[ASSERT] (isStyleElement(ownerNode()) && m_contents->isCacheableForStyleElement()) || m_c
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6685318864699392
Fuzzer: attekett_dom_fuzzer
Job Type: linux_debug_chrome
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
  (isStyleElement(ownerNode()) && m_contents->isCacheableForStyleElement()) || m_c
  blink::CSSStyleSheet::willMutateRules
  blink::CSSStyleSheet::RuleMutationScope::RuleMutationScope
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=409458:409520
Minimized Testcase (0.31 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97NkYt_Vil5JpLOx3HHIYZJuJNIYjRBnNNxtvbrAKzL4_qo-be9QI_pJbPOT6UmUye1q0vVHWyBBaovGtjAsxoRR7oclTtvjyaMgq_qswBRAtEZvAhSCVb_xTxVGYpgavc_EVfiU0yq5ZGYH4AkZjwf_N-HPA?testcase_id=6685318864699392

  <style id="style1"> @media all { .test { color: green;</style>
  <script>
  var styleSheet0 = document.styleSheets[0];
  var test0=document.getElementById("style1")
  var test1=test0.appendChild(document.createElement("img"))
  styleSheet0.insertRule('select,wbr{fieldset:enabled.enabled; }');
  </script>

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 8 2016

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d70bbabbe7641c768c9c2667658b6e85a4accb09

commit d70bbabbe7641c768c9c2667658b6e85a4accb09
Author: rune <rune@opera.com>
Date: Mon Aug 08 05:30:38 2016

Cached style element sheets may not have an owner node.

The assert for cacheability of shared StyleSheetContents required the ownerNode to be a non-null style element. Referring to and modifying a stylesheet is however possible after the style element has been removed and the ownerNode set to null. Change the assert to just check for the two types of cacheability.

This was not triggered by stylesheets not having @media rules since the cacheability of linked resources would be true and made the assert true.

Also, made the ASSERT a DCHECK along with the other ASSERTs in the modified file.

R=meade@chromium.org
BUG= 635022

Review-Url: https://codereview.chromium.org/2220863002
Cr-Commit-Position: refs/heads/master@{#410305}

[add] https://crrev.com/d70bbabbe7641c768c9c2667658b6e85a4accb09/third_party/WebKit/LayoutTests/fast/css/modify-cached-detached-sheet-3.html
[modify] https://crrev.com/d70bbabbe7641c768c9c2667658b6e85a4accb09/third_party/WebKit/Source/core/css/CSSStyleSheet.cpp
Aug 9 2016

ClusterFuzz has detected this issue as fixed in range 410304:410309.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6685318864699392
Fuzzer: attekett_dom_fuzzer
Job Type: linux_debug_chrome
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
  (isStyleElement(ownerNode()) && m_contents->isCacheableForStyleElement()) || m_c
  blink::CSSStyleSheet::willMutateRules
  blink::CSSStyleSheet::RuleMutationScope::RuleMutationScope
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=409458:409520
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=410304:410309
Minimized Testcase (0.31 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97NkYt_Vil5JpLOx3HHIYZJuJNIYjRBnNNxtvbrAKzL4_qo-be9QI_pJbPOT6UmUye1q0vVHWyBBaovGtjAsxoRR7oclTtvjyaMgq_qswBRAtEZvAhSCVb_xTxVGYpgavc_EVfiU0yq5ZGYH4AkZjwf_N-HPA?testcase_id=6685318864699392
(Testcase is the same as in the issue description above.)

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Aug 5 2016

Components: Blink>CSS
Labels: M-54 Te-Logged
Owner: haraken@chromium.org
Status: Assigned (was: Untriaged)