Crash in blink::Node::unregisterMutationObserver

Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5062413525450752
Fuzzer: inferno_twister
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000008
Crash State:
  blink::Node::unregisterMutationObserver
  blink::MutationObserverRegistration::unregister
  blink::MutationObserver::disconnect
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=426136:426137
Minimized Testcase (0.33 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95bjj-5v7GgSvtq-QDLmkai4woIPt8l5BgJJQROaY5ndCJA002FlzeH7KmDWpTwhscnCHC9ne24Fu5L6gYvCCjNB2N2PQJCfri0GIUCpHWppdnQtFbt6pE9RRDmJaM8Qp7mem54flSRuDre6My6FjxPd743_g?testcase_id=5062413525450752

    <title id=tCF1> </title>
    <script>
    // gc() is only defined when the browser is started with --js-flags=--expose-gc;
    // otherwise the call throws and is swallowed here.
    function forceGC() { try { gc(); } catch (e) {} }

    // Observe the <title> node; a present characterDataOldValue key implies characterData: true.
    mtObserver6 = new MutationObserver(function() {});
    mtObserver6.observe(tCF1, { characterDataOldValue: false });

    function tCF_custom_1() {
      // Detach the observed node, force a collection, then disconnect the observer.
      tCF1.parentNode.removeChild(tCF1);
      forceGC();
      mtObserver6.disconnect();
    }

    forceGC();
    tCF_custom_1();
    </script>

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 20 2016
I'm not an owner of MutationObserver; please find an appropriate owner, thanks.

Oct 20 2016
aseemgarg@, could you please look into this. Please feel free to reassign back if needed. Thanks in advance!

Oct 20 2016
Sorry. I have no idea what this is about.

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Nov 28 2016
It seems this crash affects real users. https://crash.corp.google.com/browse?stbtiq=unregisterMutationObserver

Nov 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/afe73aec9717475be1979d3a052cb3fd81da8e17

commit afe73aec9717475be1979d3a052cb3fd81da8e17
Author: tkent <tkent@chromium.org>
Date: Mon Nov 28 08:07:52 2016

MutationObserver: Fix a null-pointer dereference in MutationObserverRegistration::unregister.

Before Oilpan was enabled, MutationObserverRegistration couldn't outlive m_registrationNode. After enabling Oilpan, it's possible that a MutationObserverRegistration outlives its m_registrationNode.

Reproducible scenario:
- No Persistent/Member references to either object,
- No pointer to the m_registrationNode on the stack,
- A pointer to the MutationObserverRegistration exists on the stack, and
- Conservative GC is executed.

BUG=657613
Review-Url: https://codereview.chromium.org/2532003002
Cr-Commit-Position: refs/heads/master@{#434616}

[modify] https://crrev.com/afe73aec9717475be1979d3a052cb3fd81da8e17/third_party/WebKit/Source/core/BUILD.gn
[modify] https://crrev.com/afe73aec9717475be1979d3a052cb3fd81da8e17/third_party/WebKit/Source/core/dom/MutationCallback.h
[modify] https://crrev.com/afe73aec9717475be1979d3a052cb3fd81da8e17/third_party/WebKit/Source/core/dom/MutationObserver.h
[modify] https://crrev.com/afe73aec9717475be1979d3a052cb3fd81da8e17/third_party/WebKit/Source/core/dom/MutationObserverRegistration.cpp
[modify] https://crrev.com/afe73aec9717475be1979d3a052cb3fd81da8e17/third_party/WebKit/Source/core/dom/MutationObserverRegistration.h
[add] https://crrev.com/afe73aec9717475be1979d3a052cb3fd81da8e17/third_party/WebKit/Source/core/dom/MutationObserverTest.cpp

Comment 1 by mmohammad@chromium.org, Oct 19 2016
Owner: danakj@chromium.org
Status: Assigned (was: Untriaged)