DOM tree corruption
Reported by wadih.ma...@gmail.com, Jan 5 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Steps to reproduce the problem:
1. Open http://localhost/poc.html
2. Click on the button "manipulate...". This should lead to a crash, meaning that the detached document is still in an active state.

What is the expected behavior?
When a document is detached, it shouldn't remain in an active state.

What went wrong?
The print job from Flash is executed during the detachment of one of the child frames containing an embedded swf. This causes the document of this frame to stay in an active state even when all detachments are done and bing.com is loaded. This can be seen in the PoC: innerText() causes a crash in needsLayout(), meaning that the manipulated document is still considered active.

Did this work before? N/A
Chrome version: 55.0.2883.87
Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 24.0 r0
Jan 5 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5947060080869376
Jan 5 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4708967440973824
Jan 9 2017
Thanks for your report. When I'm trying to reproduce the issue, the browser tries to save the 'empty.swf' file and warns me that it can be dangerous. Is it expected behavior? Should I accept or reject it? After waiting for the bing.com page to be loaded (~1-2 minutes), I click on the "manipulate ..." button and nothing happens. Also please notice that Flash is disabled by default: https://blog.google/products/chrome/flash-and-chrome/
Jan 9 2017
empty.swf should be executed. Do you get the alert "Flash required"? I updated Chrome to version 55 and Flash is still enabled by default. I forgot to mention that this PoC works on Linux too.
Jan 9 2017
In my tests, the browser never tried to save the 'empty.swf' file.
Jan 17 2017
Sorry for the delayed reply. I am able to get the poc running, but clicking the button doesn't lead to a crash for me. Re: comment 4, you may have needed to host this on a web server or run with --allow-file-access-from-files. Do you have any crash report IDs from chrome://crashes/ related to this, or have a more consistent PoC that leads to the crash? If not, we may not be able to act on this.
Jan 17 2017
Jan 17 2017
This is the crash I get, demonstrating that one of the documents remains active (the stack is in the attachment):
0:012> g
(1268.16a8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000002 ecx=00000000 edx=00000001 esi=47ee3e30 edi=00000000
eip=6957a22e esp=002bd78c ebp=002bd7a4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
chrome_child!blink::FrameView::needsLayout [inlined in chrome_child!blink::FrameView::needsLayout]:
6957a22e 8b8194000000    mov     eax,dword ptr [ecx+94h] ds:002b:00000094=????????
Jan 17 2017
In main.html, if you replace 'sleep(5000)' with 'alert(1)', maybe it will work for you?
Jan 24 2017
Thank you for providing more feedback. Adding requester "mbarbella@chromium.org" for another review and adding "Needs-Review" label for tracking. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 25 2017
Jan 26 2017
Jan 27 2017
Either when running from a local server or with --allow-file-access-from-files, empty.swf is triggering a download for me as well. +eae: since you're more familiar with this code than me, maybe the repro will make more sense to you?
Jan 27 2017
Unable to reproduce and neither can clusterfuzz. Closing.
May 6 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot