
Issue 631367

Issue metadata

Status: Verified
Owner: ----
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression

[shadowdom] Crash in blink::Node::layoutBox

Project Member Reported by ClusterFuzz, Jul 26 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5377263113863168

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::layoutBox
  blink::LayoutSlider::layout
  blink::LayoutBlockFlow::layoutInlineChildren
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=283013:284047

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97g9e05emwPlGRgKvZRldSkkZQ7Swsa2LHNTKO6twsOuPTmcug-9zQA7HgYOc0UCPoZXRJeU25HgkQx9SHpx8crhH2Y8005dAk04Xk8Lecyel7eaMnG7SGJFhCeO2PRVPLbi4wBcOEDu2IiZkaBU9Cv56Y9RQ?testcase_id=5377263113863168
<input type="range"</script>
<script>
    function mutate(elt)
    {
        elt.firstChild.textContent = 'goodbye';
    }
    var shadowRoot = internals.shadowRoot(document.querySelector('input'));
    mutate(shadowRoot.firstChild);
</script>


Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>Layout Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug M-54 Findit-for-crash Te-Logged Pri-2 Type-Bug-Regression
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
Suspecting:

Author: dsinclair@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/f5ea6de097cb98ed2d92b2b5a70ffbde56991dee
Time: Tue Feb 24 17:59:27 2015
The CL last changed line 70 of file LayoutSlider.cpp, which is stack frame 4.

@dsinclair: Could you please look into this issue.

Thank you.
Cc: e...@chromium.org
Components: -Tools>Test>FindIt>CorrectResult Tools>Test>FindIt>WrongResult
Owner: rnimmagadda@chromium.org
That CL is a rename-only CL with no functional changes.
Labels: Needs-triage
Unable to find the exact culprit. 

Could someone from the Dev team please look into this issue.

Thank you.
Cc: rnimmagadda@chromium.org
Owner: ----
Status: Untriaged (was: Assigned)

Comment 5 by e...@chromium.org, Jul 28 2016

Labels: Hotlist-GoodFirstBug
Status: Available (was: Untriaged)
Summary: [shadowdom] Crash in blink::Node::layoutBox (was: Crash in blink::Node::layoutBox)
Components: Blink>DOM
Labels: Test-Layout
Owner: rnep...@chromium.org
Status: Assigned (was: Available)
From findit tool:

Author: mjs@apple.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/554c7634cddfec7925865257d362fa718c34ac3a
Time: Thu May 06 22:41:15 2010
The CL last changed line 715 of file Node.h, which is stack frame 0.

Author: eae@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6a5c28eb68ffad0155a7b86e5394aa10ca6af96a
Time: Thu Dec 06 21:41:27 2012
The CL last changed line 745 of file Node.h, which is stack frame 1.

Author: rnephew
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/cbe9a86098dfc52db1f5a910696a28473a1a54de
Time: Fri Jun 24 17:42:05 2016
The CL last changed line 489 of file Node.h, which is stack frame 2.

Author: dsinclair@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ee2b344b0b5773d396f7aa7deca9200e96c940ec
Time: Thu Apr 30 19:31:22 2015
The CL last changed line 635 of file Node.cpp, which is stack frame 3.

Author: dsinclair@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/f5ea6de097cb98ed2d92b2b5a70ffbde56991dee
Time: Tue Feb 24 17:59:27 2015
The CL last changed line 70 of file LayoutSlider.cpp, which is stack frame 4.

Author: dsinclair@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8c100aa6fafc0738675c73b79788b6d8163fb0ce
Time: Fri Feb 06 00:05:44 2015
The CL last changed line 901 of file LayoutObject.h, which is stack frame 5.

Author: mstensho
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/b56f9c5e4843967306e2fa249d7228394b3de930
Time: Fri Apr 29 21:26:48 2016
The CL last changed line 1588 of file LayoutBlockFlowLine.cpp, which is stack frame 6.

Suspected Project: chromium-blink
Suspected Component: Blink>DOM

rnephew@, could you please take a look and reassign if it is not related to your changes.
Labels: -Needs-triage
Owner: ----
Status: Available (was: Assigned)
That change was just me sheriffing and reverting a CL that broke a perf test. It seems unlikely that reverting a CL would cause a new issue that wasn't present before that CL landed.

I'm not sure who to reassign this to.
Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong

Comment 10 Deleted

Project Member Comment 11 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member Comment 12 by ClusterFuzz, Mar 9 2017

ClusterFuzz has detected this issue as fixed in range 455091:455394.

Detailed report: https://clusterfuzz.com/testcase?key=5377263113863168

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::layoutBox
  blink::LayoutSlider::layout
  blink::LayoutBlockFlow::layoutInlineChildren
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=283013:284047
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=455091:455394

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97g9e05emwPlGRgKvZRldSkkZQ7Swsa2LHNTKO6twsOuPTmcug-9zQA7HgYOc0UCPoZXRJeU25HgkQx9SHpx8crhH2Y8005dAk04Xk8Lecyel7eaMnG7SGJFhCeO2PRVPLbi4wBcOEDu2IiZkaBU9Cv56Y9RQ?testcase_id=5377263113863168


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member Comment 13 by ClusterFuzz, Mar 9 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 5377263113863168 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
