Crash in blink::getTypeExtension

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4947764393017344
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::getTypeExtension
  blink::Document::createElement
  blink::DocumentV8Internal::createElementMethodCallbackForMainWorld
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=428077:428329
Minimized Testcase (0.18 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96dgozDO9R9hfYjZKd73QBIEPnApPCIjNCaQW1LJ2ojyAfggbs6zhnlEbvCJeYZvlop2P8k5ziVKIzxzly4SxWzmgvXUarF9CrRgiId8b4GraIoH7hnTtz4Oe-KLWlaARmmQFgcSXbJn-jrGsAgtVjOd7LuQA?testcase_id=4947764393017344

<script>
var fakestring = {toString: function() { document.body.firstChild, 'Element'; return "1" }} /* Element*/
var var00262 = document.createElement("option",fakestring);
</script>

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 24 2016
Nov 24 2016
Might have been caused by e8d4a1b8a06a252894820686f1570f5943bb5947 or b2bda38bd5c73eeaed5198d7440cf5ddffe3a9c5.
Nov 24 2016
From Findit results, assigning the issue to the concerned owner.
The result is a list of CLs that change the crashed files.
Author: a.obzhirov
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/fc17d505758c284f99624ac69b6e2fb72ea7b623
Time: Thu Oct 27 19:33:32 2016
Lines 706, 736-741 of file Document.cpp which potentially caused the crash are changed in this CL (frame #3, "blink::getTypeExtension"; frame #4, "blink::Document::createElement").
Minimum distance from crash line to modified line: 0 (file: Document.cpp, crashed on: 704, modified: 704).
@a.obzhirov -- Could you please look into the issue, and kindly re-assign if this is not related to your change. Thank you.
Nov 25 2016
Hi, will check.
Nov 25 2016
Nov 25 2016
I've made a first fix:
diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp
index 32dd75a..6eb5002 100644
--- a/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/third_party/WebKit/Source/core/dom/Document.cpp
@@ -702,7 +702,9 @@ String getTypeExtension(Document* document,
if (impl.hasIs())
return impl.is();
- return toCoreString(dict.v8Value()->ToString());
+ v8::Local<v8::String> string = dict.v8Value()->ToString();
+ if (!string.IsEmpty())
+ return toCoreString(string);
}
return emptyString();
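Review bot: the `if (!string.IsEmpty())` guard removes the null read on the empty handle, but when `ToString()` comes back empty the function silently falls through to `return emptyString();`, so the caller cannot tell a failed conversion (an empty handle here means the script-defined toString did not produce a string, typically because it threw) from an options object whose toString legitimately returned "", and createElement carries on with that exception still pending. Propagate the failure instead, for example by recording it in the caller's ExceptionState (or a separate failure return) and having Document::createElement bail out before it creates and wraps the node; that is also where the second crash under blink::Node::wrap reported below would be cut off. Consider the context-taking `ToString(context)` overload that returns a `MaybeLocal`, so the failure case is explicit at the call site, and land the reproducer as a layout test alongside the fix.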
It fixed the original crash, but now the problem has moved to another place :)
and I am getting a new crash log:
Received signal 11 SEGV_MAPERR 000000000000
#0 0x7eff9b701d7e base::debug::StackTrace::StackTrace()
#1 0x7eff9b70216d base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7eff9b402330 <unknown>
#3 0x7eff9773aead v8::internal::GlobalHandles::MakeWeak()
#4 0x7eff9549e32f blink::V8DOMWrapper::associateObjectWithWrapper()
#5 0x7eff95509712 blink::Node::associateWithWrapper()
#6 0x7eff954feb4d blink::Node::wrap()
#7 0x7eff95f3b527 blink::v8SetReturnValueForMainWorld<>()
#8 0x7eff95f3c354 blink::DocumentV8Internal::createElementMethodCallbackForMainWorld()
#9 0x7eff97319b7d v8::internal::FunctionCallbackArguments::Call()
#10 0x7eff973bdc27 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#11 0x7eff973be50e v8::internal::Builtin_HandleApiCall()
Which tells me there is something wrong with the createElement(localName, exceptionState) result, which is strange.
Will continue investigating to get a patch fixing all the crashes.
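The sequence in this comment (an empty V8 handle dereferenced at address 0, then a first fix that checks the handle but lets createElement carry on until it faults while wrapping the node) is worth seeing as a minimal model. The C++ below is an added example written for this page, not Blink or V8 code and not the fix that eventually landed: `Local`, `String`, `Value` and `ExceptionState` are toy stand-ins for the V8/Blink types, and it assumes the conversion comes back empty because the script-defined toString threw. It contrasts the unpatched dereference, the first fix's silent fallthrough to the empty string, and a variant that propagates the failure so the caller stops before it creates and wraps the element.

```cpp
// Added example, not Blink/V8 code: a toy model of the getTypeExtension
// failure mode and of two ways of handling an empty handle.
#include <functional>
#include <iostream>
#include <string>

// Stand-in for v8::Local<T>. A default-constructed handle is empty; the
// unchecked operator-> on an empty handle is a read through a null pointer,
// which is the crash address 0x0 in the report.
template <typename T>
class Local {
 public:
  Local() : ptr_(nullptr) {}
  explicit Local(T* p) : ptr_(p) {}
  bool IsEmpty() const { return ptr_ == nullptr; }
  T* operator->() const { return ptr_; }
 private:
  T* ptr_;
};

struct String { std::string value; };

// Stand-in for a JS value whose ToString() runs script. The callback models
// the script-defined toString; returning false models it throwing, which is
// assumed here to be why the engine hands back an empty handle.
struct Value {
  std::function<bool(std::string&)> toStringCallback;
  String storage;
  bool pendingException = false;

  Local<String> ToString() {
    std::string out;
    if (!toStringCallback(out)) {
      pendingException = true;
      return Local<String>();  // empty handle, exception left pending
    }
    storage.value = out;
    return Local<String>(&storage);
  }
};

struct ExceptionState { bool hadException = false; };

// Unpatched shape: options.ToString()->... with no check. The predicate is
// returned instead of dereferenced so the example stays runnable.
bool unpatchedWouldNullDeref(Value& options) {
  return options.ToString().IsEmpty();
}

// First fix from the comment: check the handle, otherwise fall through to
// the empty string. No null read, but a failed conversion is now
// indistinguishable from a toString that legitimately returned "".
std::string getTypeExtensionFirstFix(Value& options) {
  Local<String> s = options.ToString();
  if (!s.IsEmpty()) return s->value;
  return std::string();
}

// Propagating variant: the failure reaches the caller via the exception
// state, so the caller can stop instead of continuing with it pending.
bool getTypeExtensionPropagating(Value& options, ExceptionState& es, std::string& ext) {
  Local<String> s = options.ToString();
  if (s.IsEmpty()) { es.hadException = true; return false; }
  ext = s->value;
  return true;
}

// Caller in the shape of Document::createElement: true means it goes on to
// create and wrap the element, which is where the second crash surfaced.
bool createElementProceeds(Value& options, ExceptionState& es, bool propagate) {
  std::string ext;
  if (propagate) return getTypeExtensionPropagating(options, es, ext);
  ext = getTypeExtensionFirstFix(options);
  return true;  // keeps going even though an exception is pending
}

// Constructed inputs: a toString that returns "1" and one that throws.
Value makeWellBehaved() {
  Value v;
  v.toStringCallback = [](std::string& out) { out = "1"; return true; };
  return v;
}
Value makeThrowing() {
  Value v;
  v.toStringCallback = [](std::string&) { return false; };
  return v;
}

std::string firstFixOnWellBehaved() { Value v = makeWellBehaved(); return getTypeExtensionFirstFix(v); }
bool throwingWouldCrashUnpatched()  { Value v = makeThrowing(); return unpatchedWouldNullDeref(v); }
std::string firstFixOnThrowing()    { Value v = makeThrowing(); return getTypeExtensionFirstFix(v); }
bool firstFixCallerKeepsGoing() {
  Value v = makeThrowing(); ExceptionState es;
  return createElementProceeds(v, es, false) && v.pendingException && !es.hadException;
}
bool propagatingCallerStops() {
  Value v = makeThrowing(); ExceptionState es;
  return !createElementProceeds(v, es, true) && es.hadException;
}

int main() {
  std::cout << "well-behaved toString -> \"" << firstFixOnWellBehaved() << "\"\n"
            << "unpatched null deref on throwing toString: " << throwingWouldCrashUnpatched() << "\n"
            << "first fix, caller keeps going: " << firstFixCallerKeepsGoing() << "\n"
            << "propagating, caller stops: " << propagatingCallerStops() << "\n";
  return 0;
}
```

The point the model makes is that the empty-handle check is necessary but not sufficient: once a conversion has failed, the failure has to travel up to the code that would otherwise continue creating and wrapping the element, which is why the first fix moved the crash rather than removing it.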
Nov 25 2016
I have a fix now, will submit with the test today.
Nov 26 2016
Feb 2 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/91ce1ab1209aaec1750eb1c1c3b77d606333abe1

commit 91ce1ab1209aaec1750eb1c1c3b77d606333abe1
Author: a.obzhirov <a.obzhirov@samsung.com>
Date: Thu Feb 02 18:48:32 2017

Crash in blink::getTypeExtension

BUG=666610
Review-Url: https://codereview.chromium.org/2530243002
Cr-Commit-Position: refs/heads/master@{#447807}

[add] https://crrev.com/91ce1ab1209aaec1750eb1c1c3b77d606333abe1/third_party/WebKit/LayoutTests/fast/dom/custom/crash-in-getTypeExtension.html
[modify] https://crrev.com/91ce1ab1209aaec1750eb1c1c3b77d606333abe1/third_party/WebKit/Source/core/dom/Document.cpp
Feb 3 2017
ClusterFuzz has detected this issue as fixed in range 447773:447836.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4947764393017344
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::getTypeExtension
  blink::Document::createElement
  blink::DocumentV8Internal::createElementMethodCallbackForMainWorld
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=428077:428329
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=447773:447836
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96dgozDO9R9hfYjZKd73QBIEPnApPCIjNCaQW1LJ2ojyAfggbs6zhnlEbvCJeYZvlop2P8k5ziVKIzxzly4SxWzmgvXUarF9CrRgiId8b4GraIoH7hnTtz4Oe-KLWlaARmmQFgcSXbJn-jrGsAgtVjOd7LuQA?testcase_id=4947764393017344

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 3 2017
ClusterFuzz testcase 4947764393017344 is verified as fixed, so closing issue. If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ajha@chromium.org, Nov 18 2016
Labels: M-56