
Issue 634506 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug




Crash in blink::ShadowRoot::ensureSlotAssignment

Project Member Reported by ClusterFuzz, Aug 4 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5737745731551232

Fuzzer: inferno_twister
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000005f
Crash State:
  blink::ShadowRoot::ensureSlotAssignment
  blink::SlotAssignment::slotAdded
  blink::HTMLSlotElement::insertedInto
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=409588:409589

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94Wx0WsceEdzztXDpZ9gVRchiXhvtm39KAw-6TpLVoq21oYN3Bxiv1psFC6P4u_5MvKhrbAAq3FyNyf6DeuYrNB5RoOzdLwkuO5pNxKU3F2CKnKwBeretG1vIWvqwsbq_MKGZ0ug6DjbU3xdLhfKhyQff1TR76qpiqUVePwRhhRC_Q7_F8?testcase_id=5737745731551232


Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Tools>Test>FindIt>NoResult
Labels: M-54 Te-Logged
Owner: hayato@chromium.org
Status: Assigned (was: Untriaged)
Through code search on file ShadowRoot.cpp, suspected cl is 
https://chromium.googlesource.com/chromium/src/+/affcdceef73880b9b2d3b7a889e9da01bca26b8b

hayato@, could you please take a look?

Comment 2 by hayato@chromium.org, Aug 10 2016

Status: Started (was: Assigned)

Comment 3 by hayato@chromium.org, Aug 10 2016

Components: Blink>WebComponents

Comment 4 by bugdroid1@chromium.org, Aug 16 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b43d492d6fdd6c44cade1de7c976c402d440a665

commit b43d492d6fdd6c44cade1de7c976c402d440a665
Author: hayato <hayato@chromium.org>
Date: Tue Aug 16 07:17:42 2016

Fix a crash: SlotAssignment is unintentionally created for v0 shadow trees

HTMLSlotElement::insertedInto() creates SlotAssignment wrongly for a v0 shadow tree
because it does *not* check the type of the shadow root.

As a result, the entry for the slot would not be removed from the SlotAssignment
when the slot is removed from the shadow tree because HTMLSlotElement::removedFrom()
*does* check the type of the shadow root correctly.

This violates the assumption that a slot in an entry is always in a shadow root,
hits the DCHECK, and causes a crash in a release build.

This CL fixes this unintentional wrong behavior.

BUG=634506

Review-Url: https://codereview.chromium.org/2241193004
Cr-Commit-Position: refs/heads/master@{#412184}

[add] https://crrev.com/b43d492d6fdd6c44cade1de7c976c402d440a665/third_party/WebKit/LayoutTests/shadow-dom/crashes/slots-in-v0-crash.html
[modify] https://crrev.com/b43d492d6fdd6c44cade1de7c976c402d440a665/third_party/WebKit/Source/core/dom/shadow/SlotAssignment.cpp
[modify] https://crrev.com/b43d492d6fdd6c44cade1de7c976c402d440a665/third_party/WebKit/Source/core/html/HTMLSlotElement.cpp
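The commit message above describes an asymmetric register/unregister pair: insertedInto() registers a slot for any shadow root, while removedFrom() only unregisters when the root is v1, so a v0 root ends up holding a SlotAssignment entry for a slot that is no longer in any shadow tree. The following is an added illustration, not Blink's code: a simplified model that reproduces that invariant violation and shows the symmetric guard the fix adds. The type names mirror the ones in the commit message, but every body here is invented for the example, and the dangling-entry counter stands in for the DCHECK the message mentions.

```cpp
// Added example (not Blink's code): model of the SlotAssignment
// bookkeeping bug fixed in b43d492d. Names mirror the commit message;
// bodies are constructed for illustration.
#include <algorithm>
#include <cassert>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

enum class ShadowRootType { V0, V1 };

struct Slot;

// Registry of slots that live in a v1 shadow root. Invariant from the
// commit message: every slot held here is still inside a shadow root.
struct SlotAssignment {
    std::vector<Slot*> slots;
    void slotAdded(Slot* s) { slots.push_back(s); }
    void slotRemoved(Slot* s) {
        slots.erase(std::remove(slots.begin(), slots.end(), s), slots.end());
    }
};

struct ShadowRoot {
    ShadowRootType type;
    std::unique_ptr<SlotAssignment> assignment;  // created lazily
    bool isV1() const { return type == ShadowRootType::V1; }
    SlotAssignment& ensureSlotAssignment() {
        if (!assignment) assignment = std::make_unique<SlotAssignment>();
        return *assignment;
    }
};

struct Slot {
    ShadowRoot* root;  // nullptr once the slot has left the tree
    std::string name;
};

// Pre-fix behaviour: registers the slot regardless of shadow root type.
void insertedIntoBuggy(Slot& slot, ShadowRoot& root) {
    slot.root = &root;
    root.ensureSlotAssignment().slotAdded(&slot);  // no type check
}

// removedFrom() checks the type, so for a v0 root nothing is unregistered.
void removedFrom(Slot& slot, ShadowRoot& root) {
    if (root.isV1())
        root.ensureSlotAssignment().slotRemoved(&slot);
    slot.root = nullptr;
}

// Post-fix behaviour: the same guard on the registration side, so a v0
// root never acquires a SlotAssignment at all.
void insertedIntoFixed(Slot& slot, ShadowRoot& root) {
    slot.root = &root;
    if (root.isV1())
        root.ensureSlotAssignment().slotAdded(&slot);
}

// Stand-in for the DCHECK: count registered slots no longer in a tree.
int danglingEntries(const ShadowRoot& root) {
    if (!root.assignment) return 0;
    int n = 0;
    for (Slot* s : root.assignment->slots)
        if (s->root == nullptr) ++n;
    return n;
}

// Run one insert/remove cycle on a root of the given type and report the
// number of dangling entries left behind (0 means the invariant held).
int simulate(ShadowRootType type, bool fixed) {
    ShadowRoot root{type, nullptr};
    Slot slot{nullptr, "s"};
    if (fixed) insertedIntoFixed(slot, root);
    else       insertedIntoBuggy(slot, root);
    removedFrom(slot, root);
    return danglingEntries(root);
}

// Whether a root of the given type ends up owning a SlotAssignment.
bool acquiresAssignment(ShadowRootType type, bool fixed) {
    ShadowRoot root{type, nullptr};
    Slot slot{nullptr, "s"};
    if (fixed) insertedIntoFixed(slot, root);
    else       insertedIntoBuggy(slot, root);
    return root.assignment != nullptr;
}

int main() {
    std::printf("v0 buggy: %d dangling, v0 fixed: %d dangling\n",
                simulate(ShadowRootType::V0, false),
                simulate(ShadowRootType::V0, true));
    return 0;
}
```

The model makes the failure mode visible without any crash: with the pre-fix pair, a v0 root is left holding one entry whose slot has already been detached, which is exactly the state the commit's DCHECK guards against; with the guard mirrored on the insertion side, the v0 root never creates an assignment and the v1 path is unchanged.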

Comment 5 by hayato@chromium.org, Aug 17 2016

Status: Fixed (was: Started)
Components: -Tools>Test>FindIt>NoResult

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
