Issue metadata
Crash in blink::getPropertyNameString
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4892616789590016
Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000397
Crash State:
  blink::getPropertyNameString
  blink::InlineStylePropertyMap::getProperties
  blink::StylePropertyMapV8Internal::getPropertiesMethod
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=407460:407477
Minimized Testcase (2.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96D1B6rrWAfFCLBWoa6JBuLxVEMIR7tdWnXw69LyMxjkmrXrNbxxqfgOheSMglfomB3Qp3W3HQANaNY7QkAyH6KlmKl5S4XA3u2HHeb1ET5RNuId6HaSw-3M59X5BSzNWB8PUDLi-jX6ct7k6Km64G9wpBXMA?testcase_id=4892616789590016
Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 4 2016
Looks like a style bug?
Aug 9 2016
Issue 634410 has been merged into this issue.
Aug 10 2016
634410 is a security bug, adding flags.
Aug 10 2016
This looks like a nullptr crash to me? Crash Address: 0x00000397
Aug 10 2016
See repro in https://bugs.chromium.org/p/chromium/issues/detail?id=634410. Maybe the duplication is wrong, but stack looked similar to timloh@.
Aug 10 2016
Ouch that's pretty bad, needs to be fixed faster than a P2 then. Also that crazy CF test case probably needs to be reduced. timloh@, meade@ would one of you take this on? :)
Aug 10 2016
meade@ has a patch up: https://codereview.chromium.org/2227503002/
Aug 10 2016
Yep, on the commit queue now :)
Aug 10 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/05df3156828407c7a51f8af78d4ba27764435114

commit 05df3156828407c7a51f8af78d4ba27764435114
Author: meade <meade@chromium.org>
Date: Wed Aug 10 08:55:31 2016

    Allow use of @apply and custom properties in InlineStylePropertyMap::getProperties()

    BUG=631368

    Review-Url: https://codereview.chromium.org/2227503002
    Cr-Commit-Position: refs/heads/master@{#411011}

[modify] https://crrev.com/05df3156828407c7a51f8af78d4ba27764435114/third_party/WebKit/LayoutTests/typedcssom/inlinestyle/inlineStylePropertyMap_getProperties.html
[modify] https://crrev.com/05df3156828407c7a51f8af78d4ba27764435114/third_party/WebKit/Source/core/css/cssom/InlineStylePropertyMap.cpp
Aug 10 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 10 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 17 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rnimmagadda@chromium.org, Jul 26 2016
Labels: -Pri-1 -Type-Bug M-54 findit-wrong Te-Logged Pri-2 Type-Bug-Regression
Owner: esprehn@chromium.org
Status: Assigned (was: Untriaged)