
Issue 634483

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Crash in blink::Node::isChildOfV1ShadowHost

Project Member Reported by ClusterFuzz, Aug 4 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5996768129187840

Fuzzer: marcin_towalski_cm
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::isChildOfV1ShadowHost
  blink::FlatTreeTraversal::traverseSiblings
  blink::comparePositionsInFlatTree
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=402485:402738

Minimized Testcase (0.60 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97qmRLRTiDKehW7v23rs5hyXURIoaoVkOgHwBb6ctBXosaz7TixKCJ3jAHpP56hD0gWgmnhv36Gswj3BvJIOuflQXPYC8VH918xj451bavcXQVe-rFAtbP9qNZBwloziah21wgvPWThCJCuRqzCb35fizz0kA?testcase_id=5996768129187840
<script>nodes = new Array();
function run(){
 nodes[3] = document.getElementById("nod3"); 
 nodes[24] = document.getElementById("nod24"); 
 nodes[25] = document.getElementById("nod25"); 
 nodes[30] = document.getElementById("nod30"); 
 nodes[25].selectionEnd=1073741825; 
 document.execCommand('InsertText') 
 nodes[24].appendChild(nodes[25]) 
 nodes[3].appendChild(nodes[24]) 
 document.execCommand('undo') 
 document.execCommand('Italic') 
}
document.addEventListener("DOMContentLoaded", run);</script>
<table id="nod3" " ></table>
<slot id="nod24" " </slot>
<input id="nod25"</input>
<main id="nod30" " </main>


Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>DOM
Labels: findit-wrong Te-Logged M-53
Owner: hayato@chromium.org
Status: Assigned (was: Untriaged)

Author: hayato
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/fa296ea635357362e48bd203888ae44854d8e748
Time: Tue Jan 12 03:29:07 2016
The CL last changed line 982 of file Node.cpp, which is stack frame 5.

Author: hayato
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/fa296ea635357362e48bd203888ae44854d8e748
Time: Tue Jan 12 03:29:07 2016
The CL last changed line 988 of file Node.cpp, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>DOM

Comment 2 by sheriffbot@chromium.org, Aug 5 2016

Labels: -M-53 M-54 MovedFrom-53
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by hayato@chromium.org, Aug 10 2016

Status: Started (was: Assigned)

Comment 4 by hayato@chromium.org, Aug 10 2016

Cc: hayato@chromium.org
Components: -Blink>DOM Blink>Editing>Command
Owner: yosin@chromium.org
Status: Assigned (was: Started)
I chatted with yosin@ about this issue.

Comment 5 by ClusterFuzz, Aug 24 2016

ClusterFuzz has detected this issue as fixed in range 413688:413717.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5996768129187840

Fuzzer: marcin_towalski_cm
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::isChildOfV1ShadowHost
  blink::FlatTreeTraversal::traverseSiblings
  blink::comparePositionsInFlatTree
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=402485:402738
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=413688:413717

Minimized Testcase (0.60 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97qmRLRTiDKehW7v23rs5hyXURIoaoVkOgHwBb6ctBXosaz7TixKCJ3jAHpP56hD0gWgmnhv36Gswj3BvJIOuflQXPYC8VH918xj451bavcXQVe-rFAtbP9qNZBwloziah21wgvPWThCJCuRqzCb35fizz0kA?testcase_id=5996768129187840
<script>nodes = new Array();
function run(){
 nodes[3] = document.getElementById("nod3"); 
 nodes[24] = document.getElementById("nod24"); 
 nodes[25] = document.getElementById("nod25"); 
 nodes[30] = document.getElementById("nod30"); 
 nodes[25].selectionEnd=1073741825; 
 document.execCommand('InsertText') 
 nodes[24].appendChild(nodes[25]) 
 nodes[3].appendChild(nodes[24]) 
 document.execCommand('undo') 
 document.execCommand('Italic') 
}
document.addEventListener("DOMContentLoaded", run);</script>
<table id="nod3" " ></table>
<slot id="nod24" " </slot>
<input id="nod25"</input>
<main id="nod30" " </main>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 6 by ClusterFuzz, Aug 24 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: ClusterFuzz-Wrong
Status: Assigned (was: Verified)
Re-opening this issue, as ClusterFuzz has detected this crash again; the last tested version is 414128, against the above ClusterFuzz comment that reported it fixed in range 413688:413717.

Comment 8 by ClusterFuzz, Aug 25 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4994428584591360

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::isChildOfV1ShadowHost
  blink::FlatTreeTraversal::traverseSiblings
  blink::comparePositionsInFlatTree
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=402485:402738

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96vIqaKllCFOIzEndSuPFvfC0vvLafLEOvIbYTf9SfGJAAz5d5OsgxlGBEjKavKXXm8CGFqasQb_O0xqpKn0BnHU3s-Rg_9rMda5VpeR-AAwuIBikDV0H0adfsHHg3tWy-ftv5NQz-QArO8krcTmX8VAjJNAw?testcase_id=4994428584591360


Additional requirements: Requires Gestures

Issue manually filed by: durga.behera

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 9 by ClusterFuzz, Sep 10 2016

ClusterFuzz has detected this issue as fixed in range 415918:415934.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4994428584591360

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::isChildOfV1ShadowHost
  blink::FlatTreeTraversal::traverseSiblings
  blink::comparePositionsInFlatTree
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=402485:402738
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=415918:415934

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96vIqaKllCFOIzEndSuPFvfC0vvLafLEOvIbYTf9SfGJAAz5d5OsgxlGBEjKavKXXm8CGFqasQb_O0xqpKn0BnHU3s-Rg_9rMda5VpeR-AAwuIBikDV0H0adfsHHg3tWy-ftv5NQz-QArO8krcTmX8VAjJNAw?testcase_id=4994428584591360


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by ClusterFuzz, Sep 14 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6497063020003328

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000008
Crash State:
  blink::Node::isChildOfV1ShadowHost
  blink::FlatTreeTraversal::traverseSiblings
  blink::comparePositionsInFlatTree
  

Minimized Testcase (0.33 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95xQmLr-EXaVhUHBcPbhWQ3l9_dY4tzdPQ9EZtXwXYOGlQurM-Pp2H2Xxj5kXjpFT0u6_RVY1WYDdrrUsGdLl66VuZPa8DJTt7OmdK3kSEDWcFpgZBNvsDSLNsVy6dRnwTa9ueEtUCUFlQ7UUHJkm9YYubjGA?testcase_id=6497063020003328
<script>nodes = new Array();
function run(){
 nodes[3] = document.getElementById("nod3"); 
 nodes[24] = document.getElementById("nod24"); 
 nodes[3].appendChild(nodes[24]) 
}
document.addEventListener("DOMContentLoaded", run);</script> {
; <table "="" id="nod3"></table>
<slot id="nod24" "="" <="" slot="">
<input input="" <="" id="nod25">


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 11 by ClusterFuzz, Oct 18 2016

ClusterFuzz has detected this issue as fixed in range 425616:425627.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6497063020003328

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000008
Crash State:
  blink::Node::isChildOfV1ShadowHost
  blink::FlatTreeTraversal::traverseSiblings
  blink::comparePositionsInFlatTree
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=425616:425627

Minimized Testcase (0.33 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95xQmLr-EXaVhUHBcPbhWQ3l9_dY4tzdPQ9EZtXwXYOGlQurM-Pp2H2Xxj5kXjpFT0u6_RVY1WYDdrrUsGdLl66VuZPa8DJTt7OmdK3kSEDWcFpgZBNvsDSLNsVy6dRnwTa9ueEtUCUFlQ7UUHJkm9YYubjGA?testcase_id=6497063020003328
<script>nodes = new Array();
function run(){
 nodes[3] = document.getElementById("nod3"); 
 nodes[24] = document.getElementById("nod24"); 
 nodes[3].appendChild(nodes[24]) 
}
document.addEventListener("DOMContentLoaded", run);</script> {
; <table "="" id="nod3"></table>
<slot id="nod24" "="" <="" slot="">
<input input="" <="" id="nod25">


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 12 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 13 by yosin@chromium.org, Nov 28 2016

Status: Fixed (was: Assigned)

Comment 14 by tkent@chromium.org, Nov 28 2016

Status: WontFix (was: Fixed)
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on the ClusterFuzz side, so resetting the ClusterFuzz-Wrong label.