New issue
Advanced search Search tips

Issue 633530 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Jan 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug



Sign in to add a comment

Crash in WTF::RefPtr<WTF::StringImpl>::operator=

Project Member Reported by ClusterFuzz, Aug 2 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4783166500110336

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000000f
Crash State:
  WTF::RefPtr<WTF::StringImpl>::operator=
  blink::DataTransfer::setDestinationOperation
  blink::EventHandler::dragSourceEndedAt
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=409094:409122

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96ML_O2Z1ijMNy3UPvW3Z9oF-5PtAtxJHkl8Po-w1fPrL6S2E0PY6G1KgvYlYbT2xJZARDWTT52E7gWCdLKKe9we92orhR6-1HWylKtVS5HAUJjNI5d9BdcjjDaoSv4eLHBPyf2seNaXlQBCPq-z0AVkuOXiw?testcase_id=4783166500110336


Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: nyerramilli@chromium.org
Components: Tools>Test>FindIt>WrongResult
Labels: findit-wrong Te-Logged
Owner: dcheng@chromium.org
Status: Assigned (was: Untriaged)
providing Findit results for internal purpose:

Suspected CLs	No CL in the regression range changes the crashed files. The result is the blame information.

Author: lukasza
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/335bb76db170d76ba46fa003a8838255a5d46187
Time: Fri Apr 22 16:44:03 2016
The CL last changed line 2683 of file event_sender.cc, which is stack frame 6.

Suspected Project: chromium

using code search, seeing some changes to EventHandler.cpp in
https://chromium.googlesource.com/chromium/src/+/c6dbdbb5994554bcb90de049a61a1ae1c73d13cd

dcheng @, Could you please check the above issue & help us in finding an owner it its not yours.
Project Member

Comment 2 by ClusterFuzz, Aug 11 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5797667043278848

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000000f
Crash State:
  WTF::RefPtr<WTF::StringImpl>::operator=
  blink::DataTransfer::setDestinationOperation
  blink::EventHandler::dragSourceEndedAt
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=411291:411299

Minimized Testcase (0.50 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95Kb-0lym-p6GUJzLT6EiVGCTuGXB_kjwMLwZz4D_KLmRn8zFE5Ht6k0ZjQ146brEcvF07KpRdln11zImin0VCB_MEsTiy45Zq861xCEy1ghMGX13wJrv10r_1NX0QKSQN6_SqZQh3IaG-hoMIiPf_IM57GMw?testcase_id=5797667043278848
<script>
eventSender.beginDragWithFiles(['resources']);
window.onload = function() {
  if (!window.testRunner)
    return;
    __f_2();
  
}
function __f_2() {
  var __v_3 = document.getElementById("link").offsetLeft;
  var __v_2 = document.getElementById("link").offsetTop;
  eventSender.mouseMoveTo(__v_3, __v_2);
  eventSender.mouseDown();
  eventSender.mouseMoveTo(__v_3, __v_2 + 1);
  eventSender.mouseUp();
}
</script>
 <a href="reset-drag-on-mouse-down.html?second" id="link">
    test link


Issue manually filed by: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 3 by dcheng@chromium.org, Sep 15 2016

I haven't looked in detail, but I think this is another one of the "start a drag while you're dragging" bugs.
Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 6 by ClusterFuzz, Jan 18 2017

ClusterFuzz has detected this issue as fixed in range 443972:443977.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5797667043278848

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000000f
Crash State:
  WTF::RefPtr<WTF::StringImpl>::operator=
  blink::DataTransfer::setDestinationOperation
  blink::EventHandler::dragSourceEndedAt
  
Memory Tool: SYZYASAN

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=411291:411299
Fixed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=443972:443977

Minimized Testcase (0.50 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95Kb-0lym-p6GUJzLT6EiVGCTuGXB_kjwMLwZz4D_KLmRn8zFE5Ht6k0ZjQ146brEcvF07KpRdln11zImin0VCB_MEsTiy45Zq861xCEy1ghMGX13wJrv10r_1NX0QKSQN6_SqZQh3IaG-hoMIiPf_IM57GMw?testcase_id=5797667043278848
<script>
eventSender.beginDragWithFiles(['resources']);
window.onload = function() {
  if (!window.testRunner)
    return;
    __f_2();
  
}
function __f_2() {
  var __v_3 = document.getElementById("link").offsetLeft;
  var __v_2 = document.getElementById("link").offsetTop;
  eventSender.mouseMoveTo(__v_3, __v_2);
  eventSender.mouseDown();
  eventSender.mouseMoveTo(__v_3, __v_2 + 1);
  eventSender.mouseUp();
}
</script>
 <a href="reset-drag-on-mouse-down.html?second" id="link">
    test link


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Jan 30 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5797667043278848 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment