Crash in blink::RuleFeatureSet::add
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4544782853734400
Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x0000000000dc
Crash State:
  blink::RuleFeatureSet::add
  blink::ScopedStyleResolver::collectFeaturesTo
  blink::StyleEngine::collectScopedStyleFeaturesTo
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=438143:438157
Minimized Testcase (1.85 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Iyb_FN22EyhZYdUvpDprOCwd6QmNIw_MPO2mClpjE-SpQrhdDjycuTCB5DIMe2rERpkrBYntLHoy_6xTyiX3un93r457jfPaQHDunyKc50uQuR6oHv8uWsnXSNdPlFHJNlZJnhfekVGcSSNvay0T6Bui9Tb8VHpU3P8QrW-_yqW7KxeqLWIbhmY213LPBtJ6k00S6AqYVl8eJTeYBa1gtTkL9knIDRJM20b61IMBvH26HlXTz9qqMJPSU9BM0Nzo2ZLptsmb8oVVSc946xDToPIbqoIyctbSKJhgDezTCPXS-V2BG0yyjFKZLJMBIwpV6OIOR1r_BRj15halN2XkJGC6zJX0s8abvhTLS_qvqQt_Y6g1UbkV96CvBBq7UAGm35RfgqpM2zHPVLG_YUBWG9XScbw?testcase_id=4544782853734400
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 5 2017
I was not able to reproduce building asan chrome on Linux with the same gn args as the fuzzer report says. I guess this can only be reproduced on Mac?
Jan 5 2017
Issue 678743 has a similar stack, but for Windows.
Jan 11 2017
Jan 11 2017
Jan 20 2017
Jan 23 2017
Jan 25 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/67cfc67e3b62993bb0df9395559e1d1a76d26213

commit 67cfc67e3b62993bb0df9395559e1d1a76d26213
Author: rune <rune@opera.com>
Date: Wed Jan 25 13:09:54 2017

Return ActiveSheetsChanged when rulesets change in common prefix.

When comparing old and new active sheets, we only append the added sheets to the ScopedStyleResolver if the old sheet vector is a prefix of the new sheets. However, that's not correct if any of the RuleSets in the common prefix changed due to media query changes or cssom modifications of a stylesheet.

I can confirm that this fixes 681472. The other two issues in the BUG field look like duplicates, but I've not been able to reproduce them.

R=meade@chromium.org,sashab@chromium.org
BUG=681472,677371,681882

Review-Url: https://codereview.chromium.org/2650743002
Cr-Commit-Position: refs/heads/master@{#446008}

[add] https://crrev.com/67cfc67e3b62993bb0df9395559e1d1a76d26213/third_party/WebKit/LayoutTests/fast/css/null-ruleset-non-matching-media-crash.html
[modify] https://crrev.com/67cfc67e3b62993bb0df9395559e1d1a76d26213/third_party/WebKit/Source/core/css/ActiveStyleSheets.cpp
[modify] https://crrev.com/67cfc67e3b62993bb0df9395559e1d1a76d26213/third_party/WebKit/Source/core/css/ActiveStyleSheetsTest.cpp
Jan 26 2017
ClusterFuzz has detected this issue as fixed in range 445996:446011.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4544782853734400
Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x0000000000dc
Crash State:
  blink::RuleFeatureSet::add
  blink::ScopedStyleResolver::collectFeaturesTo
  blink::StyleEngine::collectScopedStyleFeaturesTo
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=438143:438157
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=445996:446011
Minimized Testcase (1.85 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Iyb_FN22EyhZYdUvpDprOCwd6QmNIw_MPO2mClpjE-SpQrhdDjycuTCB5DIMe2rERpkrBYntLHoy_6xTyiX3un93r457jfPaQHDunyKc50uQuR6oHv8uWsnXSNdPlFHJNlZJnhfekVGcSSNvay0T6Bui9Tb8VHpU3P8QrW-_yqW7KxeqLWIbhmY213LPBtJ6k00S6AqYVl8eJTeYBa1gtTkL9knIDRJM20b61IMBvH26HlXTz9qqMJPSU9BM0Nzo2ZLptsmb8oVVSc946xDToPIbqoIyctbSKJhgDezTCPXS-V2BG0yyjFKZLJMBIwpV6OIOR1r_BRj15halN2XkJGC6zJX0s8abvhTLS_qvqQt_Y6g1UbkV96CvBBq7UAGm35RfgqpM2zHPVLG_YUBWG9XScbw?testcase_id=4544782853734400
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 26 2017
Jan 26 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4833c6af7aed66bb1fc500f45f43d6476b890b86

commit 4833c6af7aed66bb1fc500f45f43d6476b890b86
Author: Rune Lillesveen <rune@opera.com>
Date: Thu Jan 26 13:59:56 2017

Return ActiveSheetsChanged when rulesets change in common prefix.

When comparing old and new active sheets, we only append the added sheets to the ScopedStyleResolver if the old sheet vector is a prefix of the new sheets. However, that's not correct if any of the RuleSets in the common prefix changed due to media query changes or cssom modifications of a stylesheet.

I can confirm that this fixes 681472. The other two issues in the BUG field look like duplicates, but I've not been able to reproduce them.

R=meade@chromium.org,sashab@chromium.org
BUG=681472,677371,681882

Review-Url: https://codereview.chromium.org/2650743002
Cr-Commit-Position: refs/heads/master@{#446008}
(cherry picked from commit 67cfc67e3b62993bb0df9395559e1d1a76d26213)

Review-Url: https://codereview.chromium.org/2655283002 .
Cr-Commit-Position: refs/branch-heads/2987@{#102}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[add] https://crrev.com/4833c6af7aed66bb1fc500f45f43d6476b890b86/third_party/WebKit/LayoutTests/fast/css/null-ruleset-non-matching-media-crash.html
[modify] https://crrev.com/4833c6af7aed66bb1fc500f45f43d6476b890b86/third_party/WebKit/Source/core/css/ActiveStyleSheets.cpp
[modify] https://crrev.com/4833c6af7aed66bb1fc500f45f43d6476b890b86/third_party/WebKit/Source/core/css/ActiveStyleSheetsTest.cpp
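The comparison that the commit message describes (in the original landing above and in this cherry-pick of it), as an added illustration that is not Blink's code: a simplified model of comparing the old and new active-sheet vectors, with the prefix-only logic the message calls out as incorrect beside a corrected version that also notices a RuleSet swapped out inside the common prefix. The types `StyleSheet` and `RuleSet`, the functions `comparePrefixOnly`, `compareWithRuleSetCheck` and `runMediaScenario`, and the scenario (a sheet whose media query stops matching, leaving a null RuleSet, while another sheet is appended) are constructed for this example; the real `ActiveStyleSheets.cpp` internals are not reproduced here.

```cpp
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

// Stand-ins for blink::CSSStyleSheet and blink::RuleSet (hypothetical, model only).
struct StyleSheet { int id; };
struct RuleSet { int id; };

// An active sheet pairs a stylesheet with the RuleSet it currently contributes.
// The RuleSet pointer is null when the sheet's media query does not match.
struct ActiveStyleSheet {
  const StyleSheet* sheet;
  const RuleSet* ruleSet;
};
using ActiveStyleSheetVector = std::vector<ActiveStyleSheet>;
using RuleSetSet = std::set<const RuleSet*>;

enum ActiveSheetsChange { NoActiveSheetsChanged, ActiveSheetsChanged, ActiveSheetsAppended };

static void addRuleSet(RuleSetSet& changed, const RuleSet* rs) {
  if (rs) changed.insert(rs);  // a null RuleSet contributes no features
}

// Everything from index `from` onward, in both vectors, is treated as changed.
static void addTailRuleSets(const ActiveStyleSheetVector& oldSheets,
                            const ActiveStyleSheetVector& newSheets,
                            size_t from, RuleSetSet& changed) {
  for (size_t j = from; j < oldSheets.size(); ++j) addRuleSet(changed, oldSheets[j].ruleSet);
  for (size_t j = from; j < newSheets.size(); ++j) addRuleSet(changed, newSheets[j].ruleSet);
}

// Pre-fix behaviour as the commit message describes it: the common prefix is
// compared by stylesheet identity only, so when the old vector is a prefix of
// the new one the result is "appended" even if a prefix RuleSet was replaced.
ActiveSheetsChange comparePrefixOnly(const ActiveStyleSheetVector& oldSheets,
                                     const ActiveStyleSheetVector& newSheets,
                                     RuleSetSet& changedRuleSets) {
  size_t i = 0;
  while (i < oldSheets.size() && i < newSheets.size() && oldSheets[i].sheet == newSheets[i].sheet)
    ++i;
  addTailRuleSets(oldSheets, newSheets, i, changedRuleSets);
  if (i < oldSheets.size()) return ActiveSheetsChanged;
  if (i == newSheets.size()) return NoActiveSheetsChanged;
  return ActiveSheetsAppended;  // wrong if a RuleSet inside the prefix changed
}

// Corrected behaviour: a sheet in the common prefix whose RuleSet differs
// (media query change, CSSOM edit, RuleSet becoming null) forces
// ActiveSheetsChanged, and both its old and new RuleSet are reported.
ActiveSheetsChange compareWithRuleSetCheck(const ActiveStyleSheetVector& oldSheets,
                                           const ActiveStyleSheetVector& newSheets,
                                           RuleSetSet& changedRuleSets) {
  size_t i = 0;
  bool prefixChanged = false;
  for (; i < oldSheets.size() && i < newSheets.size(); ++i) {
    if (oldSheets[i].sheet != newSheets[i].sheet) break;
    if (oldSheets[i].ruleSet != newSheets[i].ruleSet) {
      addRuleSet(changedRuleSets, oldSheets[i].ruleSet);
      addRuleSet(changedRuleSets, newSheets[i].ruleSet);
      prefixChanged = true;
    }
  }
  addTailRuleSets(oldSheets, newSheets, i, changedRuleSets);
  if (i < oldSheets.size() || prefixChanged) return ActiveSheetsChanged;
  if (i == newSheets.size()) return NoActiveSheetsChanged;
  return ActiveSheetsAppended;
}

typedef ActiveSheetsChange (*CompareFn)(const ActiveStyleSheetVector&,
                                        const ActiveStyleSheetVector&, RuleSetSet&);

// Constructed scenario modelled on the regression test's name: sheet B's media
// query stops matching, so the same sheet now carries a null RuleSet, while
// sheet C is appended. Returns the reported change and the number of RuleSets
// collected as changed.
ActiveSheetsChange runMediaScenario(CompareFn compare, size_t* changedCount) {
  static const StyleSheet a{1}, b{2}, c{3};
  static const RuleSet rsA{10}, rsB{20}, rsC{30};
  ActiveStyleSheetVector oldSheets = {{&a, &rsA}, {&b, &rsB}};
  ActiveStyleSheetVector newSheets = {{&a, &rsA}, {&b, nullptr}, {&c, &rsC}};
  RuleSetSet changed;
  ActiveSheetsChange result = compare(oldSheets, newSheets, changed);
  if (changedCount) *changedCount = changed.size();
  return result;
}

int main() {
  size_t n = 0;
  ActiveSheetsChange before = runMediaScenario(comparePrefixOnly, &n);
  std::printf("prefix-only: change=%d, changed rulesets=%zu\n", before, n);  // 2 (Appended), 1
  ActiveSheetsChange after = runMediaScenario(compareWithRuleSetCheck, &n);
  std::printf("with ruleset check: change=%d, changed rulesets=%zu\n", after, n);  // 1 (Changed), 2
  return 0;
}
```

The prefix-only version reports a plain append and collects only sheet C's RuleSet, so the resolver keeps the stale RuleSet for sheet B; the corrected version reports ActiveSheetsChanged and includes B's old RuleSet in the changed set, which is what lets the caller rebuild instead of appending.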
Comment 1 by durga.behera@chromium.org, Dec 29 2016
Labels: M-57
Owner: r...@opera.com
Status: Assigned (was: Untriaged)