node.canParticipateInFlatTree() in FlatTreeTraversal.h
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6562935031988224

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  node.canParticipateInFlatTree() in FlatTreeTraversal.h
  blink::FlatTreeTraversal::assertPrecondition
  blink::FlatTreeTraversal::parent

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=402485:402737

Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94BCy3leQmeVmPHGvocNP1nmzu1c4XsBD9xa_xAYrqrV3vPDHXXeMgXgpUS4O3uuE9yKI4HfJLsNky5okLAYPDN_Hf4ZMWyCNCnalKWv107HaEjevYEV6SpPx6dhDpOgya7KVJeQjFpz0VbaayMNi21_7Igng?testcase_id=6562935031988224

<script>
tCF18 = document.createElementNS("http://www.w3.org/1999/xhtml", "slot");
tCF18.setAttribute("dir", "auto");
</script>

Filer: kavvaru

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 12 2016
Moving this nonessential bug to the next milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 19 2016
Jul 21 2016
eae@, was there a particular reason this was triaged to loading? Adding some common Shadow DOM components for further triage. Hopefully repro is easy, looks like two lines of JS. I'm building an asan content_shell now to hopefully repro on TOT. Will update if it repros.
Jul 21 2016
Never mind, it crashes even on a TOT release build with DCHECKs always on :)
Jul 21 2016
hayato@, do you mind taking a look at this one? I'm unfamiliar with the slot element, and Shadow DOM in general.
FYI for the future, in case it stops being reproducible: this crashed content_shell with DCHECK_ALWAYS_ON, synced to #406848, by navigating to:
data:text/html;charset=utf-8,<script>tCF18 = document.createElementNS("http://www.w3.org/1999/xhtml", "slot"); tCF18.setAttribute("dir", "auto");;</script>
Jul 22 2016
Jul 22 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c75de11273c24c2a26738c5298074dac079b1016

commit c75de11273c24c2a26738c5298074dac079b1016
Author: hayato <hayato@chromium.org>
Date: Fri Jul 22 09:12:36 2016

Fix a crash caused by changing dir attribute of a slot element

HTMLElement::dirAttributeChanged() calls FlatTreeTraversal::parent(*this) unconditionally. Since Blink does not support "slots in a flat tree", we should return early here for a slot element.

BUG=627385
Review-Url: https://codereview.chromium.org/2172133002
Cr-Commit-Position: refs/heads/master@{#407108}

[add] https://crrev.com/c75de11273c24c2a26738c5298074dac079b1016/third_party/WebKit/LayoutTests/shadow-dom/crashes/slot-dir-attribute-crash.html
[modify] https://crrev.com/c75de11273c24c2a26738c5298074dac079b1016/third_party/WebKit/Source/core/html/HTMLElement.cpp
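The pattern behind the fix above, as an added C++ model that is not Blink's code: Node, FlatTreeTraversal and the two dirAttributeChanged variants are assumptions written for illustration, with the DCHECK replaced by a counter so the precondition violation from the report can be observed in a test rather than aborting the process.

```cpp
// Added model of the bug and its fix, not Blink's code: names mirror the report, bodies are assumed.
#include <string>
struct Node {
    std::string tag;             // "div", "slot", ...
    Node* parentNode = nullptr;  // DOM-tree parent
    bool dirRecomputed = false;  // set once dir="auto" handling has run
    bool isSlot() const { return tag == "slot"; }
    // Assumption: a slot is not a flat-tree participant; this is the precondition
    // the CHECK in FlatTreeTraversal.h enforces.
    bool canParticipateInFlatTree() const { return !isSlot(); }
};

// Stand-in for FlatTreeTraversal::parent(). In Blink the precondition is a DCHECK
// that aborts the process; here a violation is counted so a test can observe it.
struct FlatTreeTraversal {
    static int preconditionFailures;
    static Node* parent(const Node& node) {
        if (!node.canParticipateInFlatTree()) {
            ++preconditionFailures;  // the crash in the report happens here
            return nullptr;
        }
        return node.parentNode;
    }
};
int FlatTreeTraversal::preconditionFailures = 0;

// Before the fix: the traversal runs for every element, slots included.
void dirAttributeChangedBuggy(Node& el) {
    FlatTreeTraversal::parent(el);  // result unused in this model
    el.dirRecomputed = true;
}

// After the fix, as the commit message describes it: return early for a slot.
void dirAttributeChangedFixed(Node& el) {
    if (el.isSlot())
        return;
    FlatTreeTraversal::parent(el);
    el.dirRecomputed = true;
}

// Replays the minimized test case (an element receiving dir="auto") against one handler;
// returns the number of precondition failures and reports whether dir handling ran.
int replayTestcase(void (*handler)(Node&), const std::string& tag, bool* recomputed) {
    FlatTreeTraversal::preconditionFailures = 0;
    Node root{"body"};
    Node el{tag, &root};
    handler(el);
    if (recomputed) *recomputed = el.dirRecomputed;
    return FlatTreeTraversal::preconditionFailures;
}
```

The third check matters as much as the first two: the early return must skip only slots, so an ordinary element with dir="auto" still gets its directionality recomputed.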
Jul 22 2016
Jul 22 2016
Thank you for the prompt fix :)
Jul 23 2016
ClusterFuzz has detected this issue as fixed in range 406809:407197.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6562935031988224

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  node.canParticipateInFlatTree() in FlatTreeTraversal.h
  blink::FlatTreeTraversal::assertPrecondition
  blink::FlatTreeTraversal::parent

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=402485:402737
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=406809:407197

Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94BCy3leQmeVmPHGvocNP1nmzu1c4XsBD9xa_xAYrqrV3vPDHXXeMgXgpUS4O3uuE9yKI4HfJLsNky5okLAYPDN_Hf4ZMWyCNCnalKWv107HaEjevYEV6SpPx6dhDpOgya7KVJeQjFpz0VbaayMNi21_7Igng?testcase_id=6562935031988224

<script>
tCF18 = document.createElementNS("http://www.w3.org/1999/xhtml", "slot");
tCF18.setAttribute("dir", "auto");
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kavvaru@chromium.org, Jul 12 2016
Labels: Te-Logged M-53
Owner: szager@chromium.org
Status: Assigned (was: Available)