Crash in blink::MatchRequest::MatchRequest
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6387185524932608

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000015b
Crash State:
  blink::MatchRequest::MatchRequest
  blink::ScopedStyleResolver::collectMatchingAuthorRules
  blink::StyleResolver::matchAuthorRulesV0

Memory Tool: SYZYASAN
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=443991:443998

Minimized Testcase (0.83 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96sq7jz4nAOMWdqDcSBv1UAVUG9y1Z56GTc5_EFc8CU6A4Jg-fDD7gSuBpFm1-Sg1e6M89gAM0tuhxhn2J7YzRmnQzRtCJX0gOAeeUdqqm2qrGrtbW_4OJsLysKANx-dGSkRpNcp8YLno_9apbi3vU1y4ouEr__dxc0j9upS1g0s6l_hcJfAZtEK-OLp9frJO9fqNLAxU1cdPFSti6kzxqlfWme_x_NGl4QvDXVsteDkuhiY2jfM9wp1hk9s4rA90cteb-250g7iNvzg4Fs5adO5wt4MVPJem4ZmdTVXAPJ6YyRdYpYX_eZIFOU9poMSAA9QsV5EwU1Tcm1QYzib_l2f5uZn_l9JmxxPfiEiqcPBPaFoA8?testcase_id=6387185524932608

<style>
#htmlvar00009 { mix-blend-mode: hard-light;</style>
<script>
function jsfuzzer() {
  var htmlvar00028 = document.createElement("style"); //HTMLStyleElement
  /* StyleSheetList*/ var var00030 = document.styleSheets;
  /* StyleSheet*/ var var00029 = var00030.item(80%var00030.length);
  /* MediaList*/ var var00028 = var00029.media;
  var00028.mediaText = String.fromCharCode( 45);
  if(htmlvar00015) htmlvar00015.appendChild(htmlvar00028);
  /* CSSRuleList*/ var var00047 = window.getMatchedCSSRules(htmlvar00009);
  /* CSSRule*/ var var00046 = var00047.item(97%var00047.length);
  /* CSSStyleSheet*/ var var00045 = var00046.parentStyleSheet;
  /* long*/ var var00044 = var00045.addRule();
  document.linkColor = String.fromCharCode( 35898);
}
</script>
<body onload=jsfuzzer()>
<table>
<th id="htmlvar00009">
<dir id="htmlvar00015">

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 23 2017

Jan 23 2017

Jan 25 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/67cfc67e3b62993bb0df9395559e1d1a76d26213

commit 67cfc67e3b62993bb0df9395559e1d1a76d26213
Author: rune <rune@opera.com>
Date: Wed Jan 25 13:09:54 2017

Return ActiveSheetsChanged when rulesets change in common prefix.

When comparing old and new active sheets, we only append the added sheets to the ScopedStyleResolver if the old sheet vector is a prefix of the new sheets. However, that's not correct if any of the RuleSets in the common prefix changed due to media query changes or cssom modifications of a stylesheet.

I can confirm that this fixes 681472. The other two issues in the BUG field look like duplicates, but I've not been able to reproduce them.

R=meade@chromium.org,sashab@chromium.org
BUG=681472, 677371, 681882

Review-Url: https://codereview.chromium.org/2650743002
Cr-Commit-Position: refs/heads/master@{#446008}

[add] https://crrev.com/67cfc67e3b62993bb0df9395559e1d1a76d26213/third_party/WebKit/LayoutTests/fast/css/null-ruleset-non-matching-media-crash.html
[modify] https://crrev.com/67cfc67e3b62993bb0df9395559e1d1a76d26213/third_party/WebKit/Source/core/css/ActiveStyleSheets.cpp
[modify] https://crrev.com/67cfc67e3b62993bb0df9395559e1d1a76d26213/third_party/WebKit/Source/core/css/ActiveStyleSheetsTest.cpp
Jan 26 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4833c6af7aed66bb1fc500f45f43d6476b890b86

commit 4833c6af7aed66bb1fc500f45f43d6476b890b86
Author: Rune Lillesveen <rune@opera.com>
Date: Thu Jan 26 13:59:56 2017

Return ActiveSheetsChanged when rulesets change in common prefix.

When comparing old and new active sheets, we only append the added sheets to the ScopedStyleResolver if the old sheet vector is a prefix of the new sheets. However, that's not correct if any of the RuleSets in the common prefix changed due to media query changes or cssom modifications of a stylesheet.

I can confirm that this fixes 681472. The other two issues in the BUG field look like duplicates, but I've not been able to reproduce them.

R=meade@chromium.org,sashab@chromium.org
BUG=681472, 677371, 681882

Review-Url: https://codereview.chromium.org/2650743002
Cr-Commit-Position: refs/heads/master@{#446008}
(cherry picked from commit 67cfc67e3b62993bb0df9395559e1d1a76d26213)

Review-Url: https://codereview.chromium.org/2655283002
Cr-Commit-Position: refs/branch-heads/2987@{#102}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[add] https://crrev.com/4833c6af7aed66bb1fc500f45f43d6476b890b86/third_party/WebKit/LayoutTests/fast/css/null-ruleset-non-matching-media-crash.html
[modify] https://crrev.com/4833c6af7aed66bb1fc500f45f43d6476b890b86/third_party/WebKit/Source/core/css/ActiveStyleSheets.cpp
[modify] https://crrev.com/4833c6af7aed66bb1fc500f45f43d6476b890b86/third_party/WebKit/Source/core/css/ActiveStyleSheetsTest.cpp
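The comparison the two commit messages above describe, as an added example written for this page (model code, not Blink's ActiveStyleSheets.cpp): the pre-fix variant reports "appended" whenever the old sheet vector is a prefix of the new one, the post-fix variant also accounts for RuleSets that changed inside the common prefix. Sheet and RuleSet identities are ints standing in for pointers; ActiveSheetsChanged is the name from the commit message, the other enumerator names and all function names are assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <utility>
#include <vector>

// Model of the active-stylesheet comparison in this bug (not Blink's code).
// Assumed shape: each active sheet is a (sheet id, RuleSet id) pair; Blink
// compares pointers, plain ints stand in here. ActiveSheetsChanged is named in
// the commit message; the other two enumerators are assumed to match Blink's.
using ActiveSheet = std::pair<int, int>;
using ActiveSheetVector = std::vector<ActiveSheet>;
enum ActiveSheetsChange { NoActiveSheetsChanged, ActiveSheetsAppended, ActiveSheetsChanged };

struct PrefixScan { bool oldIsPrefix; bool ruleSetChangedInPrefix; };

// Walk the common prefix: same sheet at each index, but the RuleSet may have
// been rebuilt in place (media query re-evaluation, CSSOM edits).
static PrefixScan scanCommonPrefix(const ActiveSheetVector& oldSheets,
                                   const ActiveSheetVector& newSheets) {
  PrefixScan s{false, false};
  size_t common = std::min(oldSheets.size(), newSheets.size()), i = 0;
  for (; i < common && oldSheets[i].first == newSheets[i].first; ++i)
    if (oldSheets[i].second != newSheets[i].second) s.ruleSetChangedInPrefix = true;
  s.oldIsPrefix = (i == oldSheets.size());
  return s;
}

// Before the fix: when old is a prefix of new, only the appended sheets are
// handed to the ScopedStyleResolver, so a RuleSet that changed inside the
// prefix is never reflected in the resolver.
ActiveSheetsChange compareBeforeFix(const ActiveSheetVector& oldSheets,
                                    const ActiveSheetVector& newSheets) {
  PrefixScan s = scanCommonPrefix(oldSheets, newSheets);
  if (!s.oldIsPrefix) return ActiveSheetsChanged;
  if (oldSheets.size() == newSheets.size())
    return s.ruleSetChangedInPrefix ? ActiveSheetsChanged : NoActiveSheetsChanged;
  return ActiveSheetsAppended;  // bug: ruleSetChangedInPrefix is ignored here
}

// After the fix: a changed RuleSet anywhere in the common prefix forces the
// full ActiveSheetsChanged path even when sheets were only appended.
ActiveSheetsChange compareAfterFix(const ActiveSheetVector& oldSheets,
                                   const ActiveSheetVector& newSheets) {
  PrefixScan s = scanCommonPrefix(oldSheets, newSheets);
  if (!s.oldIsPrefix || s.ruleSetChangedInPrefix) return ActiveSheetsChanged;
  return oldSheets.size() == newSheets.size() ? NoActiveSheetsChanged
                                              : ActiveSheetsAppended;
}
```

The testcase in the report follows exactly this shape: the media text of an existing sheet is changed (its RuleSet is rebuilt) and a new style element is appended in the same update.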
Jan 27 2017
Comment 1 by mummare...@chromium.org, Jan 17 2017
Labels: Test-Predator-Wrong M-57
Owner: meade@chromium.org
Status: Assigned (was: Untriaged)