!contentFrame() in HTMLFrameElementBase.cpp
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6008894708252672
Fuzzer: bj_broddelwerk
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !contentFrame() in HTMLFrameElementBase.cpp
  blink::HTMLFrameElementBase::didNotifySubtreeInsertionsToDocument
  blink::ContainerNode::insertNodeVector<>
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=436277:436347
Minimized Testcase (2.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94blQdCxkBOHmMLJTuI9_wS2Sumkl0goQjcGEVZ7eU-9XiJaK9N2EsG3Q-qeevUO1AeozK9mvtHUr7oyrFi2Dxlk6UF15eYA_GUHk20jH7fNMx7ZhsLAvJuUMFrA4HmBeosz-kb7G4cvPCkgOcnGo7UoxZgAg?testcase_id=6008894708252672

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 23 2016
Findit did not provide any possible suspects. From CL, assigning to the concerned owner -- https://chromium.googlesource.com/chromium/src/+log/d43013c5d52b5cefb20b2f4537d8b48ebe6c0ac4..37f5bc05d896e5328d3cb5484240e7fc9015963b?pretty=fuller
Suspected commit: https://chromium.googlesource.com/chromium/src/+/baf4f1f0cca9c704ff01de23e9360a1deef00cb4
@jochen -- Could you please look into the issue, and kindly re-assign if this is not related to your changes. Thank you.
Dec 23 2016
Seems like insertAdjacentHTML ends up loading iframes twice?
Dec 23 2016
Issue 675068 has been merged into this issue.
Jan 9 2017
Issue 675025 has been merged into this issue.
Jan 9 2017
Users experienced this crash on the following builds: Android Dev 57.0.2970.0 - 3.37 CPM, 110 reports, 37 clients (signature blink::HTMLFrameElementBase::didNotifySubtreeInsertionsToDocument) If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Jan 10 2017
Issue 679201 has been merged into this issue.
Jan 10 2017
For reference, here's a really simple snippet that tickles this bug:
<script>
// Two sibling iframes are built in a detached <div> so that neither has a
// content frame yet; both get their frames created during the same insertion.
var d = document.createElement('div');
var i0 = d.appendChild(document.createElement('iframe'));
var i1 = d.appendChild(document.createElement('iframe'));
// While i0 is being hooked up, its javascript: URL runs synchronously and
// re-points the not-yet-notified sibling i1, so i1 gets a frame before its own
// didNotifySubtreeInsertionsToDocument runs and the !contentFrame() CHECK fires.
i0.src = "javascript:parent.i1.src='https://www.google.com'";
document.documentElement.appendChild(d);
</script>
from https://codereview.chromium.org/2497133002/#msg9
Mar 15 2017
Taking a look.
Mar 25 2017
ClusterFuzz has detected this issue as fixed in range 459433:459517.

Detailed report: https://clusterfuzz.com/testcase?key=6008894708252672
Fuzzer: bj_broddelwerk
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !contentFrame() in HTMLFrameElementBase.cpp
  blink::HTMLFrameElementBase::didNotifySubtreeInsertionsToDocument
  blink::ContainerNode::insertNodeVector<>
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=436277:436347
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=459433:459517
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97T9sOU5q2w-AX0paYTNSW0t7-sphm_nGH4JAV4gvJ4bYZTXSp7fOPiVVpymVxu84kIY290a8dNxkdhgiz5iyOWVE709sY7PTsBclTPZBpOWKekKJ_Lt37KsdZEbitI-q27tO_59sl3tbGjNVXReJpbxKNgFTLCvHRQHtvg6YY7R5PgRX82V_LbHbdsNDYZZ3y5lOTSbrSP3wkoGb07yJMPPF1oO3sRaFNhVIbeLGoAIpvpxD8WCe8oGsr28_Ygc_BGFCpCmpsN9fIEFbhaz6vdjfYIHZwrKCPQxo24rkSZEwSbLIt7CG5zFkzwgdD3NUjPw_D6WTPFZiGZk5P_bKLoAS-XnW0zt2V-jpoRSQ4ht149rGOOTNybhjzqGZCuJ7RX8VIc0y8OHcd0cKf1rdqucnfKWg?testcase_id=6008894708252672

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 25 2017
ClusterFuzz testcase 6008894708252672 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by dtapu...@chromium.org, Dec 19 2016