Crash in blink::StyleRuleBase::createCSSOMWrapper
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5324554287448064
Fuzzer: inferno_twister
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000003
Crash State:
  blink::StyleRuleBase::createCSSOMWrapper
  blink::StyleRuleBase::createCSSOMWrapper
  blink::CSSStyleSheet::item
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=421755:421761
Minimized Testcase (1.89 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94i8smCIdfEu8SAas9byojiR67JbhKq62NYeH4tGzqxKMF36SOkFT0izNnkm0htWAPB7e1JhQNobg_sDODPAwLhSt4Aesyvd7CSXYwVxirHmX-0w07byxv6gFqCJ0sA0ep3A6ZHN4J3e1dkLgFIWje9Wb8ULQ?testcase_id=5324554287448064
Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Oct 20 2016
Comment 1 by mmohammad@chromium.org. Status: assigned (was: Untriaged)
meade@, can you triage this?
,
Oct 25 2016
Tim, Elliott, I don't really know what to do with this; I'm traveling right now so I don't have access to my Windows machine. Interestingly, the regressed range doesn't include any Blink CLs, despite it looking like a nullptr in blink::StyleRuleBase::createCSSOMWrapper. I stared at the code for a bit, and it seems like the this pointer must be null, which I don't really understand how that could happen...? Help?
,
Oct 25 2016
You could try bisecting manually; it repros for me on Dev on Linux:
<!-- Two identical style elements share one parsed StyleSheetContents until one of them is mutated. -->
<style>@namespace a "a"; div { }</style>
<style>@namespace a "a"; div { }</style>
<script>
// Deleting a rule through the CSSOM forces the first sheet to take its own copy of the shared contents.
document.styleSheets[0].deleteRule(1);
// Reading the remaining @namespace rule creates its CSSOM wrapper; this is where it crashes.
document.styleSheets[0].cssRules[0];
</script>
,
Oct 25 2016
That test is so simple I don't think it's worth bisecting, just try to fix that test case. :)
,
Oct 25 2016
oh, I see. I'll take a look.
,
Oct 28 2016
Hey Tim, I still wasn't able to find the cause of this. I mucked around in gdb for a while, and eventually discovered two weird things:
1. In the first (and should be only?) wrapperDeleteRule, m_namespaceRules[0].get() is already null. https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/css/StyleSheetContents.cpp?l=279
2. If I then break inside ruleAt, the behaviour of m_namespaceRules in gdb is weird: I can use the [] operator on m_childRules, but not m_namespaceRules... https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/css/StyleSheetContents.cpp?l=187
Any ideas?
,
Oct 28 2016
I guess this is because StyleSheetContents::StyleSheetContents(const StyleSheetContents& o) isn't copying namespace rules.
,
Oct 31 2016
,
Nov 1 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ca04090e0b051b730f9dc8823f0bba151ebb5bcb

commit ca04090e0b051b730f9dc8823f0bba151ebb5bcb
Author: meade <meade@chromium.org>
Date: Tue Nov 01 06:18:15 2016

Copy m_namespaceRules when copying StyleSheetContents to avoid crashing.

BUG= 657457
Review-Url: https://codereview.chromium.org/2459843002
Cr-Commit-Position: refs/heads/master@{#428946}

[add] https://crrev.com/ca04090e0b051b730f9dc8823f0bba151ebb5bcb/third_party/WebKit/LayoutTests/fast/css/access-namespace-rule-after-delete-rule.html
[modify] https://crrev.com/ca04090e0b051b730f9dc8823f0bba151ebb5bcb/third_party/WebKit/Source/core/css/StyleRule.cpp
[modify] https://crrev.com/ca04090e0b051b730f9dc8823f0bba151ebb5bcb/third_party/WebKit/Source/core/css/StyleRuleNamespace.h
[modify] https://crrev.com/ca04090e0b051b730f9dc8823f0bba151ebb5bcb/third_party/WebKit/Source/core/css/StyleSheetContents.cpp
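The diagnosis in the Oct 28 comment (the copy constructor does not carry m_namespaceRules) and the fix in the commit above, as an added example that is not Blink's code: a small C++ model of the mechanism. Two sheets share one parsed contents object; a CSSOM mutation first copies the shared contents (copy-on-write), and if that copy forgets the namespace rules, index 0 resolves to a null rule exactly where createCSSOMWrapper would be called. The class names mirror Blink loosely, but `SheetContents`, `StyleSheet`, `parseSheet`, `ruleZeroAfterDelete` and the `copyNamespaceRules` switch are hypothetical names for this model, and the null case returns an empty string here instead of crashing so the outcome can be checked.

```cpp
// Added example, not Blink's code: a minimal copy-on-write model of the bug.
// `copyNamespaceRules` is a hypothetical switch selecting pre-fix vs fixed copy.
#include <cassert>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

struct StyleRule {
  enum Kind { Namespace, Style };
  Kind kind;
  std::string text;
};

// Models StyleSheetContents: namespace rules live in their own vector and are
// indexed before child rules, which is how the thread describes ruleAt().
struct SheetContents {
  std::vector<std::shared_ptr<StyleRule>> namespaceRules;
  std::vector<std::shared_ptr<StyleRule>> childRules;
  bool copyNamespaceRules;

  explicit SheetContents(bool fixed) : copyNamespaceRules(fixed) {}

  // Copy constructor used by copy-on-write. With copyNamespaceRules == false it
  // reproduces the symptom from the thread: a namespace slot whose .get() is null.
  SheetContents(const SheetContents& o)
      : childRules(o.childRules), copyNamespaceRules(o.copyNamespaceRules) {
    if (copyNamespaceRules)
      namespaceRules = o.namespaceRules;                // the fix: carry them over
    else
      namespaceRules.resize(o.namespaceRules.size());   // pre-fix model: null slots
  }

  size_t ruleCount() const { return namespaceRules.size() + childRules.size(); }

  StyleRule* ruleAt(size_t index) const {
    if (index < namespaceRules.size())
      return namespaceRules[index].get();
    index -= namespaceRules.size();
    return index < childRules.size() ? childRules[index].get() : nullptr;
  }

  void wrapperDeleteRule(size_t index) {
    if (index < namespaceRules.size()) {
      namespaceRules.erase(namespaceRules.begin() + index);
      return;
    }
    index -= namespaceRules.size();
    childRules.erase(childRules.begin() + index);
  }
};

// Models CSSStyleSheet: the CSSOM-facing object holding possibly shared contents.
struct StyleSheet {
  std::shared_ptr<SheetContents> contents;

  // deleteRule: detach from shared contents before mutating (copy-on-write).
  void deleteRule(size_t index) {
    if (contents.use_count() > 1)
      contents = std::make_shared<SheetContents>(*contents);
    contents->wrapperDeleteRule(index);
  }

  // item: Blink handed the raw rule pointer to createCSSOMWrapper and crashed on
  // null; the model returns "" for a null rule so the result can be inspected.
  std::string item(size_t index) const {
    const StyleRule* rule = contents->ruleAt(index);
    return rule ? rule->text : std::string();
  }
};

// Constructed input: the parsed form of <style>@namespace a "a"; div { }</style>.
static std::shared_ptr<SheetContents> parseSheet(bool fixedCopy) {
  auto contents = std::make_shared<SheetContents>(fixedCopy);
  contents->namespaceRules.push_back(std::make_shared<StyleRule>(
      StyleRule{StyleRule::Namespace, "@namespace a \"a\";"}));
  contents->childRules.push_back(
      std::make_shared<StyleRule>(StyleRule{StyleRule::Style, "div { }"}));
  return contents;
}

// Replays the repro: two sheets share one contents, sheet 0 deletes rule 1 and
// then reads rule 0. Returns the text the CSSOM sees; "" means a null rule.
std::string ruleZeroAfterDelete(bool fixedCopy) {
  auto shared = parseSheet(fixedCopy);
  StyleSheet sheet0{shared};
  StyleSheet sheet1{shared};
  sheet0.deleteRule(1);
  assert(sheet0.contents != sheet1.contents);  // copy-on-write detached sheet 0
  assert(sheet1.contents->ruleCount() == 2);   // the untouched sheet keeps both
  assert(sheet0.contents->ruleCount() == 1);
  return sheet0.item(0);
}

int main() {
  std::printf("pre-fix copy: cssRules[0] = \"%s\"\n", ruleZeroAfterDelete(false).c_str());
  std::printf("fixed copy:   cssRules[0] = \"%s\"\n", ruleZeroAfterDelete(true).c_str());
  return 0;
}
```

The model only checks that the copy preserves every rule vector; the layout test added by the commit (access-namespace-rule-after-delete-rule.html) is the real regression test, exercising the same deleteRule-then-cssRules[0] sequence in the DOM.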
,
Nov 1 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot