Crash in blink::LayoutObject::document
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6671544895143936

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000013
Crash State:
  blink::LayoutObject::document
  blink::ObjectPaintInvalidator::invalidateDisplayItemClient
  blink::PaintInvalidationCapableScrollableArea::willRemoveScrollbar

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=441038:441040

Minimized Testcase (1.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96o-NCzT22KoMVSu1mSZbNxkubzHqbDZQs6U8XFQA0iErbd74mFsgOuWPyf9SCmRtKxLYAQftV_lj_hhs4dymb9CSZgOhg2OuCHOILMYLtCRLfxsk1x_YGb-L55zqt3S9fFhqRpCB-wRan1uuVMs683x-vXroWmgspF75PO-QZG5-rJeaGn5NyIoIU59vHLeJgDAxmwYC6fF4X1JVmO2dF-hpjlrYhVGgY0QbwbE2LmtkApzgrpQcrkZHi4tKMv7vzHBBsrmb5YK9L0JYiceh9zmfaqekBBaLEnIsykyiNwQNXNwt3ajuFiLfEqZ47netHA_aJtvUpzQoS4Olr0ua2i2pOaFLY-m7YVfuAhWbBHZPo-P0ljhcA2Hg_2xYM-ErTMYQ25iTuNZgKV15nKcQl8k8uwdg?testcase_id=6671544895143936

Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 5 2017
Ugh, more deferred Widget destruction fun. +dcheng@ Haven't had time to look in depth yet but looks like we try to invalidate after removing a scrollbar contained by the destroyed widget and we touch a detached LayoutObject.
Feb 4 2017
ClusterFuzz testcase 6671544895143936 is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by dtapu...@chromium.org, Jan 3 2017
Components: Blink>Scroll
Owner: bokan@chromium.org
Status: Assigned (was: Untriaged)