Crash in blink::RuleFeatureSet::add |
||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4662619744239616 Fuzzer: mbarbella_js_mutation_layout Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x0000000000dc Crash State: blink::RuleFeatureSet::add blink::ScopedStyleResolver::collectFeaturesTo blink::StyleEngine::collectScopedStyleFeaturesTo Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=438123:438157 Minimized Testcase (0.53 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96He-Hs_QZYd0hagge2ueVDnTJSUKYRseEsMnCyuMLmeQNK4DJhlgeJF-5j0MFuVa2OSL4uQah2fxQNJ7PCD_uAgG-UQ1ZeEFiKnhP1Nu6zEAM8UOw3tJJhGU-Qja8dydClsc4nwk3MVjJxLOZbfRkV8Zwd-A?testcase_id=4662619744239616 <style type="text/css"> @media braille { </style> <script> function elementCenter(e) { return { x: e.offsetLeft + e.offsetWidth / 2, y: e.offsetTop + e.offsetHeight / 2 } } ; </script> <button id="enter" onclick="document.body.webkitRequestFullScreen()"> <script> enterButton = document.getElementById('enter'); var enterButtonCenter = elementCenter(enterButton); eventSender.mouseMoveTo(enterButtonCenter.x, enterButtonCenter.y); eventSender.mouseDown(); eventSender.mouseUp(); </script> Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Dec 19 2016
Assigning to style TL for further triage.
,
Dec 19 2016
Crashes spiked in M-57 from chrome version: 57.0.2954.0 and is #1 renderer crash on the latest canary(57.0.2954.0) of Mac. Link to the crashes: ==================== https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3ARuleFeatureSet%3A%3Aadd%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D Considering below as the changelog: =================================== https://chromium.googlesource.com/chromium/src/+log/57.0.2953.0..57.0.2954.0?pretty=fuller&n=10000 Suspecting: https://codereview.chromium.org/2557533005 by rune@. rune@: Could you please take a look at these crashes. Thank you!
,
Dec 19 2016
Users experienced this crash on the following builds: Win Canary 57.0.2955.0 - 0.57 CPM, 7 reports, 7 clients (signature blink::RuleFeatureSet::add) Mac Canary 57.0.2955.0 - 31.17 CPM, 63 reports, 41 clients (signature blink::RuleFeatureSet::add) If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
,
Dec 19 2016
Pinged (sashab@ - reviewer of the above CL) offline and waiting for the reply. Thank you!
,
Dec 19 2016
Sorry - I didn't review that CL, best to let esprehn@ take a look. I get the feeling that is the correct CL, though. Rune@ might be able to debug.
,
Dec 20 2016
Full stack, the crash looks like a nullptr crept in somewhere probably from that empty media query block? That does look like the right CL. There's a null check here: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/css/resolver/ScopedStyleResolver.cpp?dr=C&sq=package:chromium&rcl=1482150271&l=96 which should prevent an entry in m_authorStyleSheets with a null RuleSet, but if anything calls clearRuleSet() that can make the ->ruleSet() getter return null even if the entry in the ActiveStyleSheetVector still has one. We probably need to plumb that ruleset around somewhere or add some more null checks? The problem is when redoing the sheet collection process when we've already done the initial pass adding sheets I think. #0 0x12d9e799 in end third_party/WebKit/Source/wtf/HashTable.h:713:39 #1 0x12d9e799 in begin third_party/WebKit/Source/wtf/HashTable.h:710 #2 0x12d9e799 in begin third_party/WebKit/Source/wtf/HashMap.h:393 #3 0x12d9e799 in blink::RuleFeatureSet::add(blink::RuleFeatureSet const&) third_party/WebKit/Source/core/css/RuleFeature.cpp:887 #4 0xb88cd7c in blink::ScopedStyleResolver::collectFeaturesTo(blink::RuleFeatureSet&, blink::HeapHashSet<blink::Member<blink::StyleSheetContents const>, WTF::MemberHash<blink::StyleSheetContents const>, WTF::HashTraits<blink::Member<blink::StyleSheetContents const> > >&) const third_party/WebKit/Source/core/css/resolver/ScopedStyleResolver.cpp:120:16 #5 0xbc4e27e in blink::StyleEngine::collectScopedStyleFeaturesTo(blink::RuleFeatureSet&) const third_party/WebKit/Source/core/dom/StyleEngine.cpp:569:39 #6 0x12d46632 in blink::CSSGlobalRuleSet::update(blink::Document&) third_party/WebKit/Source/core/css/CSSGlobalRuleSet.cpp:66:26 #7 0xba550e1 in setContainsFullScreenElement third_party/WebKit/Source/core/dom/Element.cpp:3364:28 #8 0xba550e1 in blink::Element::setContainsFullScreenElementOnAncestorsCrossingFrameBoundaries(bool) third_party/WebKit/Source/core/dom/Element.cpp:3393 #9 0xbacdb34 in blink::Fullscreen::didEnterFullscreen() third_party/WebKit/Source/core/dom/Fullscreen.cpp:661:9 #10 0xa63f0c3 in blink::FullscreenController::didEnterFullscreen() third_party/WebKit/Source/web/FullscreenController.cpp:88:21 #11 0x9781bb1 in content::RenderWidget::Resize(content::ResizeParams const&) content/renderer/render_widget.cc:0:21 #12 0x974e820 in content::RenderViewImpl::OnResize(content::ResizeParams const&) content/renderer/render_view_impl.cc:2339:17
,
Dec 20 2016
This is mine, for sure.
,
Dec 20 2016
,
Dec 20 2016
,
Dec 20 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0c3e8777424678b81c5306e832391050f65cb170 commit 0c3e8777424678b81c5306e832391050f65cb170 Author: rune <rune@opera.com> Date: Tue Dec 20 13:16:09 2016 Don't update global ruleset when active style is dirty. CSSGlobalRuleSet should always be collected as part of the active style update. RuleSets may have been cleared from StyleSheetContents as a result of media query changes for instance. For the given issue, we tried to limit to a global ruleset when lazy- loading fullscreen UA style, but as part of going fullscreen we had already cleared rule sets for stylesheets with media queries due to the media feature change. BUG= 675439 Review-Url: https://codereview.chromium.org/2590793003 Cr-Commit-Position: refs/heads/master@{#439781} [add] https://crrev.com/0c3e8777424678b81c5306e832391050f65cb170/third_party/WebKit/LayoutTests/fullscreen/full-screen-ruleset-crash.html [modify] https://crrev.com/0c3e8777424678b81c5306e832391050f65cb170/third_party/WebKit/Source/core/dom/StyleEngine.cpp [modify] https://crrev.com/0c3e8777424678b81c5306e832391050f65cb170/third_party/WebKit/Source/core/dom/StyleEngine.h
,
Dec 20 2016
,
Dec 20 2016
Issue 675542 has been merged into this issue.
,
Dec 21 2016
Thanks Rune, this saved me from digging into issue 675542 !
,
Dec 21 2016
ClusterFuzz has detected this issue as fixed in range 439765:439794. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4662619744239616 Fuzzer: mbarbella_js_mutation_layout Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x0000000000dc Crash State: blink::RuleFeatureSet::add blink::ScopedStyleResolver::collectFeaturesTo blink::StyleEngine::collectScopedStyleFeaturesTo Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=438123:438157 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=439765:439794 Minimized Testcase (0.53 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96He-Hs_QZYd0hagge2ueVDnTJSUKYRseEsMnCyuMLmeQNK4DJhlgeJF-5j0MFuVa2OSL4uQah2fxQNJ7PCD_uAgG-UQ1ZeEFiKnhP1Nu6zEAM8UOw3tJJhGU-Qja8dydClsc4nwk3MVjJxLOZbfRkV8Zwd-A?testcase_id=4662619744239616 <style type="text/css"> @media braille { </style> <script> function elementCenter(e) { return { x: e.offsetLeft + e.offsetWidth / 2, y: e.offsetTop + e.offsetHeight / 2 } } ; </script> <button id="enter" onclick="document.body.webkitRequestFullScreen()"> <script> enterButton = document.getElementById('enter'); var enterButtonCenter = elementCenter(enterButton); eventSender.mouseMoveTo(enterButtonCenter.x, enterButtonCenter.y); eventSender.mouseDown(); eventSender.mouseUp(); </script> See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page. |
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by tkent@chromium.org
, Dec 18 2016