m_styleSheetCollectionMap.contains(&scope) in StyleEngine.cpp

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4885746315165696

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  m_styleSheetCollectionMap.contains(&scope) in StyleEngine.cpp
  blink::StyleEngine::markTreeScopeDirty
  blink::StyleEngine::removePendingSheet

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=327721:327734

Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94bnIUXwjto8WRHNuBNFY0yj5KS0crhowWKHTp_eBwUvwcktrcN_HujpKCioQ47muENNqgAcp4_0UmYnB2be_Sf2yAszlSWJKBL80zZxiKMvHJFO2m6F1yg6YUhTi3SPJ7asX5OG8ZDUDgJSJbf_klFXoS82A?testcase_id=4885746315165696

  <marquee><body id=bodyElement><iframe id=iframe> </iframe>
  <script>
  var body = bodyElement;
  iframe.contentDocument.documentElement.appendChild(body);
  </script>

Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 22 2016
Jan 5 2017
Jan 6 2017
Jan 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/9ea74b3f541f6850a48f6a2b4d08f3d4de95dcf4

commit 9ea74b3f541f6850a48f6a2b4d08f3d4de95dcf4
Author: rune <rune@opera.com>
Date: Fri Jan 06 20:28:55 2017

Use setNeedsActiveStyleUpdate instead of markTreeScopeDirty.

setNeedsActiveStyleUpdate checks if the document is active before calling markTreeScopeDirty. This avoids marking shadow root tree scopes dirty for non-active documents which caused a DCHECK fail in markTreeScopeDirty.

R=esprehn@chromium.org
BUG= 676441

Review-Url: https://codereview.chromium.org/2611053004
Cr-Commit-Position: refs/heads/master@{#442028}

[add] https://crrev.com/9ea74b3f541f6850a48f6a2b4d08f3d4de95dcf4/third_party/WebKit/LayoutTests/fast/dom/shadow/move-shadow-host-to-child-iframe-crash.html
[modify] https://crrev.com/9ea74b3f541f6850a48f6a2b4d08f3d4de95dcf4/third_party/WebKit/Source/core/dom/StyleEngine.cpp
Jan 8 2017
Jan 12 2017
ClusterFuzz has detected this issue as fixed in range 441984:442831.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4885746315165696

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  m_styleSheetCollectionMap.contains(&scope) in StyleEngine.cpp
  blink::StyleEngine::markTreeScopeDirty
  blink::StyleEngine::removePendingSheet

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=327721:327734
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=441984:442831

Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94bnIUXwjto8WRHNuBNFY0yj5KS0crhowWKHTp_eBwUvwcktrcN_HujpKCioQ47muENNqgAcp4_0UmYnB2be_Sf2yAszlSWJKBL80zZxiKMvHJFO2m6F1yg6YUhTi3SPJ7asX5OG8ZDUDgJSJbf_klFXoS82A?testcase_id=4885746315165696

  <marquee><body id=bodyElement><iframe id=iframe> </iframe>
  <script>
  var body = bodyElement;
  iframe.contentDocument.documentElement.appendChild(body);
  </script>

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by sigbjo...@opera.com, Dec 22 2016