Issue 682824


Issue metadata

Status: Verified
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug


Crash in blink::FrameHost::globalRootScrollerController

Project Member Reported by ClusterFuzz, Jan 19 2017

Issue description

Components: Blink>Scroll
Labels: M-57 Test-Predator-Correct
Owner: bokan@chromium.org
Status: Assigned (was: Untriaged)
The result is a list of CLs that change the crashed files. 

Author: bokan
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/cc87319620d224e62ae3aac4f1c027f5afd7e392
Time: Tue Dec 06 21:12:30 2016
File FrameView.cpp is changed in this cl (and is part of stack frame #2, "blink::FrameView::dispose")
Minimum distance from crash line to modified line: 7. (file: FrameView.cpp, crashed on: 342, modified: 335).

Comment 2 by bokan@chromium.org, Jan 20 2017

Cc: dcheng@chromium.org
+dcheng@: Looks like we're still getting into FrameView::dispose with a detached FrameHost. Are you still the one to look at these Widget issues? (I also have another in issue 677758.)

Comment 3 by ClusterFuzz, Mar 2 2017

ClusterFuzz has detected this issue as fixed in range 453344:453359.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5829289405841408

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000038
Crash State:
  blink::FrameHost::globalRootScrollerController
  blink::FrameView::dispose
  blink::HTMLFrameOwnerElement::UpdateSuspendScope::performDeferredWidgetTreeOpera
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=436692:436770
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=453344:453359

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94jrmr7XLM60BegWHXrSQAJwQ2rpD3umrwtCSk7EyCeJdN0prInt1PlFlBbOoTAn8Bvr3ofTyIQ0Kpw-zUius6kHi4zcPInWpLosFgIuLy-QQtfoF6wfuu7jBn83sRQPcnIJIV8iZ0zQJHYAQXXYRk_xfHob_yOebXlXOKXtvCYTkOXLo66-Z1a-iTvsrAHFhihew63KD4ANWHtLypaV25unGMJzHWtxsdUgpOno3VGGFk3Q72t9FFpadJnnHjwOJXqItkaTd9hSsYgkAKqeBnZbeYK9y81sGZ4dXjjJQXYZsgddCweljv840_OUo9CLuj-cxixzsDRH-VQx9BJfMqWqn0HUQxs6nTCJA1D5q5iVBmbYK3IzmOrGPjZqyw4gcvhSvfIxDzZEWd5UW440DSSDJeMOw?testcase_id=5829289405841408


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 4 by ClusterFuzz, Mar 2 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5829289405841408 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
