Issue metadata
Sign in to add a comment
|
Crash in blink::StyleResolver::collectTreeBoundaryCrossingRulesV0CascadeOrder |
||||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6649707041652736 Fuzzer: attekett_dom_fuzzer Job Type: linux_asan_chrome_v8_arm Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x00000024 Crash State: blink::StyleResolver::collectTreeBoundaryCrossingRulesV0CascadeOrder blink::StyleResolver::matchAuthorRulesV0 blink::StyleResolver::matchAuthorRules Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=427199:427353 Minimized Testcase (0.20 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96ISfmRB5Qg-35kQjuPwI1xlC0f42wfG6SyVvj5DCM7Zgf8ESDkmjQ_VC_pxGIvuECm0RvBfpfu2zNLIcFKiJT9eAZnMTiKtClSJ1SdHI_XnBXpKX29rWiy0OxDctaTUeZ01RigG8HJ0JtLhUzdCIy3w8vnCQ?testcase_id=6649707041652736 <style> dropdown-demo { } dropdown-demo::shadow > section { </style> <script> window.getSelection().modify("extend", "backward", "line") document.styleSheets[0].disabled=true;; </script> Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Oct 27 2016
Looks like a dupe of 659481. Rune: this one has the same stack trace as the other one.
,
Oct 27 2016
yup.
,
Oct 28 2016
ClusterFuzz has detected this issue as fixed in range 427578:427987. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6649707041652736 Fuzzer: attekett_dom_fuzzer Job Type: linux_asan_chrome_v8_arm Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x00000024 Crash State: blink::StyleResolver::collectTreeBoundaryCrossingRulesV0CascadeOrder blink::StyleResolver::matchAuthorRulesV0 blink::StyleResolver::matchAuthorRules Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=427199:427353 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=427578:427987 Minimized Testcase (0.20 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96ISfmRB5Qg-35kQjuPwI1xlC0f42wfG6SyVvj5DCM7Zgf8ESDkmjQ_VC_pxGIvuECm0RvBfpfu2zNLIcFKiJT9eAZnMTiKtClSJ1SdHI_XnBXpKX29rWiy0OxDctaTUeZ01RigG8HJ0JtLhUzdCIy3w8vnCQ?testcase_id=6649707041652736 <style> dropdown-demo { } dropdown-demo::shadow > section { </style> <script> window.getSelection().modify("extend", "backward", "line") document.styleSheets[0].disabled=true;; </script> See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by mmohammad@chromium.org
, Oct 26 2016Status: Assigned (was: Untriaged)