
Issue 671322

Issue metadata

Status: Fixed
Owner: NOT IN USE
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Crash in blink::HTMLImportChild::ownerInserted

Project Member Reported by ClusterFuzz, Dec 5 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5639406087307264

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000003a4
Crash State:
  blink::HTMLImportChild::ownerInserted
  blink::LinkImport::ownerInserted
  blink::HTMLLinkElement::insertedInto
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=436227:436239

Minimized Testcase (0.41 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96_q5bzYgs0zySdchgR-s_k8GB8We_Xd9OgaYofGXt2BwMtjO_LZ_ErxbHlds77LtfZU__uuppJFpovhnEr-tkUWbxOGRbty2BN0KN4r_PhYs7f86hIFjeCfmo2_Mzycg0FkCpIatWWZu8lFTxIxgrwynf8iQ?testcase_id=5639406087307264
<link id="followingLink" rel="import" href="resources/not-slow.html">
<script>
// Take the <link rel="import"> that precedes this script and build a chain of
// elements underneath it, then append a clone of the same import link as the
// innermost child. This is the minimized fuzzer input that triggers the crash.
var test0 = document.getElementById("followingLink");
var test4 = test0.appendChild(document.createElement("textarea"));
var test7 = test4.appendChild(document.createElement("select"));
var test8 = test7.appendChild(document.createElement("font"));
var test9 = test8.appendChild(document.createElement("p"));
test9.appendChild(test0.cloneNode());
</script>


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>HTML
Cc: r...@opera.com
Labels: M-57 Test-Predator-Correct
Owner: meade@chromium.org
Status: Assigned (was: Untriaged)

Author: rune
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/2e3e5148b008e60b37270fec3f6099914550a310
Time: Mon Dec 05 07:22:09 2016
Line 57 of file HTMLImportChild.cpp, which potentially caused the crash, was changed in this CL (frame #2, "blink::HTMLImportChild::ownerInserted").

Comment 3 by meade@chromium.org, Dec 6 2016

Issue 671325 has been merged into this issue.

Comment 4 by meade@chromium.org, Dec 6 2016

Cc: meade@chromium.org
Issue 671320 has been merged into this issue.

Comment 5 by meade@chromium.org, Dec 6 2016

Cc: -r...@opera.com
Owner: r...@opera.com
I think these are all the same issue, also you don't need to use asan to repro, although I'm a little surprised that it doesn't appear to be hitting the DCHECK at https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/dom/Document.h?l=469. Perhaps the Document/StyleEngine has been destructed?

Received signal 11 SEGV_MAPERR 000000000688
#0 0x7f69dc45419e base::debug::StackTrace::StackTrace()
#1 0x7f69dc453cdf base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f69e1556330 <unknown>
#3 0x7f69d247491c WTF::VectorBufferBase<>::buffer()
#4 0x7f69d2756248 blink::Document::styleEngine()
#5 0x7f69d302a4fb blink::HTMLImportChild::ownerInserted()
#6 0x7f69d3035208 blink::LinkImport::ownerInserted()
#7 0x7f69d2f2be78 blink::HTMLLinkElement::insertedInto()
#8 0x7f69d2978c6a blink::ContainerNode::notifyNodeInsertedInternal()
#9 0x7f69d2977471 blink::ContainerNode::notifyNodeInserted()
#10 0x7f69d2975811 blink::ContainerNode::parserAppendChild()
#11 0x7f69d304bbe3 blink::insert()
#12 0x7f69d3045d97 blink::executeInsertTask()
#13 0x7f69d3045c96 blink::HTMLConstructionSite::executeTask()
#14 0x7f69d3046e08 blink::HTMLConstructionSite::executeQueuedTasks()
#15 0x7f69d30a3282 blink::HTMLTreeBuilder::constructTree()
#16 0x7f69d30569b1 blink::HTMLDocumentParser::constructTreeFromCompactHTMLToken()
#17 0x7f69d30565ad blink::HTMLDocumentParser::processTokenizedChunkFromBackgroundParser()
#18 0x7f69d3053b62 blink::HTMLDocumentParser::pumpPendingSpeculations()
#19 0x7f69d3058892 blink::HTMLDocumentParser::resumeParsingAfterScriptExecution()
#20 0x7f69d3058d5a blink::HTMLDocumentParser::executeScriptsWaitingForResources()
#21 0x7f69d29c0d8e blink::Document::executeScriptsWaitingForResources()
#22 0x7f69d2502cc7 _ZN4base8internal13FunctorTraitsIMN5blink14ScriptStreamerEFvvEvE6InvokeIRKNS2_21CrossThreadPersistentIS3_EEJEEEvS5_OT_DpOT0_
#23 0x7f69d29f439d _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN5blink8DocumentEFvvERKNS4_14WeakPersistentIS5_EEJEEEvOT_OT0_DpOT1_
#24 0x7f69d29f4322 _ZN4base8internal7InvokerINS0_9BindStateIMN5blink8DocumentEFvvEJNS3_14WeakPersistentIS4_EEEEEFvvEE7RunImplIRKS6_RKSt5tupleIJS8_EEJLm0EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#25 0x7f69d29f426c _ZN4base8internal7InvokerINS0_9BindStateIMN5blink8DocumentEFvvEJNS3_14WeakPersistentIS4_EEEEEFvvEE3RunEPNS0_13BindStateBaseE
#26 0x7f69d62863eb base::internal::RunMixin<>::Run()
#27 0x7f69d6286381 WTF::Function<>::operator()()
#28 0x7f69d6285ea1 blink::TaskHandle::Runner::run()
#29 0x7f69d628705f _ZN4base8internal13FunctorTraitsIMN5blink10TaskHandle6RunnerEFvRKS3_EvE6InvokeIRKNS_7WeakPtrIS4_EEJS6_EEEvS8_OT_DpOT0_
#30 0x7f69d6286f3f _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN5blink10TaskHandle6RunnerEFvRKS5_ERKNS_7WeakPtrIS6_EEJS8_EEEvOT_OT0_DpOT1_
#31 0x7f69d6286eb3 _ZN4base8internal7InvokerINS0_9BindStateIMN5blink10TaskHandle6RunnerEFvRKS4_EJNS_7WeakPtrIS5_EES4_EEEFvvEE7RunImplIRKS9_RKSt5tupleIJSB_S4_EEJLm0ELm1EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#32 0x7f69d6286dcc _ZN4base8internal7InvokerINS0_9BindStateIMN5blink10TaskHandle6RunnerEFvRKS4_EJNS_7WeakPtrIS5_EES4_EEEFvvEE3RunEPNS0_13BindStateBaseE
#33 0x7f69dc459fc1 _ZNO4base8internal8RunMixinINS_8CallbackIFvvELNS0_8CopyModeE0ELNS0_10RepeatModeE0EEEE3RunEv
#34 0x7f69dc459992 base::debug::TaskAnnotator::RunTask()
#35 0x7f69d65e499a blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#36 0x7f69d65e23c1 blink::scheduler::TaskQueueManager::DoWork()
#37 0x7f69d65eae5c _ZN4base8internal13FunctorTraitsIMN5blink9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEvE6InvokeIRKNS_7WeakPtrIS4_EEJRKS5_RKbEEEvS7_OT_DpOT0_
#38 0x7f69d65ead34 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN5blink9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbERKNS_7WeakPtrIS6_EEJRKS7_RKbEEEvOT_OT0_DpOT1_
#39 0x7f69d65eac94 _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEJNS_7WeakPtrIS5_EES6_bEEEFvvEE7RunImplIRKS8_RKSt5tupleIJSA_S6_bEEJLm0ELm1ELm2EEEEvOT_OT0_NS_13IndexSequenceIJXspT1_EEEE
#40 0x7f69d65eab6c _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEJNS_7WeakPtrIS5_EES6_bEEEFvvEE3RunEPNS0_13BindStateBaseE
#41 0x7f69dc459fc1 _ZNO4base8internal8RunMixinINS_8CallbackIFvvELNS0_8CopyModeE0ELNS0_10RepeatModeE0EEEE3RunEv
#42 0x7f69dc459992 base::debug::TaskAnnotator::RunTask()
#43 0x7f69dc4ea8ba base::MessageLoop::RunTask()
#44 0x7f69dc4eab44 base::MessageLoop::DeferOrRunPendingTask()
#45 0x7f69dc4eae2e base::MessageLoop::DoWork()
#46 0x7f69dc502783 base::MessagePumpDefault::Run()
#47 0x7f69dc4ea43a base::MessageLoop::RunHandler()
#48 0x7f69dc597113 base::RunLoop::Run()
#49 0x7f69df148efc content::RendererMain()
#50 0x7f69df53ed0e content::RunZygote()
#51 0x7f69df53f0c0 content::RunNamedProcessTypeMain()
#52 0x7f69df541492 content::ContentMainRunnerImpl::Run()
#53 0x7f69df53e3b2 content::ContentMain()
#54 0x0000004945e9 main
#55 0x7f69cddb1f45 __libc_start_main
Attachment: testcase.html (118 bytes)

Comment 7 by r...@opera.com, Dec 6 2016

Status: Started (was: Assigned)

Comment 8 by bugdroid1@chromium.org, Dec 7 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8c3cb689223aefc7f9d620f318016ea0a28485da

commit 8c3cb689223aefc7f9d620f318016ea0a28485da
Author: rune <rune@opera.com>
Date: Wed Dec 07 07:25:21 2016

Use correct document for notifying of inserted import.

Notify the root document to update active stylesheets. If the import
child contains stylesheets, the StyleEngine for the import document
will be notified correctly.

Added a couple of sanity DCHECKs.

R=meade@chromium.org
BUG=671322

Review-Url: https://codereview.chromium.org/2551973003
Cr-Commit-Position: refs/heads/master@{#436887}

[add] https://crrev.com/8c3cb689223aefc7f9d620f318016ea0a28485da/third_party/WebKit/LayoutTests/fast/html/imports/import-child-null-document-crash.html
[modify] https://crrev.com/8c3cb689223aefc7f9d620f318016ea0a28485da/third_party/WebKit/Source/core/html/imports/HTMLImportChild.cpp

Comment 9 by r...@opera.com, Dec 7 2016

Status: Fixed (was: Started)

Comment 10 by ClusterFuzz, Dec 8 2016

ClusterFuzz has detected this issue as fixed in range 436872:436895.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5639406087307264

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000003a4
Crash State:
  blink::HTMLImportChild::ownerInserted
  blink::LinkImport::ownerInserted
  blink::HTMLLinkElement::insertedInto
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=436227:436239
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=436872:436895

Minimized Testcase (0.41 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96_q5bzYgs0zySdchgR-s_k8GB8We_Xd9OgaYofGXt2BwMtjO_LZ_ErxbHlds77LtfZU__uuppJFpovhnEr-tkUWbxOGRbty2BN0KN4r_PhYs7f86hIFjeCfmo2_Mzycg0FkCpIatWWZu8lFTxIxgrwynf8iQ?testcase_id=5639406087307264
<link id="followingLink" rel="import" href="resources/not-slow.html">
<script>
// Take the <link rel="import"> that precedes this script and build a chain of
// elements underneath it, then append a clone of the same import link as the
// innermost child. This is the minimized fuzzer input that triggers the crash.
var test0 = document.getElementById("followingLink");
var test4 = test0.appendChild(document.createElement("textarea"));
var test7 = test4.appendChild(document.createElement("select"));
var test8 = test7.appendChild(document.createElement("font"));
var test9 = test8.appendChild(document.createElement("p"));
test9.appendChild(test0.cloneNode());
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.