Crash in blink::ObjectPaintInvalidator::invalidateDisplayItemClient
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5429457415569408
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000020
Crash State:
  blink::ObjectPaintInvalidator::invalidateDisplayItemClient
  blink::PaintInvalidationCapableScrollableArea::willRemoveScrollbar
  blink::FrameView::ScrollbarManager::destroyScrollbar
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=400445:400609
Minimized Testcase (2.81 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94pDsVZ96MhpH0empuleMrL7F6xWF7QhV40HCHiWZvsZAYd7bNnpWT-6HYPnP8AhhZswaGnzWIUySmu2x6OQajDFqfziOWYHjsreNNdHoYujXtwtYVWDF4onjc9tnazJ7HSzxUsJwHS2Oake7I5VvvPc47jZA?testcase_id=5429457415569408
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Dec 1 2016
This can be reproduced with a local build with gn args:
proprietary_codecs = true
ffmpeg_branding = "Chrome"
It crashes on every third reload of the page. The root cause seems to be that the FrameView for the embed object is in a bad state when the embed's type is set to NONE.
,
Dec 1 2016
With a debug build, the test crashes on an assertion failure:
ASSERTION FAILED: m_frame->view() == this
../../third_party/WebKit/Source/core/frame/FrameView.cpp(1080) : void blink::FrameView::layout()
1 0x7ff15b679040 blink::FrameView::layout()
2 0x7ff15bc6bb99 blink::LayoutPart::updateWidgetGeometry()
3 0x7ff15b681854 blink::FrameView::updateWidgets()
4 0x7ff15b67546c blink::FrameView::updateWidgetsTimerFired(blink::TimerBase*)
5 0x7ff15ad8ab91
6 0x7ff16569fa8d blink::TimerBase::runInternal()
It seems that the FrameView has been in a bad state before layout.
,
Dec 1 2016
This is an issue about embed/media LocalFrame/Document/FrameView in a particular sequence.
1. The <embed> element creates a new LocalFrame frame1 for the media player, and the loader starts to load the src data url;
2. frame1 creates frameView1;
3. The <embed> element's "type" is set to "NULL" by the script in the test;
4. frame1 creates frameView2 for the new type, while frameView1 is still alive and references frame1;
5. The loader continues to load the data url, which is fed to the original media player document and frameView1 and triggers layout of frameView1;
6. frameView1 crashes because its frame has switched to frameView2.
,
Feb 3 2017
,
Mar 9 2017
ClusterFuzz has detected this issue as fixed in range 455091:455392.
Detailed report: https://clusterfuzz.com/testcase?key=5429457415569408
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000020
Crash State:
  blink::ObjectPaintInvalidator::invalidateDisplayItemClient
  blink::PaintInvalidationCapableScrollableArea::willRemoveScrollbar
  blink::FrameView::ScrollbarManager::destroyScrollbar
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=400445:400609
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=455091:455392
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94pDsVZ96MhpH0empuleMrL7F6xWF7QhV40HCHiWZvsZAYd7bNnpWT-6HYPnP8AhhZswaGnzWIUySmu2x6OQajDFqfziOWYHjsreNNdHoYujXtwtYVWDF4onjc9tnazJ7HSzxUsJwHS2Oake7I5VvvPc47jZA?testcase_id=5429457415569408
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 9 2017
ClusterFuzz testcase 5429457415569408 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Mar 16 2017
Comment 1 by mummare...@chromium.org
Nov 22 2016
Labels: M-55 Test-Predator-Correct
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Untriaged)