
Issue 683503 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug




event.type() != WebInputEvent::MouseDown || PointIsWithinContents(web_mouse.x, w

Project Member Reported by ClusterFuzz, Jan 21 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5163009518600192

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: CHECK failure
Crash Address: 
Crash State:
  event.type() != WebInputEvent::MouseDown || PointIsWithinContents(web_mouse.x, w
  content::SyntheticGestureTargetBase::DispatchInputEventToPlatform
  content::SyntheticGestureTargetMac::DispatchInputEventToPlatform
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=398628:398731

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9545Zi4_tYt0Omb0WQ5bcbCwY4lz4Cj5bvjj-XcdbjS0b6kW-o3Jv2sFkJM3D4npGCirjNFVCOOEZxwVZkhvUYODM9QCOMer5ADjkS688MnGIH2RAV8Jk4oaV8rJuHE74hryjEsDZafIHKRAD0Lw6nUiFJ3CWgYAax31xodlF8D7WKcp4-ymcfXE2cvR1wCkTYVI2IMniHWNpyH8nyj5wUfePKb5eeuaBZOJvCPQ-WfpzqH9qDwtylV1LZhmLtMuEMRpf13Yfl1Ynb33xNucS9nd831PKnL-UkSNPMnflK22G4js2u0MjRwrRAg8qoNuPMa_T-HUm0PsRfd8x6r0q_LEAZyIMWdHcaUGmRdZwSCEzKIC5A?testcase_id=5163009518600192
<div id=box><script>
// Minimized testcase: add an offset of 2^64 - 194 (which rounds to 2^64 as a
// JavaScript number) to the box's position, so the tap lands far outside the
// page contents and trips the browser-side CHECK in DispatchInputEventToPlatform.
var targetRect = box.getBoundingClientRect();
var offset = 18446744073709551422;
var x = targetRect.left + offset;
var y = targetRect.top + offset;
chrome.gpuBenchmarking.tap(x, y, function() {
});
</script>


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by tapted@chromium.org, Jan 24 2017

Cc: dtapu...@chromium.org
Components: Blink>Input
Owner: lanwei@chromium.org
Status: Assigned (was: Untriaged)
[mac triage] lanwei@ please take a look

bisect is large - https://chromium.googlesource.com/chromium/src/+log/5c74a3e8cf2b24e16b9834c46ea2d08140846d21..933a86fd42dda0f14901786a64a0a58271621b2a?pretty=fuller

suspects

commit 3f5cea527647ebc8c505b1932d680854e162d82f
author dtapuska <dtapuska@chromium.org> Wed Jun 08 22:59:17 2016
committer Commit bot <commit-bot@chromium.org> Wed Jun 08 23:01:06 2016
Remove enable/disable wheel gestures setting.

Since wheel gesture based scrolling has shipped and the code has been
removed from blink we can remove the runtime setting.

BUG= 598798 
CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel

Review-Url: https://codereview.chromium.org/2047093002
Cr-Commit-Position: refs/heads/master@{#398716}


commit c5707d4d2131cf90f2fe8c9887a1c95c83a12812
author lanwei <lanwei@chromium.org> Wed Jun 08 22:50:00 2016
committer Commit bot <commit-bot@chromium.org> Wed Jun 08 22:52:30 2016
Use monotonic time to record the touch input latency in Blink.

Since PlatformEvent uses a monotonic time stamp, we should use monotonicallyIncreasingTime
instead of currentTime to record the touch event latency in Blink.

BUG= 617984 

Review-Url: https://codereview.chromium.org/2044923004
Cr-Commit-Position: refs/heads/master@{#398712}


commit 74a646d254f3836d7df802857b5a926adc4ec87b
author lanwei <lanwei@chromium.org> Wed Jun 08 19:16:55 2016
committer Commit bot <commit-bot@chromium.org> Wed Jun 08 19:19:51 2016
We did not set the pointer type for WebMouseEvent, which is created from NSEvent in
WebMouseEventBuilder::Build. Now we set the pointer type based on the NSEvent's
type, checking whether it is a tablet event or a subtype of a mouse event to determine its input device.

Reference:
https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/EventOverview/EventObjectsTypes/EventObjectsTypes.html#//apple_ref/doc/uid/10000060i-CH4-SW4

BUG= 615122 

Review-Url: https://codereview.chromium.org/2022843002
Cr-Commit-Position: refs/heads/master@{#398635}

Comment 2 by lanwei@chromium.org, Jan 24 2017

I do not think the above CLs have any relation to the crashed code. I think the crash happens when you tap somewhere out of the range. The test which calls this chrome.gpuBenchmarking.tap action with an invalid position will cause this crash, so the crash should happen.

Comment 3 by bugdroid1@chromium.org, May 3 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/eb843b0448b95be3dbbb5b398237a86c3861b078

commit eb843b0448b95be3dbbb5b398237a86c3861b078
Author: dtapuska <dtapuska@chromium.org>
Date: Wed May 03 18:00:52 2017

Assert the location is correct when processing a tap request.

Check that the position is correct when executing the GPU benchmark
Tap request; if it isn't, throw an exception.

BUG= 683503 

Review-Url: https://codereview.chromium.org/2838393002
Cr-Commit-Position: refs/heads/master@{#469032}

[modify] https://crrev.com/eb843b0448b95be3dbbb5b398237a86c3861b078/content/renderer/gpu/gpu_benchmarking_extension.cc
[modify] https://crrev.com/eb843b0448b95be3dbbb5b398237a86c3861b078/third_party/WebKit/LayoutTests/fast/events/synthetic-events/tap-on-scaled-screen.html
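The fix above is described as checking the tap position and throwing an exception when it is invalid. The following is an added example, not the code from that commit, showing the shape of such a check with assumed minimal Rect/Point types and a hypothetical ValidateTapPoint function; it rejects non-finite and out-of-range coordinates before any integer conversion:

```cpp
#include <cmath>

// Visible contents and an integer pixel position (assumed minimal types,
// not Chromium's gfx::Rect / gfx::Point).
struct Rect { int x; int y; int width; int height; };
struct Point { int x; int y; };

// Returns true and fills *out only when (x, y) is finite and lies inside
// `contents`; otherwise returns false so the caller can refuse the request
// (in the fix above, by throwing a JavaScript exception) instead of handing
// an out-of-range point to the browser-side CHECK.
bool ValidateTapPoint(double x, double y, const Rect& contents, Point* out) {
  // NaN compares false with everything and would slip through a plain
  // "x < left" test, so reject non-finite input explicitly.
  if (!std::isfinite(x) || !std::isfinite(y)) return false;
  // Compare in the double domain. 18446744073709551422 (2^64 - 194, the
  // testcase offset) is far beyond any int-sized rect, and a static_cast<int>
  // of it would be undefined behaviour, so no conversion happens before this.
  const double left = contents.x, top = contents.y;
  const double right = left + contents.width, bottom = top + contents.height;
  const double fx = std::floor(x), fy = std::floor(y);
  // Half-open range: the right and bottom edges are outside the contents.
  if (fx < left || fx >= right || fy < top || fy >= bottom) return false;
  // Safe now: the range check guarantees the value fits in an int pixel.
  out->x = static_cast<int>(fx);
  out->y = static_cast<int>(fy);
  return true;
}

// Mirrors the minimized testcase: a box rect plus the overflowing offset.
// The contents rect and box position are constructed sample input.
bool TestcaseTapIsRejected() {
  const Rect contents = {0, 0, 800, 600};
  const double offset = 18446744073709551422.0;  // offset from the testcase
  const double box_left = 8.0, box_top = 8.0;
  Point ignored;
  return !ValidateTapPoint(box_left + offset, box_top + offset, contents, &ignored);
}
```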


Comment 4 by ClusterFuzz, May 4 2017

ClusterFuzz has detected this issue as fixed in range 469008:469064.

Detailed report: https://clusterfuzz.com/testcase?key=5163009518600192

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: CHECK failure
Crash Address: 
Crash State:
  event.type() != WebInputEvent::MouseDown || PointIsWithinContents(web_mouse.x, w
  content::SyntheticGestureTargetBase::DispatchInputEventToPlatform
  content::SyntheticGestureTargetMac::DispatchInputEventToPlatform
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=398628:398731
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=469008:469064

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5163009518600192


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by ClusterFuzz, May 4 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5163009518600192 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
