Crash in blink::LocalFrame::document
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5879802211074048
Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000170
Crash State:
  blink::LocalFrame::document
  blink::Worklet::Worklet
  blink::AnimationWorklet::create
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=409223:409458
Minimized Testcase (1.85 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95vHJcblFtiKC5q5aPrh3l4Xn5RQHF4v42MKvAukt0zhpQQWd_1QqmJs01kO8p_NcT1AczDEtKTbj-HlXKM8SUkrV9I6GUg7uAP3d0a2arNz1WDs3SSVrYt_FPW6z5wgAOm6Z2ZELV3mpkN71FE5f24BZSvIA?testcase_id=5879802211074048
Filer: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment, Aug 5 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4f70f4aa155228044960e6521266c22e9f4e5539

commit 4f70f4aa155228044960e6521266c22e9f4e5539
Author: glebl <glebl@chromium.org>
Date: Fri Aug 05 02:51:47 2016

Check that the local frame is not null before instantiating AnimationWorklet.

This patch fixes the crash in blink::LocalFrame::document.
See https://cluster-fuzz.appspot.com/testcase?key=5879802211074048 for more details.
This is similar to what we already do in WindowPaintWorklet::paintWorklet.

BUG=567358, 634253

Review-Url: https://codereview.chromium.org/2212003002
Cr-Commit-Position: refs/heads/master@{#409973}

[modify] https://crrev.com/4f70f4aa155228044960e6521266c22e9f4e5539/third_party/WebKit/Source/modules/compositorworker/WindowAnimationWorklet.cpp
Comment, Aug 5 2016

ClusterFuzz has detected this issue as fixed in range 409937:409973.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5879802211074048
Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000170
Crash State:
  blink::LocalFrame::document
  blink::Worklet::Worklet
  blink::AnimationWorklet::create
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=409223:409458
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=409937:409973
Minimized Testcase (1.85 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95vHJcblFtiKC5q5aPrh3l4Xn5RQHF4v42MKvAukt0zhpQQWd_1QqmJs01kO8p_NcT1AczDEtKTbj-HlXKM8SUkrV9I6GUg7uAP3d0a2arNz1WDs3SSVrYt_FPW6z5wgAOm6Z2ZELV3mpkN71FE5f24BZSvIA?testcase_id=5879802211074048

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment, Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by ranjitkan@chromium.org, Aug 4 2016

Components: Tools>Test>FindIt>CorrectResult
Labels: -Type-Bug M-54 Findit-for-crash Te-Logged Type-Bug-Regression
Owner: glebl@chromium.org
Status: Assigned (was: Untriaged)