Crash in blink::Range::checkExtractPrecondition
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5686324939194368
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::Range::checkExtractPrecondition
  blink::Range::extractContents
  blink::RangeV8Internal::extractContentsMethodCallback
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=397981:397991
Minimized Testcase (1.63 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96mbMUjNYNez4VKgeTdfC3rffir3ToEJVLrMSyvjaD4b1_xW5rGsDrXrS6IkGVY03Ntqym5DHJKubX-1fr1U-IWmH7cbK-ubzl5dsTwOcoeodRaac6qiCiFlOop6isECHVFwFcBXAvWL9rKTvKt6jdo1qJMkg?testcase_id=5686324939194368
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by ajha@chromium.org, Nov 30 2016 (Labels: M-55)
Assigning to the concerned owner from find it. The result is a list of CLs that change the crashed files.
Author: yosin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/023a90124852ea2ceab04d4a5662e1dcb5caba68
Time: Mon Jun 06 06:48:29 2016
File Range.cpp is changed in this CL (and is part of stack frame #1, "blink::Range::checkExtractPrecondition"; frame #2, "blink::Range::extractContents").
Minimum distance from crash line to modified line: 17 (file: Range.cpp, crashed on: 1359, modified: 1342).
@yosin -- Could you please look into the issue, and kindly re-assign if this is not related to your change. Thank you.
Dec 1 2016
DOM tree at assertion: SEBODY EMBED id="htmlvar00003" #shadow-root CONTENT #text "\n" KEYGEN #shadow-root SELECT #shadow-root CONTENT OPTION #shadow-root #text "2048 (High Grade)" #text "2048 (High Grade)" OPTION #shadow-root #text "1024 (Medium Grade)" #text "1024 (Medium Grade)" #text "\nbase" start offset: 4, end offset: 4 <
Dec 1 2016
This is caused by the "error" event (synchronous)[1] handler on the VIDEO element, which is dispatched by Node::insertBefore() in the following code in Range::insertNode():
  container = m_start.container();
  // insertBefore() dispatches the event synchronously, so script runs inside this call
  container->insertBefore(
      newNode, NodeTraversal::childAt(*container, m_start.offset()),
      exceptionState);
[1] https://html.spec.whatwg.org/multipage/webappapis.html#runtime-script-errors
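As an added illustration of the pattern described above (a toy model written for this note, not Blink code; that the handler detaches the range's start container is an assumed mutation, not one the report states): insertNode() calls out to a synchronous handler that reenters the Range, and extractContents() re-validates the cached boundary instead of trusting it.

```cpp
#include <algorithm>
#include <functional>
#include <vector>
// Toy model written for this note, not Blink code: insertBefore() runs a
// synchronous callback (the report's "error" event handler), so script can
// mutate the tree and reenter the Range while insertNode() is still mid-call.
struct Node {
    Node* parent = nullptr;
    std::vector<Node*> children;
    std::function<void()> onInsert;  // fired synchronously from insertBefore()
    void appendChild(Node* c) { c->parent = this; children.push_back(c); }
    void remove() {  // detach from the parent; the node object stays alive
        if (!parent) return;
        auto& s = parent->children;
        s.erase(std::find(s.begin(), s.end(), this));
        parent = nullptr;
    }
    void insertBefore(Node* n, std::size_t idx) {
        n->parent = this;
        children.insert(children.begin() + std::min(idx, children.size()), n);
        if (onInsert) onInsert();  // script runs here and may reenter the Range
    }
    bool inDocument(const Node* doc) const {  // still attached to the document?
        const Node* n = this; while (n->parent) n = n->parent; return n == doc; }
};
struct Range {
    Node* doc; Node* start; std::size_t offset;  // collapsed range, start == end
    // Same shape as the quoted Range::insertNode(): cache the container, then
    // call insertBefore(), which may run script before it returns.
    void insertNode(Node* n) { Node* container = start; container->insertBefore(n, offset); }
    // Re-validate the boundary instead of trusting the cached pointer: if script
    // detached the container during the callout, return -1 rather than read null.
    int extractContents() {
        if (!start->inDocument(doc)) return -1;
        int moved = 0;
        while (start->children.size() > offset) { start->children.back()->remove(); ++moved; }
        return moved;
    }
};
// Constructed scenario: with handlerReenters, body.onInsert detaches the start
// container and reenters extractContents() (assumed mutation); returns that
// reentrant result, or the normal extractContents() result when no handler runs.
int extractResult(bool handlerReenters) {
    Node doc, body, a, b, video;
    doc.appendChild(&body); body.appendChild(&a); body.appendChild(&b);
    Range r{&doc, &body, 1}; int result = 0;
    if (handlerReenters) body.onInsert = [&] { body.remove(); result = r.extractContents(); };
    r.insertNode(&video);
    return handlerReenters ? result : r.extractContents();  // -1 vs 2
}
```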
Dec 22 2016
ClusterFuzz has detected this issue as fixed in range 440205:440286.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5686324939194368
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::Range::checkExtractPrecondition
  blink::Range::extractContents
  blink::RangeV8Internal::extractContentsMethodCallback
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=397981:397991
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=440205:440286
Minimized Testcase (1.63 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96mbMUjNYNez4VKgeTdfC3rffir3ToEJVLrMSyvjaD4b1_xW5rGsDrXrS6IkGVY03Ntqym5DHJKubX-1fr1U-IWmH7cbK-ubzl5dsTwOcoeodRaac6qiCiFlOop6isECHVFwFcBXAvWL9rKTvKt6jdo1qJMkg?testcase_id=5686324939194368
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 22 2016
ClusterFuzz testcase 5686324939194368 is verified as fixed, so closing issue. If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.