
Issue 642028 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


Use-of-uninitialized-value in void WTF::copyToVector<WTF::HashSet<blink::LayoutObject*, WTF::PtrHash<blink::La

Project Member Reported by ClusterFuzz, Aug 29 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5588676535123968

Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  void WTF::copyToVector<WTF::HashSet<blink::LayoutObject*, WTF::PtrHash<blink::La
  blink::DepthOrderedLayoutObjectList::ordered
  blink::FrameView::layoutOrthogonalWritingModeRoots
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=407480:407711

Minimized Testcase (1.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97QYPT-X8ybO6FaH-5yX9zgNUBycJQqWKLx4wd1oMJZdOddwPTvix9gFQSnQuWzQZ4BUczcNMFeiqmeoejlHmni5Lezb5DKdraH0E5PRR-8wIPR68SBm6H_E47e0bMWyNTR9eaK6jHLonDqhTPOhXgjNEQvMA?testcase_id=5588676535123968

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: robho...@gmail.com
Components: Blink>Layout
Labels: -OS-Linux OS-All Pri-1
Owner: robhogan@chromium.org
Status: Assigned (was: Untriaged)
Author: robhogan
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/67818d55a1b15b97a96b7a74814e822024b0a346
Time: Mon Jul 25 19:53:06 2016
File LayoutBlockFlow.cpp is changed in this cl (and is part of stack frame #1, "blink::LayoutBlockFlow::removeChild")
Minimum distance from crash line to modified line: 10. (file: LayoutBlockFlow.cpp, crashed on: 2451, modified: 2441).

Suspected Project: chromium
Suspected Component: Blink>Layout
Owner: kojii@chromium.org
kojii: this looks like another orthogonal writing mode root one. Can you take a look?
Comment 3 by sheriffbot@chromium.org (Project Member), Aug 30 2016

Labels: M-54
Comment 4 by sheriffbot@chromium.org (Project Member), Aug 30 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by kojii@chromium.org, Aug 31 2016

Status: Started (was: Assigned)
Thank you robhogan, double-layout from scrollbar again, looks like the previous fix was not complete.
Comment 6 by bugdroid1@chromium.org (Project Member), Aug 31 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/146cecaf22dca2a82fa102c46441af6bd79dffa0

commit 146cecaf22dca2a82fa102c46441af6bd79dffa0
Author: kojii <kojii@chromium.org>
Date: Wed Aug 31 17:39:01 2016

Fix removeChildNode to unmark orthogonal writing mode roots when !notifyLayoutObject

removeChildNode() does not notify willBeRemovedFromTree() when
!notifyLayoutObject. This can leave orthogonal writing mode roots
marked after the removal of the child.

This patch unmarks them even when !notifyLayoutObject.

This fixes anonymous boxes left marked in fullscreen. It is still
correct for LayoutFullscreen to have the same writing-mode as parent,
but DCHECK was removed because it doesn't leave boxes unmarked any
longer, and ensuring that against dynamic changes requires more work.

BUG=642028

Review-Url: https://codereview.chromium.org/2296973003
Cr-Commit-Position: refs/heads/master@{#415675}

[modify] https://crrev.com/146cecaf22dca2a82fa102c46441af6bd79dffa0/third_party/WebKit/Source/core/frame/FrameView.cpp
[modify] https://crrev.com/146cecaf22dca2a82fa102c46441af6bd79dffa0/third_party/WebKit/Source/core/layout/LayoutObjectChildList.cpp

Comment 7 by ClusterFuzz (Project Member), Sep 1 2016

ClusterFuzz has detected this issue as fixed in range 415621:415737.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5588676535123968

Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  void WTF::copyToVector<WTF::HashSet<blink::LayoutObject*, WTF::PtrHash<blink::La
  blink::DepthOrderedLayoutObjectList::ordered
  blink::FrameView::layoutOrthogonalWritingModeRoots
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=407480:407711
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=415621:415737

Minimized Testcase (1.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97QYPT-X8ybO6FaH-5yX9zgNUBycJQqWKLx4wd1oMJZdOddwPTvix9gFQSnQuWzQZ4BUczcNMFeiqmeoejlHmni5Lezb5DKdraH0E5PRR-8wIPR68SBm6H_E47e0bMWyNTR9eaK6jHLonDqhTPOhXgjNEQvMA?testcase_id=5588676535123968

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by kojii@chromium.org, Sep 1 2016

Labels: Merge-Request-54
Status: Fixed (was: Started)
Comment 9 by sheriffbot@chromium.org (Project Member), Sep 1 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 10 by dimu@chromium.org, Sep 1 2016

Labels: -Merge-Request-54 Merge-Approved-54 Hotlist-Merge-Approved
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Comment 11 by bugdroid1@chromium.org (Project Member), Sep 2 2016

Labels: -merge-approved-54 merge-merged-2840
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/39e06039f343ece335a0eaf610d2ce577f110a6c

commit 39e06039f343ece335a0eaf610d2ce577f110a6c
Author: Koji Ishii <kojii@chromium.org>
Date: Fri Sep 02 05:00:11 2016

Merge 2840: Fix removeChildNode to unmark orthogonal writing mode roots when !notifyLayoutObject

removeChildNode() does not notify willBeRemovedFromTree() when
!notifyLayoutObject. This can leave orthogonal writing mode roots
marked after the removal of the child.

This patch unmarks them even when !notifyLayoutObject.

This fixes anonymous boxes left marked in fullscreen. It is still
correct for LayoutFullscreen to have the same writing-mode as parent,
but DCHECK was removed because it doesn't leave boxes unmarked any
longer, and ensuring that against dynamic changes requires more work.

BUG=642028

Review-Url: https://codereview.chromium.org/2296973003
Cr-Commit-Position: refs/heads/master@{#415675}
(cherry picked from commit 146cecaf22dca2a82fa102c46441af6bd79dffa0)

Review URL: https://codereview.chromium.org/2304833002 .

Cr-Commit-Position: refs/branch-heads/2840@{#119}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/39e06039f343ece335a0eaf610d2ce577f110a6c/third_party/WebKit/Source/core/frame/FrameView.cpp
[modify] https://crrev.com/39e06039f343ece335a0eaf610d2ce577f110a6c/third_party/WebKit/Source/core/layout/LayoutObjectChildList.cpp

Comment 12 by bugdroid1@chromium.org (Project Member), Oct 27 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/39e06039f343ece335a0eaf610d2ce577f110a6c

commit 39e06039f343ece335a0eaf610d2ce577f110a6c
Author: Koji Ishii <kojii@chromium.org>
Date: Fri Sep 02 05:00:11 2016

Merge 2840: Fix removeChildNode to unmark orthogonal writing mode roots when !notifyLayoutObject

removeChildNode() does not notify willBeRemovedFromTree() when
!notifyLayoutObject. This can leave orthogonal writing mode roots
marked after the removal of the child.

This patch unmarks them even when !notifyLayoutObject.

This fixes anonymous boxes left marked in fullscreen. It is still
correct for LayoutFullscreen to have the same writing-mode as parent,
but DCHECK was removed because it doesn't leave boxes unmarked any
longer, and ensuring that against dynamic changes requires more work.

BUG=642028

Review-Url: https://codereview.chromium.org/2296973003
Cr-Commit-Position: refs/heads/master@{#415675}
(cherry picked from commit 146cecaf22dca2a82fa102c46441af6bd79dffa0)

Review URL: https://codereview.chromium.org/2304833002 .

Cr-Commit-Position: refs/branch-heads/2840@{#119}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/39e06039f343ece335a0eaf610d2ce577f110a6c/third_party/WebKit/Source/core/frame/FrameView.cpp
[modify] https://crrev.com/39e06039f343ece335a0eaf610d2ce577f110a6c/third_party/WebKit/Source/core/layout/LayoutObjectChildList.cpp

Comment 13 by sheriffbot@chromium.org (Project Member), Dec 8 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot