Crash in cc::Viewport::ScrollAnimated
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5048137714761728
Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x0000000000f0
Crash State:
  cc::Viewport::ScrollAnimated
  cc::LayerTreeHostImpl::ScrollAnimated
  ui::InputHandlerProxy::HandleGestureScrollUpdate
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=404886:404895
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv974zh71LdaFP9jedpRtKdC-QZpJWP97D2oqbDyVYnBdyvKJKeTYJLO8yFr9SMN-lO3TNbVWLFlX8nkvlYW2fKSM-dIDFKACxTKrEFDiJMtERo9viU0ba-a9KYD8vGsqqUx5Y1G7rZlHI_kqP5H9xIIZWvlLF61NFRdYPSeGX3gGiH12_4Q?testcase_id=5048137714761728
Additional requirements: Requires Gestures
Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 15 2016

ClusterFuzz has detected this issue as fixed in range 405613:405645.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5048137714761728
Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x0000000000f0
Crash State:
  cc::Viewport::ScrollAnimated
  cc::LayerTreeHostImpl::ScrollAnimated
  ui::InputHandlerProxy::HandleGestureScrollUpdate
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=404886:404895
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=405613:405645
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv974zh71LdaFP9jedpRtKdC-QZpJWP97D2oqbDyVYnBdyvKJKeTYJLO8yFr9SMN-lO3TNbVWLFlX8nkvlYW2fKSM-dIDFKACxTKrEFDiJMtERo9viU0ba-a9KYD8vGsqqUx5Y1G7rZlHI_kqP5H9xIIZWvlLF61NFRdYPSeGX3gGiH12_4Q?testcase_id=5048137714761728
Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 15 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5350807818207232
Fuzzer: bj_broddelwerk
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x0000000000f0
Crash State:
  cc::Viewport::ScrollAnimated
  cc::LayerTreeHostImpl::ScrollAnimated
  ui::InputHandlerProxy::HandleGestureScrollUpdate
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=405563:405613
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96n3hDWDKPPADjKi2TDlo64H6QTo3IhVin53mXVTEGTlXQ45CX-ujx2t2EwCwDlgnIc3VGsqJYdtA9xqf-Mq5YDz3ESF6Vz8DWZxN-1wPzhWFkvwvV_RfS5aLmaOh8iFi3TRp6-8U-R0sdLQ0-bYCTTwZILcJuVtyc-md_cLr1bD90weQo?testcase_id=5350807818207232
Additional requirements: Requires Gestures
Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 22 2016

I can also reproduce this crash with M52 and M53 on Windows (using an application based on the Content API) by running with the `--root-layer-scrolls` command-line flag and then scrolling to the bottom of an iframe using a trackpad scroll gesture. For example:

1. Run with the `--root-layer-scrolls` command-line flag
2. Load http://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframe
3. Scroll to the bottom of the iframe using a trackpad scroll gesture
4. Get the following crash:

Exception thrown: read access violation. this was nullptr.

  > libcef.dll!cc::LayerImpl::scroll_tree_index() Line 128 C++
    libcef.dll!cc::Viewport::ScrollAnimated(const gfx::Vector2dF & delta) Line 93 C++
    libcef.dll!cc::LayerTreeHostImpl::ScrollAnimated(const gfx::Point & viewport_point, const gfx::Vector2dF & scroll_delta) Line 2837 C++
    libcef.dll!ui::InputHandlerProxy::HandleGestureScrollUpdate(const blink::WebGestureEvent & gesture_event) Line 664 C++
    libcef.dll!ui::InputHandlerProxy::HandleInputEvent(const blink::WebInputEvent & event) Line 299 C++
    libcef.dll!ui::InputHandlerProxy::HandleInputEventWithLatencyInfo(const blink::WebInputEvent & event, ui::LatencyInfo * latency_info) Line 279 C++
    libcef.dll!content::InputHandlerManager::HandleInputEvent(int routing_id, const blink::WebInputEvent * input_event, ui::LatencyInfo * latency_info) Line 259 C++
    libcef.dll!base::internal::RunnableAdapter<enum content::InputEventAckState (__thiscall content::InputHandlerManager::*)(int,blink::WebInputEvent const *,ui::LatencyInfo *)>::Run<content::InputHandlerManager *,int,blink::WebInputEvent const *,ui::LatencyInfo *>(content::InputHandlerManager * && receiver_ptr, int && <args_0>, const blink::WebInputEvent * && <args_1>, ui::LatencyInfo * && <args_2>) Line 186 C++
    libcef.dll!base::internal::InvokeHelper<0,enum content::InputEventAckState,base::internal::RunnableAdapter<enum content::InputEventAckState (__thiscall content::InputHandlerManager::*)(int,blink::WebInputEvent const *,ui::LatencyInfo *)> >::MakeItSo<content::InputHandlerManager *,int,blink::WebInputEvent const *,ui::LatencyInfo *>(base::internal::RunnableAdapter<enum content::InputEventAckState (__thiscall content::InputHandlerManager::*)(int,blink::WebInputEvent const *,ui::LatencyInfo *)> runnable, content::InputHandlerManager * && <args_0>, int && <args_1>, const blink::WebInputEvent * && <args_2>, ui::LatencyInfo * && <args_3>) Line 304 C++
    libcef.dll!base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<enum content::InputEventAckState (__thiscall content::InputHandlerManager::*)(int,blink::WebInputEvent const *,ui::LatencyInfo *)>,enum content::InputEventAckState __cdecl(content::InputHandlerManager *,int,blink::WebInputEvent const *,ui::LatencyInfo *),base::internal::UnretainedWrapper<content::InputHandlerManager> >,base::internal::InvokeHelper<0,enum content::InputEventAckState,base::internal::RunnableAdapter<enum content::InputEventAckState (__thiscall content::InputHandlerManager::*)(int,blink::WebInputEvent const *,ui::LatencyInfo *)> >,enum content::InputEventAckState __cdecl(int,blink::WebInputEvent const *,ui::LatencyInfo *)>::Run(base::internal::BindStateBase * base, int && <unbound_args_0>, const blink::WebInputEvent * && <unbound_args_1>, ui::LatencyInfo * && <unbound_args_2>) Line 362 C++
    libcef.dll!base::Callback<enum content::InputEventAckState __cdecl(int,blink::WebInputEvent const *,ui::LatencyInfo *),1>::Run(int <args_0>, const blink::WebInputEvent * <args_1>, ui::LatencyInfo * <args_2>) Line 397 C++
    libcef.dll!content::InputEventFilter::ForwardToHandler(const IPC::Message & message) Line 193 C++
    libcef.dll!base::internal::RunnableAdapter<void (__thiscall content::InputEventFilter::*)(IPC::Message const &)>::Run<scoped_refptr<content::InputEventFilter> const &,IPC::Message const &>(const scoped_refptr<content::InputEventFilter> & receiver_ptr, const IPC::Message & <args_0>) Line 186 C++
    libcef.dll!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__thiscall content::InputEventFilter::*)(IPC::Message const &)> >::MakeItSo<scoped_refptr<content::InputEventFilter> const &,IPC::Message const &>(base::internal::RunnableAdapter<void (__thiscall content::InputEventFilter::*)(IPC::Message const &)> runnable, const scoped_refptr<content::InputEventFilter> & <args_0>, const IPC::Message & <args_1>) Line 312 C++
    libcef.dll!base::internal::Invoker<base::IndexSequence<0,1>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall content::InputEventFilter::*)(IPC::Message const &)>,void __cdecl(content::InputEventFilter *,IPC::Message const &),content::InputEventFilter * const,IPC::Message const &>,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__thiscall content::InputEventFilter::*)(IPC::Message const &)> >,void __cdecl(void)>::Run(base::internal::BindStateBase * base) Line 362 C++
    libcef.dll!base::Callback<void __cdecl(void),1>::Run() Line 397 C++
    libcef.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, const base::PendingTask & pending_task) Line 53 C++
    libcef.dll!base::MessageLoop::RunTask(const base::PendingTask & pending_task) Line 473 C++
    libcef.dll!base::MessageLoop::DeferOrRunPendingTask(const base::PendingTask & pending_task) Line 484 C++
    libcef.dll!base::MessageLoop::DoWork() Line 598 C++
    libcef.dll!base::MessagePumpDefault::Run(base::MessagePump::Delegate * delegate) Line 33 C++
    libcef.dll!base::MessageLoop::RunHandler() Line 436 C++
    libcef.dll!base::RunLoop::Run() Line 36 C++
    libcef.dll!base::MessageLoop::Run() Line 289 C++
    libcef.dll!base::Thread::Run(base::MessageLoop * message_loop) Line 203 C++
    libcef.dll!base::Thread::ThreadMain() Line 254 C++
    libcef.dll!base::`anonymous namespace'::ThreadFunc(void * params) Line 84 C++
    [External Code]
Aug 22 2016

CC'ing some people working on RLS.
Aug 22 2016

@comment#4: Appears to be fixed in 54.0.2836.1 canary SyzyASan, probably due to https://chromium.googlesource.com/chromium/src/+/64008c4c193242d6c19a773583e4c531d6d717f9
Aug 22 2016

Maybe an error in the BUG= line for the above commit? This is issue #628015 and the above commit lists issue #628125.
Aug 22 2016

No, the BUG= line is correct but the issues share the underlying cause so this probably deserves to be dup'd.
Sep 27 2016

Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Jul 13 2016
Status: Assigned (was: Available)