event.type() != WebInputEvent::MouseDown || PointIsWithinContents(web_mouse.x, w
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5163009518600192
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: CHECK failure
Crash Address:
Crash State:
  event.type() != WebInputEvent::MouseDown || PointIsWithinContents(web_mouse.x, w
  content::SyntheticGestureTargetBase::DispatchInputEventToPlatform
  content::SyntheticGestureTargetMac::DispatchInputEventToPlatform
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=398628:398731

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9545Zi4_tYt0Omb0WQ5bcbCwY4lz4Cj5bvjj-XcdbjS0b6kW-o3Jv2sFkJM3D4npGCirjNFVCOOEZxwVZkhvUYODM9QCOMer5ADjkS688MnGIH2RAV8Jk4oaV8rJuHE74hryjEsDZafIHKRAD0Lw6nUiFJ3CWgYAax31xodlF8D7WKcp4-ymcfXE2cvR1wCkTYVI2IMniHWNpyH8nyj5wUfePKb5eeuaBZOJvCPQ-WfpzqH9qDwtylV1LZhmLtMuEMRpf13Yfl1Ynb33xNucS9nd831PKnL-UkSNPMnflK22G4js2u0MjRwrRAg8qoNuPMa_T-HUm0PsRfd8x6r0q_LEAZyIMWdHcaUGmRdZwSCEzKIC5A?testcase_id=5163009518600192

  <div id=box><script>
  var targetRect = box.getBoundingClientRect();
  var offset = 18446744073709551422;
  var x = targetRect.left + offset;
  var y = targetRect.top + offset;
  chrome.gpuBenchmarking.tap(x, y, function() { });
  </script>

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 24 2017
I do not think the above CLs have any relation to the crashed code. I think the crash happens when you tap somewhere out of the range. The test which calls this chrome.gpuBenchmarking.tap action with an invalid position will cause this crash, so the crash should happen.
May 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/eb843b0448b95be3dbbb5b398237a86c3861b078

commit eb843b0448b95be3dbbb5b398237a86c3861b078
Author: dtapuska <dtapuska@chromium.org>
Date: Wed May 03 18:00:52 2017

Assert the location is correct when processing a tap request.

Check that the position is correct when executing the GPU benchmark Tap request; if it isn't, throw an exception.

BUG= 683503
Review-Url: https://codereview.chromium.org/2838393002
Cr-Commit-Position: refs/heads/master@{#469032}

[modify] https://crrev.com/eb843b0448b95be3dbbb5b398237a86c3861b078/content/renderer/gpu/gpu_benchmarking_extension.cc
[modify] https://crrev.com/eb843b0448b95be3dbbb5b398237a86c3861b078/third_party/WebKit/LayoutTests/fast/events/synthetic-events/tap-on-scaled-screen.html
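The fix validates the tap position at the benchmarking API boundary so that bad script input becomes a rejected call rather than a CHECK failure in the gesture target. The following is an added illustration of that kind of check, not Chromium's code: the Viewport struct, its 800x600 size and the ValidateTapPoint signature are assumptions, and the offset is the one from the fuzzer's testcase.

```cpp
#include <cmath>

// Hypothetical viewport dimensions in CSS pixels (not a Chromium type).
struct Viewport {
  int width;
  int height;
};

// Validates a tap coordinate pair supplied by script before it is narrowed
// to integer coordinates and handed on to the gesture target. Returns true
// and fills out_x/out_y only when the point is finite and inside the
// viewport; otherwise returns false so the caller can raise an error to the
// script instead of letting a CHECK further down kill the process.
bool ValidateTapPoint(double x, double y, const Viewport& vp,
                      int* out_x, int* out_y) {
  // Reject NaN/Infinity first: every comparison with NaN is false, so a NaN
  // would otherwise slip past the range checks below.
  if (!std::isfinite(x) || !std::isfinite(y))
    return false;
  // Range-check while the values are still doubles. Narrowing an
  // out-of-range double to int is undefined behaviour in C++, so the check
  // has to come before the cast, not after it.
  if (x < 0.0 || y < 0.0 || x >= vp.width || y >= vp.height)
    return false;
  *out_x = static_cast<int>(x);
  *out_y = static_cast<int>(y);
  return true;
}

// Mirrors the fuzzer's input: the JS literal 18446744073709551422 is a
// double (about 1.8e19), so rect.left + offset lies far outside any
// viewport and must be rejected.
bool ReproducerPointAccepted(double rect_left, double rect_top) {
  const double offset = 18446744073709551422.0;
  const Viewport vp = {800, 600};  // constructed sample viewport
  int x = 0, y = 0;
  return ValidateTapPoint(rect_left + offset, rect_top + offset, vp, &x, &y);
}
```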
May 4 2017
ClusterFuzz has detected this issue as fixed in range 469008:469064.

Detailed report: https://clusterfuzz.com/testcase?key=5163009518600192
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: CHECK failure
Crash Address:
Crash State:
  event.type() != WebInputEvent::MouseDown || PointIsWithinContents(web_mouse.x, w
  content::SyntheticGestureTargetBase::DispatchInputEventToPlatform
  content::SyntheticGestureTargetMac::DispatchInputEventToPlatform
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=398628:398731
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=469008:469064
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5163009518600192

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 4 2017
ClusterFuzz testcase 5163009518600192 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by tapted@chromium.org, Jan 24 2017
Components: Blink>Input
Owner: lanwei@chromium.org
Status: Assigned (was: Untriaged)