOrOver with the crash.

fuzz-lyt-006111467861628.95-minimal.html
741 bytes View Download
Currently, there's an expectation that the embedder must call the events in the right order (the events come from the browser to the renderer, so we trust the browser to do the right thing).

This is basically "WAI".
Yes, this is WAI for browser/renderer. We guaranteed the order through a fix in EventSender (crrev.com/2148733003), will close the bug after the CL lands.

Project Member

Comment 14 by bugdroid1@chromium.org, Jul 14 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f2d3dd78f333c287f6fcb44738bcf399b7af8515

commit f2d3dd78f333c287f6fcb44738bcf399b7af8515
Author: mustaq <mustaq@chromium.org>
Date: Thu Jul 14 17:22:06 2016

Avoided rentry to EventSender::FinishDragAndDrop.

Avoided rentry to EventSender::FinishDragAndDrop to fix
a ClusterFuzz crash. The test uses an EventSender sequence
to drag from one div to another. The sequence ends with a
mouseup, but the drag target also fires a mouseup on
dragend. While the first mouseup was still processing a
drag-drop at EventSender::FinishDragAndDrop, the second
mouseup triggered another call to
EventSender::FinishDragAndDrop, causing a premature call
to WebViewImpl::dragTargetDragEnterOrOver with the crash.

See the bug for a minimal test case.

BUG= 627340 

Review-Url: https://codereview.chromium.org/2148733003
Cr-Commit-Position: refs/heads/master@{#405510}

[modify] https://crrev.com/f2d3dd78f333c287f6fcb44738bcf399b7af8515/components/test_runner/event_sender.cc

Labels: Hotlist-Input-Dev
Status: Fixed (was: Started)
Project Member

Comment 16 by ClusterFuzz, Jul 15 2016

ClusterFuzz has detected this issue as fixed in range 405500:405563.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5152501779398656

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN WRITE
Crash Address: 0x000000000038
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseUp
  test_runner::EventSender::PointerUp
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=268656:269696
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=405500:405563

Minimized Testcase (1.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96tqoUsMJLgKCpMd81eJYHGA-QcZEpl4h71EyRHNxPPj0VbxRn65pFSP1bYc8Bn27zGCUdZYV_qn9WDKzk-MGc3d6IY1kAnTooSXrkowfUeIQZO-qiWdCV5lceJo2BatOExCZ0oMGMwsd4jGQnC-ir3PTMddQ?testcase_id=5152501779398656

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 17 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment