
Issue 669847

Starred by 2 users

Issue metadata

Status: Fixed
Owner: tkent@chromium.org
Closed: Dec 2016
Cc: yosin@chromium.org kochi@chromium.org
Components: Blink>Forms
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


!element || (element->isClearButtonElement()) in ClearButtonElement.h

Project Member Reported by ClusterFuzz, Nov 30 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5588823921917952

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !element || (element->isClearButtonElement()) in ClearButtonElement.h
  blink::MultipleFieldsTemporalInputTypeView::clearButtonElement
  blink::MultipleFieldsTemporalInputTypeView::updateClearButtonVisibility
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=434865:434912

Minimized Testcase (1.41 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96JQXwuPzsPiPUPrdzfv9bySmgrFgQrtErw4JwsYJmnNNJ67TS8VCPcewVMutEimjUbivRaoRexLPWN71wNhmmX9aD_Z6cqTEi_X7oGj1TUqjs0jQyHT4p4DVxj4tkQXmqbYmELmeSyQPD6gYMKV7VGnuP84g?testcase_id=5588823921917952

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ajha@chromium.org, Nov 30 2016

Components: Blink>Input
Labels: M-57
Components: -Blink>Input Blink>Forms

Comment 3 by tkent@chromium.org, Dec 1 2016

Owner: tkent@chromium.org
Status: Assigned (was: Untriaged)

Comment 4 by tkent@chromium.org, Dec 2 2016

Cc: yosin@chromium.org kochi@chromium.org
Minimum repro:

<script>
function jsfuzzer() {
 // Hiding the subtree does not remove focus from #input synchronously;
 // the focusability check is only scheduled.
 document.body.style.display = "none";
 // Setting the value makes the time editor relayout its UA shadow elements.
 input.value = "23:59";
}
</script>
<body onload=jsfuzzer()>
<style></style>
<!-- The blur that leaks out of the relayout switches the input to a different type. -->
<input id="input" type="time" autofocus onblur="this.type = 'search';">

DateTimeEditElement::layout() carefully moves element focus to avoid dispatching focus/blur events on the host element. However,

1. |document.body.style.display = "none"| doesn't remove focus from |input| immediately. It just schedules a delayed focusability check.
2. DateTimeEditElement::layout() recreates UA shadow elements, but it fails to focus the new UA shadow element because the host is not focusable. So 'blur' is dispatched in the function unexpectedly.

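The sequence tkent describes above, as an added model written for this page (it is not Blink code and not the fix that landed): a shadow-tree rebuild tries to move focus silently, the refocus fails because the host is no longer focusable, the resulting blur runs page script re-entrantly, that script changes the input's type, and code after the dispatch then finds something other than a clear button in the slot it assumes. The struct names, the fixed "slot" layout of the shadow tree and the search-cancel element are assumptions made for the illustration; the guarded variant only shows the general rule that state touched after dispatching a DOM event must be re-validated.

```cpp
// Added illustration, not Blink's code: a small model of the re-entrancy in this bug.
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <vector>

enum class Kind { TimeField, ClearButton, SearchCancel };

struct ShadowElement {
    Kind kind;
    bool isClearButtonElement() const { return kind == Kind::ClearButton; }
};

struct Host {
    std::string type = "time";
    bool focusable = true;                        // false once the subtree is display:none
    std::function<void(Host&)> onblur;            // page-supplied handler (hypothetical hook)
    std::vector<std::unique_ptr<ShadowElement>> shadow;  // UA shadow tree
    static constexpr std::size_t kClearButtonSlot = 1;   // assumed layout of the tree

    // Rebuild the shadow tree for the current type. For "time" the slot holds a
    // clear button; for "search" (illustrative) it holds a search-cancel control.
    void rebuildShadowTree() {
        shadow.clear();
        shadow.push_back(std::make_unique<ShadowElement>(ShadowElement{Kind::TimeField}));
        shadow.push_back(std::make_unique<ShadowElement>(
            ShadowElement{type == "time" ? Kind::ClearButton : Kind::SearchCancel}));
    }

    void setType(const std::string& newType) {
        type = newType;
        rebuildShadowTree();
    }

    // Stand-in for clearButtonElement(): the CHECK in the report is
    // "!element || element->isClearButtonElement()".
    bool clearButtonCheckPasses() const {
        const ShadowElement* e =
            shadow.size() > kClearButtonSlot ? shadow[kClearButtonSlot].get() : nullptr;
        return !e || e->isClearButtonElement();
    }

    // Try to put focus on the freshly created shadow element; this fails when the
    // host itself is not focusable, and the silent focus move turns into a blur.
    bool restoreFocus() const { return focusable; }

    void dispatchBlur() { if (onblur) onblur(*this); }

    // Modelled on DateTimeEditElement::layout(); returns true when the
    // clear-button CHECK would fire afterwards.
    bool layoutUnguarded() {
        rebuildShadowTree();
        if (!restoreFocus()) dispatchBlur();   // page script may run here, re-entrantly
        return !clearButtonCheckPasses();      // updateClearButtonVisibility() stand-in
    }

    // Defensive variant (illustrative, not the actual fix): after dispatching an
    // event, re-check that the host is still the kind of thing this view handles.
    bool layoutGuarded() {
        rebuildShadowTree();
        if (!restoreFocus()) {
            dispatchBlur();
            if (type != "time") return false;  // the view is no longer ours; skip the update
        }
        return !clearButtonCheckPasses();
    }
};

// Sequence of the minimized testcase: display:none (focus not yet removed),
// a value change triggers layout, and the blur handler flips the type.
bool checkFiresUnguarded() {
    Host h;
    h.onblur = [](Host& self) { self.setType("search"); };
    h.focusable = false;              // document.body.style.display = "none"
    return h.layoutUnguarded();       // input.value = "23:59"
}

bool checkFiresGuarded() {
    Host h;
    h.onblur = [](Host& self) { self.setType("search"); };
    h.focusable = false;
    return h.layoutGuarded();
}

// Control: while the host stays focusable, focus is restored silently, no blur
// is dispatched, and the handler never gets a chance to change the type.
bool checkFiresWhenFocusable() {
    Host h;
    h.onblur = [](Host& self) { self.setType("search"); };
    return h.layoutUnguarded();
}
```

The point of the control case is that the bug needs both halves of tkent's analysis: the delayed focusability check (so the host is already unfocusable while still focused) and the failed refocus in layout() (so the blur escapes to page script).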
Project Member Comment 6 by ClusterFuzz, Dec 14 2016

ClusterFuzz has detected this issue as fixed in range 435261:438085.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5588823921917952

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !element || (element->isClearButtonElement()) in ClearButtonElement.h
  blink::MultipleFieldsTemporalInputTypeView::clearButtonElement
  blink::MultipleFieldsTemporalInputTypeView::updateClearButtonVisibility
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=434865:434912
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (1.41 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96JQXwuPzsPiPUPrdzfv9bySmgrFgQrtErw4JwsYJmnNNJ67TS8VCPcewVMutEimjUbivRaoRexLPWN71wNhmmX9aD_Z6cqTEi_X7oGj1TUqjs0jQyHT4p4DVxj4tkQXmqbYmELmeSyQPD6gYMKV7VGnuP84g?testcase_id=5588823921917952

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by tkent@chromium.org, Dec 14 2016

Status: Fixed (was: Assigned)
