Hi, fs@:

There is a use after poison memory access issue here. I am not sure exactly where the poison happened. It seems that you are familiar with the related code. Could you please take a look into this? Thanks a lot.

There have been separate reports (663362, 663444, 663473, 663362). I'm going to go ahead and roll out this patch for now.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/11759c7f36706a115c03b9fc98a6060dd73a71e9

commit 11759c7f36706a115c03b9fc98a6060dd73a71e9
Author: pdr <pdr@chromium.org>
Date: Wed Nov 09 00:50:20 2016

Revert of Tracking filter mutation via SVGElementProxy (patchset #15 id:280001 of https://codereview.chromium.org/2401343002/ )

Reason for revert:
There are several reports of issues from this patch. Lets go ahead and roll out for now.

BUG= 663362 , 663444 , 663473 , 663362 

Original issue's description:
> Tracking reference filter mutation via SVGElementProxy
>
> This introduces SVGElementProxy - a new piece with the functionality of
> DocumentResourceReference and the ReferenceFilterBuilder merged. It
> provides the means to track clients of a certain element (only
> SVGFilterElements for now, but will likely be extended to other types if
> it ends up sticking.) An SVGElementProxy is created, and primarily owned,
> by CSSURIValue. The proxy also handles loading of a resource document, if
> requested.
>
> Clients are SVGResourceClients, like before, with methods/callbacks
> renamed. Some of the old functionality of SVGResourceClient has either
> been moved to clients, to the proxy or been replaced with different
> solutions.
>
> Mutations to the element/subtree is signaled separately from any
> potential changes to the actual reference (anything that might invalidate
> the element reference.)
>
> BUG= 439970 
> CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
>
> Committed: https://crrev.com/d36f8a8c9c4b7d757c0d8832e624be80c4465991
> Cr-Commit-Position: refs/heads/master@{#430550}

TBR=esprehn@chromium.org,fs@opera.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

BUG= 439970 , 663362 , 663444 , 663473 , 663362 

Review-Url: https://codereview.chromium.org/2482353002
Cr-Commit-Position: refs/heads/master@{#430800}

[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/css/CSSURIValue.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/css/CSSURIValue.h
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/css/resolver/ElementStyleResources.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/css/resolver/ElementStyleResources.h
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/css/resolver/FilterOperationResolver.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/dom/Document.h
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/dom/Element.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/dom/Element.h
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/dom/Node.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/dom/Node.h
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/dom/StyleChangeReason.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/dom/StyleChangeReason.h
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/fetch/BUILD.gn
[add] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/fetch/DocumentResourceReference.h
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/frame/FrameView.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/layout/svg/BUILD.gn
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/layout/svg/LayoutSVGResourceContainer.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/layout/svg/LayoutSVGResourceContainer.h
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/layout/svg/LayoutSVGResourceFilter.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/layout/svg/LayoutSVGResourceFilter.h
[add] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/layout/svg/ReferenceFilterBuilder.cpp
[add] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/layout/svg/ReferenceFilterBuilder.h
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/paint/FilterEffectBuilder.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/paint/PaintLayer.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/paint/PaintLayer.h
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/paint/PaintLayerFilterInfo.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/paint/PaintLayerFilterInfo.h
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/style/FilterOperation.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/style/FilterOperation.h
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/style/FilterOperations.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/style/FilterOperations.h
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/svg/BUILD.gn
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/svg/SVGDocumentExtensions.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/svg/SVGDocumentExtensions.h
[delete] https://crrev.com/b9b22b4b813671b5e461333a8bdfebcb1740a97e/third_party/WebKit/Source/core/svg/SVGElementProxy.cpp
[delete] https://crrev.com/b9b22b4b813671b5e461333a8bdfebcb1740a97e/third_party/WebKit/Source/core/svg/SVGElementProxy.h
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/svg/SVGFilterElement.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/svg/SVGFilterElement.h
[add] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/svg/SVGResourceClient.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/core/svg/SVGResourceClient.h
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/modules/canvas2d/CanvasRenderingContext2D.cpp
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/modules/canvas2d/CanvasRenderingContext2D.h
[modify] https://crrev.com/11759c7f36706a115c03b9fc98a6060dd73a71e9/third_party/WebKit/Source/modules/canvas2d/CanvasRenderingContext2DState.cpp

Removing RVG labels.

ClusterFuzz has detected this issue as fixed in range 369046:369094.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4719058089148416

Fuzzer: ochang_domfuzzer
Job Type: android_asan_chrome_x86
Platform Id: android:gce_x86:m

Crash Type: Use-after-poison READ 4
Crash Address: 0x323e527c
Crash State:
  blink::IdTargetObserverRegistry::removeObserver
  blink::IdTargetObserver::unregister
  blink::SVGElementProxy::removeClient
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=android_asan_chrome_x86&range=368802:368810
Fixed: https://cluster-fuzz.appspot.com/revisions?job=android_asan_chrome_x86&range=369046:369094

Minimized Testcase (0.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv947KSRHA3SaBWs9I0vsgpnazHElPJRJTBwF6Cga9NbBbtEjYHXwX03LOFQOY2-XZQZpl0Y-dltMUNlI5O_EdDrOUtfo7kfLvLRdlOm0kSjylZtBTMdsrt4vCjGxist_F3MGs8y5lXyEqm8z2TVrtDA-K1tchw?testcase_id=4719058089148416

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Marking as fixed because the CL was reverted.

 Issue 663688  has been merged into this issue.

Issue 663379 has been merged into this issue.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot