
Issue 676441 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
NOT IN USE
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




m_styleSheetCollectionMap.contains(&scope) in StyleEngine.cpp

Project Member Reported by ClusterFuzz, Dec 21 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4885746315165696

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  m_styleSheetCollectionMap.contains(&scope) in StyleEngine.cpp
  blink::StyleEngine::markTreeScopeDirty
  blink::StyleEngine::removePendingSheet
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=327721:327734

Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94bnIUXwjto8WRHNuBNFY0yj5KS0crhowWKHTp_eBwUvwcktrcN_HujpKCioQ47muENNqgAcp4_0UmYnB2be_Sf2yAszlSWJKBL80zZxiKMvHJFO2m6F1yg6YUhTi3SPJ7asX5OG8ZDUDgJSJbf_klFXoS82A?testcase_id=4885746315165696
<marquee><body id=bodyElement><iframe id=iframe>
  </iframe>
  <script>
var body = bodyElement;
iframe.contentDocument.documentElement.appendChild(body);
</script>


Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by sigbjo...@opera.com, Dec 22 2016

Components: Blink>CSS

Comment 2 by r...@opera.com, Dec 22 2016

Owner: r...@opera.com
Status: Assigned (was: Untriaged)

Comment 3 by r...@opera.com, Jan 5 2017

Status: Started (was: Assigned)
Project Member Comment 5 by bugdroid1@chromium.org, Jan 6 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9ea74b3f541f6850a48f6a2b4d08f3d4de95dcf4

commit 9ea74b3f541f6850a48f6a2b4d08f3d4de95dcf4
Author: rune <rune@opera.com>
Date: Fri Jan 06 20:28:55 2017

Use setNeedsActiveStyleUpdate instead of markTreeScopeDirty.

setNeedsActiveStyleUpdate checks if the document is active before
calling markTreeScopeDirty. This avoids marking shadow root tree scopes
dirty for non-active documents which caused a DCHECK fail in
markTreeScopeDirty.

R=esprehn@chromium.org
BUG=676441

Review-Url: https://codereview.chromium.org/2611053004
Cr-Commit-Position: refs/heads/master@{#442028}

[add] https://crrev.com/9ea74b3f541f6850a48f6a2b4d08f3d4de95dcf4/third_party/WebKit/LayoutTests/fast/dom/shadow/move-shadow-host-to-child-iframe-crash.html
[modify] https://crrev.com/9ea74b3f541f6850a48f6a2b4d08f3d4de95dcf4/third_party/WebKit/Source/core/dom/StyleEngine.cpp

Comment 6 by r...@opera.com, Jan 8 2017

Status: Fixed (was: Started)
Project Member Comment 7 by ClusterFuzz, Jan 12 2017

ClusterFuzz has detected this issue as fixed in range 441984:442831.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4885746315165696

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  m_styleSheetCollectionMap.contains(&scope) in StyleEngine.cpp
  blink::StyleEngine::markTreeScopeDirty
  blink::StyleEngine::removePendingSheet
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=327721:327734
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=441984:442831

Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94bnIUXwjto8WRHNuBNFY0yj5KS0crhowWKHTp_eBwUvwcktrcN_HujpKCioQ47muENNqgAcp4_0UmYnB2be_Sf2yAszlSWJKBL80zZxiKMvHJFO2m6F1yg6YUhTi3SPJ7asX5OG8ZDUDgJSJbf_klFXoS82A?testcase_id=4885746315165696
<marquee><body id=bodyElement><iframe id=iframe>
  </iframe>
  <script>
var body = bodyElement;
iframe.contentDocument.documentElement.appendChild(body);
</script>


Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
