Direct-leak in blink::InvalidationSet& blink::ensureInvalidationSet<WTF::HashMap<blink::CSSSele
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5446283219435520
Fuzzer: tokenfuzz_pdf_curated
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: Direct-leak
Crash Address:
Crash State:
  blink::InvalidationSet& blink::ensureInvalidationSet<WTF::HashMap<blink::CSSSele
  blink::RuleFeatureSet::add
  blink::StyleResolver::collectFeatures
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94DUppnZRjn0bcwe4erJowMFLwdTGLmbh9xt5g6CvJmkT_M422TLp7RmPHi2vXjOJAZ-CGBLsuU3gzVwkyfyvjvVl4rD0WGNBvAjq6L1xkgcnWrRuOIACUcEFHcBkeQBA0FEmKdWPQQX9YXA7Uv5Gx7khLWzXGl-Z5hm6zyNV5a6gkSZJc?testcase_id=5446283219435520
Additional requirements: Requires Gestures
Issue manually filed by: alancutter

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 24 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5489596823764992
Fuzzer: attekett_dom_fuzzer
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: Direct-leak
Crash Address:
Crash State:
  blink::InvalidationSet& blink::ensureInvalidationSet<WTF::HashMap<blink::CSSSele
  blink::RuleFeatureSet::invalidationSetForSelector
  blink::RuleFeatureSet::extractInvalidationSetFeatures
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94Tx8gn7w4ScD-am-BpHiXGw9_Zqho5VawMVTjaREtL1c30zCTAAMQxr2mDWVr0fIMKyeQoOBWie7N7EDuV4ETPJBTEp15tqQKsw34ghVnBUFZ74bG1r-By_gbK2n0IqvZMVT6S3TXshq1782h2ktKjjKv14QGZJCH0dX_e1BS5NJTmvjM?testcase_id=5489596823764992
Additional requirements: Requires Gestures
Issue manually filed by: alancutter

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 24 2016
Can confirm that I don't see a green square with the test case attached in Comment 2.
Aug 30 2016
Sep 1 2016
If I leave the test case from #2 open, I observe the following crash:

Received signal 11 SEGV_ACCERR 201d2a8f4000
#0 0x7facba396697 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#1 0x7facb7eb4330 <unknown>
#2 0x7facbc0b46d0 blink::TraceTrait<>::trace<>()
#3 0x7facb9f89f09 blink::ThreadHeap::processMarkingStack()
#4 0x7facb9f894be blink::ThreadHeap::collectGarbage()
#5 0x7facb9f8d3d5 blink::NormalPageArena::outOfLineAllocate()
#6 0x7facbc3a5399 blink::ThreadHeap::allocate<>()
#7 0x7facbc3a324e blink::RuleSet::findBestRuleSetAndAdd()
#8 0x7facbc3a3672 blink::RuleSet::addRule()
#9 0x7facbc4084e8 blink::StyleResolver::collectFeatures()
#10 0x7facbc408279 blink::StyleResolver::finishAppendAuthorStyleSheets()
#11 0x7facbc1b4672 blink::StyleEngine::appendActiveAuthorStyleSheets()
#12 0x7facbc1b477b blink::StyleEngine::createResolver()
#13 0x7facbc14407c blink::Document::updateStyle()
#14 0x7facbc14122f blink::Document::updateStyleAndLayoutTree()
#15 0x7facbbf288c1 blink::WebViewImpl::textInputType()
#16 0x7facbbf284ac blink::WebViewImpl::textInputInfo()
#17 0x7facbccbebcc content::RenderWidget::UpdateTextInputState()
#18 0x7facbccbe2ca content::RenderWidget::WillBeginCompositorFrame()
#19 0x7facbac55d8a cc::ProxyMain::BeginMainFrame()
#20 0x7facbac5ef50 _ZN4base8internal7InvokerINS0_9BindStateIMN2cc9ProxyMainEFvSt10unique_ptrINS3_28BeginMainFrameAndCommitStateESt14default_deleteIS6_EEEJNS_7WeakPtrIS4_EENS0_13PassedWrapperIS9_EEEEEFvvEE7RunImplIRKSB_RKSt5tupleIJSD_SF_EEJLm0ELm1EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#21 0x7facba4089d3 base::debug::TaskAnnotator::RunTask()
#22 0x7facbbec7337 blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#23 0x7facbbec6146 blink::scheduler::TaskQueueManager::DoWork()
#24 0x7facba4089d3 base::debug::TaskAnnotator::RunTask()
#25 0x7facba3ace85 base::MessageLoop::RunTask()
#26 0x7facba3ad1a8 base::MessageLoop::DeferOrRunPendingTask()
#27 0x7facba3ad4eb base::MessageLoop::DoWork()
#28 0x7facba3ae59a base::MessagePumpDefault::Run()
#29 0x7facba3c655e base::RunLoop::Run()
#30 0x7facbccc7e6b content::RendererMain()
#31 0x7facba0682e1 content::RunZygote()
#32 0x7facba0693c7 content::ContentMainRunnerImpl::Run()
#33 0x7facba067eb0 content::ContentMain()
#34 0x7facb8e062ab ChromeMain
#35 0x7facb1d2ff45 __libc_start_main
#36 0x7facb8e0617d <unknown>
  r8: 0000000000000000  r9: 0000000000080000 r10: 0000000000000001 r11: 0000000000000202
 r12: 000032518d766038 r13: 0000000000000001 r14: 00001f6b7146cb40 r15: 00001f6b7146cb48
  di: 00001f6b7146cb40  si: 000032518d766038  bp: 00007ffd2556c420  bx: 0000201d2a8f4000
  dx: 00007facb9f8e8be  ax: 0000000000000000  cx: 00001f6b70a0e708  sp: 00007ffd2556c3f0
  ip: 00007facbc0b46d0 efl: 0000000000010202 cgf: 0000000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000201d2a8f4000
[end of stack trace]
Sep 1 2016
Another observed crash:

Received signal 11 SEGV_ACCERR 1e74f2613000
#0 0x7facba396697 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#1 0x7facb7eb4330 <unknown>
#2 0x7facbc0b46d0 blink::TraceTrait<>::trace<>()
#3 0x7facb9f89f09 blink::ThreadHeap::processMarkingStack()
#4 0x7facb9f894be blink::ThreadHeap::collectGarbage()
#5 0x7facb9f8c196 blink::LargeObjectArena::allocateLargeObjectPage()
#6 0x7facb9f8d2b4 blink::NormalPageArena::outOfLineAllocate()
#7 0x7facbc3a250e WTF::Vector<>::reserveCapacity()
#8 0x7facbc3a2483 WTF::Vector<>::appendSlowCase<>()
#9 0x7facbc3a00fb blink::RuleFeatureSet::collectFeaturesFromRuleData()
#10 0x7facbc3a364a blink::RuleSet::addRule()
#11 0x7facbc4084e8 blink::StyleResolver::collectFeatures()
#12 0x7facbc408279 blink::StyleResolver::finishAppendAuthorStyleSheets()
#13 0x7facbc1b4672 blink::StyleEngine::appendActiveAuthorStyleSheets()
#14 0x7facbc1b477b blink::StyleEngine::createResolver()
#15 0x7facbc14407c blink::Document::updateStyle()
#16 0x7facbc14122f blink::Document::updateStyleAndLayoutTree()
#17 0x7facbbf288c1 blink::WebViewImpl::textInputType()
#18 0x7facbbf284ac blink::WebViewImpl::textInputInfo()
#19 0x7facbccbebcc content::RenderWidget::UpdateTextInputState()
#20 0x7facbccbe2ca content::RenderWidget::WillBeginCompositorFrame()
#21 0x7facbac55d8a cc::ProxyMain::BeginMainFrame()
#22 0x7facbac5ef50 _ZN4base8internal7InvokerINS0_9BindStateIMN2cc9ProxyMainEFvSt10unique_ptrINS3_28BeginMainFrameAndCommitStateESt14default_deleteIS6_EEEJNS_7WeakPtrIS4_EENS0_13PassedWrapperIS9_EEEEEFvvEE7RunImplIRKSB_RKSt5tupleIJSD_SF_EEJLm0ELm1EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#23 0x7facba4089d3 base::debug::TaskAnnotator::RunTask()
#24 0x7facbbec7337 blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#25 0x7facbbec6146 blink::scheduler::TaskQueueManager::DoWork()
#26 0x7facba4089d3 base::debug::TaskAnnotator::RunTask()
#27 0x7facba3ace85 base::MessageLoop::RunTask()
#28 0x7facba3ad1a8 base::MessageLoop::DeferOrRunPendingTask()
#29 0x7facba3ad4eb base::MessageLoop::DoWork()
#30 0x7facba3ae59a base::MessagePumpDefault::Run()
#31 0x7facba3c655e base::RunLoop::Run()
#32 0x7facbccc7e6b content::RendererMain()
#33 0x7facba0682e1 content::RunZygote()
#34 0x7facba0693c7 content::ContentMainRunnerImpl::Run()
#35 0x7facba067eb0 content::ContentMain()
#36 0x7facb8e062ab ChromeMain
#37 0x7facb1d2ff45 __libc_start_main
#38 0x7facb8e0617d <unknown>
  r8: 0000000000000000  r9: 0000000000080000 r10: 0000000000000001 r11: 0000000000000202
 r12: 00003cbcd0d45d98 r13: 0000000000000001 r14: 00003891b85f41e0 r15: 00003891b85f41e8
  di: 00003891b85f41e0  si: 00003cbcd0d45d98  bp: 00007ffd2556c420  bx: 00001e74f2613000
  dx: 00007facb9f8e8be  ax: 0000000000000000  cx: 00003891b7c0d5b0  sp: 00007ffd2556c3f0
  ip: 00007facbc0b46d0 efl: 0000000000010202 cgf: 0000000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 00001e74f2613000
[end of stack trace]
Sep 2 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a042e2557c51f8f9f71ea2e00e4ac1016426b242

commit a042e2557c51f8f9f71ea2e00e4ac1016426b242
Author: ericwilligers <ericwilligers@chromium.org>
Date: Fri Sep 02 09:33:00 2016

CSS: Additional asserts for style invalidation

RuleFeatureSet::add now verifies that we aren't adding to ourselves.
Our hash sets now verify during insertion that our keys are not empty strings or PseudoUnknown (0).

BUG=412572, 640486
Review-Url: https://codereview.chromium.org/2303443003
Cr-Commit-Position: refs/heads/master@{#416220}

[modify] https://crrev.com/a042e2557c51f8f9f71ea2e00e4ac1016426b242/third_party/WebKit/Source/core/css/RuleFeature.cpp
[modify] https://crrev.com/a042e2557c51f8f9f71ea2e00e4ac1016426b242/third_party/WebKit/Source/core/css/invalidation/InvalidationSet.cpp
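The two asserts described in the commit message above are easiest to see against a toy model. What follows is an added example written for this page, not Chromium or Blink code: a small open-addressing hash set that, like WTF's hash tables, reserves one key value as the "empty bucket" marker for free slots. The sentinel values chosen here (an empty std::string for string keys, 0 for a made-up PseudoType enum) and every name in the block (KeyTraits, SentinelSet, Demonstrate, kPseudoHover) are assumptions of the example, not facts taken from the bug. It shows that inserting the sentinel key through an unchecked path leaves the table's count out of step with what can actually be found, which is the kind of bookkeeping drift that hides entries, while the checked path refuses the key and a self-merge is rejected before the code iterates a container it is mutating.

```cpp
// Added illustration, not Chromium code. A minimal open-addressing hash set
// that, like WTF::HashTable, reserves one key value as the "empty bucket"
// sentinel. Sentinels assumed here: "" for string keys, 0 (kPseudoUnknown)
// for the hypothetical PseudoType enum. All names are illustrative.
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

enum PseudoType : int { kPseudoUnknown = 0, kPseudoHover = 1, kPseudoFocus = 2 };

// Per-key-type traits: which value marks a free bucket, and how to hash.
template <typename Key> struct KeyTraits;
template <> struct KeyTraits<PseudoType> {
  static PseudoType Value() { return kPseudoUnknown; }
  static size_t Hash(PseudoType k) { return static_cast<size_t>(k) * 2654435761u; }
};
template <> struct KeyTraits<std::string> {
  static std::string Value() { return std::string(); }
  static size_t Hash(const std::string& s) { return std::hash<std::string>{}(s); }
};

template <typename Key>
class SentinelSet {
 public:
  SentinelSet() : buckets_(8, KeyTraits<Key>::Value()) {}

  // Naive insert with no sentinel check: writing the empty value into a bucket
  // is exactly what "free" looks like, so the key is dropped while size_ still
  // counts it. The table's bookkeeping and its contents now disagree.
  void InsertUnchecked(const Key& key) {
    if (Contains(key)) return;
    if (size_ * 2 >= buckets_.size()) Grow();
    buckets_[Slot(key)] = key;
    ++size_;
  }

  // Hardened insert mirroring the commit's assert: refuse the sentinel value.
  bool Insert(const Key& key) {
    if (key == KeyTraits<Key>::Value()) return false;
    InsertUnchecked(key);
    return true;
  }

  bool Contains(const Key& key) const {
    if (key == KeyTraits<Key>::Value()) return false;
    return buckets_[Slot(key)] == key;
  }

  // Merge `other` into this set. Mirrors the RuleFeatureSet::add self-check:
  // iterating `other` while inserting into it means Grow() may reallocate the
  // very buckets being walked.
  bool Add(const SentinelSet& other) {
    if (&other == this) return false;
    for (const Key& k : other.buckets_)
      if (k != KeyTraits<Key>::Value()) Insert(k);
    return true;
  }

  size_t size() const { return size_; }  // what the table believes it holds
  size_t LiveCount() const {              // what is actually reachable
    size_t n = 0;
    for (const Key& k : buckets_)
      if (k != KeyTraits<Key>::Value()) ++n;
    return n;
  }

 private:
  // Linear probe to the bucket holding `key`, or the first free bucket.
  size_t Slot(const Key& key) const {
    size_t i = KeyTraits<Key>::Hash(key) % buckets_.size();
    while (buckets_[i] != KeyTraits<Key>::Value() && buckets_[i] != key)
      i = (i + 1) % buckets_.size();
    return i;
  }
  void Grow() {
    std::vector<Key> old;
    old.swap(buckets_);
    buckets_.assign(old.size() * 2, KeyTraits<Key>::Value());
    for (const Key& k : old)
      if (k != KeyTraits<Key>::Value()) buckets_[Slot(k)] = k;
  }

  std::vector<Key> buckets_;
  size_t size_ = 0;
};

// Constructed demonstration: the unchecked path loses the sentinel key, the
// checked path refuses it, and a self-merge is rejected outright.
struct Outcome {
  bool unchecked_lost;   // size() != LiveCount() after inserting the sentinel
  bool checked_refused;  // Insert() returned false for the sentinel
  bool self_add_refused; // Add(self) returned false
};

inline Outcome Demonstrate() {
  SentinelSet<std::string> classes;
  classes.Insert("highlighted");
  classes.InsertUnchecked("");  // empty class name: same bits as a free slot
  Outcome o;
  o.unchecked_lost = classes.size() != classes.LiveCount();

  SentinelSet<PseudoType> pseudos;
  o.checked_refused = !pseudos.Insert(kPseudoUnknown) && pseudos.Insert(kPseudoHover);
  o.self_add_refused = !pseudos.Add(pseudos);
  return o;
}
```

Call Demonstrate() to exercise all three paths; in a real table the unchecked case does not fail loudly, which is why the commit turns it into an assert at the insertion point rather than hunting for the lost entry later.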
Oct 7 2016
I haven't been able to reproduce this since https://codereview.chromium.org/2377953003 landed.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by alancutter@chromium.org, Aug 24 2016