Issue 628089

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Crash in blink::Range::checkExtractPrecondition

Project Member Reported by ClusterFuzz, Jul 14 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4951061051998208

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::Range::checkExtractPrecondition
  blink::Range::extractContents
  blink::RangeV8Internal::extractContentsMethodCallback
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=397991:398006

Minimized Testcase (3.84 Kb): https://cluster-fuzz.appspot.com/download/AMIfv947ptCvBAXuOLkHTfLnWG2IPrkDwtmkrNappdHgfTRWFF_vt45sdmaOP5t44kTL5EYZ466CG38Sd4S5UNrYHQKfoG4pyPry7YQqu9w_V_U8vmNLjjckU11lnLG96gtWKIeXHBws3SP-LXEXB44-3iGiWEADtQ?testcase_id=4951061051998208

Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: nyerramilli@chromium.org
Components: Tools>Test>FindIt>WrongResult
Labels: findit-wrong Te-Logged
Owner: yosin@chromium.org
Status: Assigned (was: Available)
Providing Findit results for internal purposes:

Suspected CLs: No CL in the regression range changes the crashed files. The result is the blame information.

Author: danakj
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/bda5037a1df2390c268493f608ca9b88b38ca715
Time: Thu Feb 25 10:22:52 2016
The CL last changed line 495 of file Node.h, which is stack frame 0.

Author: rob.buis@samsung.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8ecea682fb7551b0ba6599c04d3158f54f198ab0
Time: Mon Jan 27 16:43:08 2014
The CL last changed line 1229 of file Range.cpp, which is stack frame 1.

Author: kangil.han@samsung.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/300eac0a927c7e827b21158e8f3cc63f232aabd7
Time: Wed Aug 13 06:30:42 2014
The CL last changed line 714 of file Range.cpp, which is stack frame 2.

Suspected Project: chromium
Suspected Component: Blink>DOM

Using codesearch, I see some changes to range.cpp in
https://chromium.googlesource.com/chromium/src/+/a2deac124bc5d4f76bc277c5b712a536bf892feb

yosin@, could you please take a look at the issue and assign it to the concerned developer if your changes are not responsible?

Comment 2 by ClusterFuzz (Project Member), Aug 17 2016

Labels: Hotlist-SyzyASAN
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5645548898222080

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000003
Crash State:
  blink::Range::checkExtractPrecondition
  blink::Range::extractContents
  blink::Range::surroundContents
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=411953:411957

Minimized Testcase (3.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97AUPw54S5eAK2GA2Rk_1k_cICWAp90FU0EIf-Ja2NQ855tFk53c9wSZ72P1ZKc4ZUMtbb6uEGrqGAcMiv52zEY_NdCF-_Og5p4CmqZ8V-e5TS6-N-3eebCQxw_dh_rOIGysYtO1r4C_cXdd8X7A-I8vJEPdA?testcase_id=5645548898222080

Issue manually filed by: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 3 by ClusterFuzz (Project Member), Aug 20 2016

ClusterFuzz has detected this issue as fixed in range 413090:413122.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4951061051998208

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::Range::checkExtractPrecondition
  blink::Range::extractContents
  blink::RangeV8Internal::extractContentsMethodCallback
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=397991:398006
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=413090:413122

Minimized Testcase (3.84 Kb): https://cluster-fuzz.appspot.com/download/AMIfv947ptCvBAXuOLkHTfLnWG2IPrkDwtmkrNappdHgfTRWFF_vt45sdmaOP5t44kTL5EYZ466CG38Sd4S5UNrYHQKfoG4pyPry7YQqu9w_V_U8vmNLjjckU11lnLG96gtWKIeXHBws3SP-LXEXB44-3iGiWEADtQ?testcase_id=4951061051998208

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong
Components: Blink>Editing

Comment 6 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by yosin@chromium.org, Nov 28 2016

Status: Fixed (was: Assigned)
I could not reproduce on ToT and M54 Stable.

Comment 8 by ClusterFuzz (Project Member), Nov 28 2016

ClusterFuzz has detected this issue as fixed in range 413090:413122.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4951061051998208

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::Range::checkExtractPrecondition
  blink::Range::extractContents
  blink::RangeV8Internal::extractContentsMethodCallback
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=397991:398006
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=413090:413122

Minimized Testcase (3.84 Kb): https://cluster-fuzz.appspot.com/download/AMIfv947ptCvBAXuOLkHTfLnWG2IPrkDwtmkrNappdHgfTRWFF_vt45sdmaOP5t44kTL5EYZ466CG38Sd4S5UNrYHQKfoG4pyPry7YQqu9w_V_U8vmNLjjckU11lnLG96gtWKIeXHBws3SP-LXEXB44-3iGiWEADtQ?testcase_id=4951061051998208

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by tkent@chromium.org, Nov 29 2016

Status: WontFix (was: Fixed)
