Crash in blink::Element::attachLayoutTree

Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6327826381012992
Fuzzer: inferno_twister
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x000000fb
Crash State:
  blink::Element::attachLayoutTree
  blink::HTMLSlotElement::attachLayoutTree
  blink::ContainerNode::attachLayoutTree
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=414808:414882
Minimized Testcase (0.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94JIt-O_V7ko9DYkZYCV1_qE4H0ximzasZi5bDKsRjEbydpg6LqJ7gZwWH6Mpm-q0mAhM8a0-wJKJo-RPTfaR0htAcuH7S310EeyovnK45cBJWdI7fVGIpbUuzJ4Q9eOiSScZDCEP2Nx6A9dUthCf_tK2PT5g?testcase_id=6327826381012992
Issue manually filed by: msrchandra
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Aug 30 2016
Okay. I will take a look tomorrow.
Aug 31 2016

Aug 31 2016

Sep 2 2016

Sep 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4ab3573f362bbb835b25567448cc2c4b77427e12

commit 4ab3573f362bbb835b25567448cc2c4b77427e12
Author: hayato <hayato@chromium.org>
Date: Mon Sep 05 03:42:02 2016

Check the next chain of a slotchange event correctly on a slotchange at a fallback slot

When a slotchange event happens at a fallback slot, HTMLSlotElement::enqueueSlotChangeEvent() does not check the condition of the next chain of a slotchange correctly. It only checks whether the parent is a shadow host or not. Instead of its own incomplete check logic, we should re-use Node::checkSlotChange() here.

This also fixes a crash, reported by bug 642303, because the needsDistributionRecalc flag is set correctly by detecting the next chain of a slotchange event.

BUG=642303
Review-Url: https://codereview.chromium.org/2306643004
Cr-Commit-Position: refs/heads/master@{#416491}

[modify] https://crrev.com/4ab3573f362bbb835b25567448cc2c4b77427e12/third_party/WebKit/LayoutTests/shadow-dom/slotchange.html
[modify] https://crrev.com/4ab3573f362bbb835b25567448cc2c4b77427e12/third_party/WebKit/Source/core/dom/Node.h
[modify] https://crrev.com/4ab3573f362bbb835b25567448cc2c4b77427e12/third_party/WebKit/Source/core/html/HTMLSlotElement.cpp

Sep 5 2016
Should be fixed.
Oct 18 2016
Still observing this issue; please see the comment below. Thanks.
Oct 18 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5983258070482944
Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0x00000000018c
Crash State:
  blink::Element::attachLayoutTree
  blink::HTMLSlotElement::attachLayoutTree
  blink::ContainerNode::attachLayoutTree
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=425616:425627
Minimized Testcase (4.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Rq69x2enZXkBv_-i_GvOG-cVuuhsf7eah1WDe-q-hTuAfkGtNUUdkrViohceVu9-G_NTpJc8MNvoeYPTVODJcu1qX61IpzwMjkkV1NIGIVHQTsoewjCekQYoonAJlUIkU7aFrppdYO5cRAHcdrZ8KhSbyZA?testcase_id=5983258070482944
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Oct 18 2016

Oct 24 2016

Oct 24 2016

Oct 26 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/980a85e4e0dd7504cd00cb9dacf7d2b06347a24f

commit 980a85e4e0dd7504cd00cb9dacf7d2b06347a24f
Author: hayato <hayato@chromium.org>
Date: Wed Oct 26 09:40:58 2016

Do not use outdated m_distributedNodes of slots in non-shadow trees

HTMLSlotElement::m_distributedNodes might be outdated for slots in non-shadow trees. There are other places where outdated m_distributedNodes might be used, which could be addressed in another CL.

BUG=642303
Review-Url: https://codereview.chromium.org/2452473003
Cr-Commit-Position: refs/heads/master@{#427650}

[add] https://crrev.com/980a85e4e0dd7504cd00cb9dacf7d2b06347a24f/third_party/WebKit/LayoutTests/shadow-dom/crashes/slots-in-document-tree-crash.html
[modify] https://crrev.com/980a85e4e0dd7504cd00cb9dacf7d2b06347a24f/third_party/WebKit/Source/core/dom/Node.cpp
[modify] https://crrev.com/980a85e4e0dd7504cd00cb9dacf7d2b06347a24f/third_party/WebKit/Source/core/html/HTMLSlotElement.cpp

Oct 27 2016
This should be fixed.
Oct 28 2016
ClusterFuzz has detected this issue as fixed in range 427578:427987.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5983258070482944
Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0x00000000018c
Crash State:
  blink::Element::attachLayoutTree
  blink::HTMLSlotElement::attachLayoutTree
  blink::ContainerNode::attachLayoutTree
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=425616:425627
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=427578:427987
Minimized Testcase (4.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Rq69x2enZXkBv_-i_GvOG-cVuuhsf7eah1WDe-q-hTuAfkGtNUUdkrViohceVu9-G_NTpJc8MNvoeYPTVODJcu1qX61IpzwMjkkV1NIGIVHQTsoewjCekQYoonAJlUIkU7aFrppdYO5cRAHcdrZ8KhSbyZA?testcase_id=5983258070482944
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by msrchandra@chromium.org, Aug 30 2016
Labels: findit-wrong Te-Logged
Owner: hayato@chromium.org
Status: Assigned (was: Untriaged)