Use-of-uninitialized-value in blink::PointerEventManager::setPointerCapture
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4678153853468672
Fuzzer: inferno_twister_custom_bundle
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  blink::PointerEventManager::setPointerCapture
  blink::ElementV8Internal::setPointerCaptureMethodCallback
  v8::internal::FunctionCallbackArguments::Call
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=411073:411126
Minimized Testcase (3.97 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97WJ0GizGyK3N8f0RazaZz9Ouvc21SS8MTFQgEvdBZtyFmjQ2-MhfRXPIcN8_tdxtpStdHLkAu9Z1LOabbRgldipCS7Z-Ce9VVmPEufFSO2xA07xUTetVOxkGQmjjKGmddBUTKrMR3ZUNFAvXvoxS7VaQZxzQ?testcase_id=4678153853468672
Issue manually filed by: inferno
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 26 2016
I believe that change is reverted. So that cannot be the reason, I guess. I had seen this crash before. The problem is that this crash is irreproducible locally, even though we used those settings given in the link. Besides, the stack trace is impossible, as the setPointerCapture function can only be called via EventHandler and not from V8 internals. Are you sure that is not caused by one of the V8 rollouts?
Aug 26 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 26 2016
This bug is coming back again and again! Do you know who we can ask about V8 and the fact that it jumped to blink::PointerEventManager::setPointerCapture in the stack trace without going through EventHandler class?
Aug 27 2016
nzolghadr@, let's add more Blink folks here. Hopefully somebody may help to understand that.
Aug 28 2016
It seems the Blink binding layer correctly generates code to call Element::setPointerCapture(). The stack might omit some functions due to compiler optimization. https://cs.chromium.org/chromium/src/out/Debug/gen/blink/bindings/core/v8/V8Element.cpp?sq=package:chromium&dr=CSs&rcl=1472383144&l=1043
Sep 6 2016
Friendly ping that M54 beta is coming up this Thursday 9/8 and this is currently a blocker. Please find an owner and get this fixed as soon as feasible.
Sep 7 2016
Moving to ReleaseBlock-Stable to keep track of this for M54
Sep 8 2016
@dtapuska, this bug seems to be going back again and again. So I guess it is consistently being reproduced. But none of us were able to reproduce this locally. How do you think we should proceed?
Sep 14 2016
ClusterFuzz has detected this issue as fixed in range 418377:418438.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4678153853468672
Fuzzer: inferno_twister_custom_bundle
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  blink::PointerEventManager::setPointerCapture
  blink::ElementV8Internal::setPointerCaptureMethodCallback
  v8::internal::FunctionCallbackArguments::Call
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=411073:411126
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=418377:418438
Minimized Testcase (3.97 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97WJ0GizGyK3N8f0RazaZz9Ouvc21SS8MTFQgEvdBZtyFmjQ2-MhfRXPIcN8_tdxtpStdHLkAu9Z1LOabbRgldipCS7Z-Ce9VVmPEufFSO2xA07xUTetVOxkGQmjjKGmddBUTKrMR3ZUNFAvXvoxS7VaQZxzQ?testcase_id=4678153853468672
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 14 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 17 2016
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Sep 20 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 23 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 7 2016
632105 looks to be the same issue and was marked as WontFix.
Dec 21 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Aug 26 2016
Owner: nzolghadr@chromium.org
Status: Assigned (was: Untriaged)