
Issue 686424

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug




Crash in blink::SVGElement::applyActiveWebAnimations

Project Member Reported by ClusterFuzz, Jan 28 2017

Issue description

Comment 1 by tkent@chromium.org, Jan 30 2017

Components: Blink>SVG
Blame result seems wrong. I've requested a new blame run.

Leaving Untriaged until we get more info.

Comment 3 by f...@opera.com, Feb 1 2017

Owner: f...@opera.com
Status: Assigned (was: Untriaged)

Comment 4 by f...@opera.com, Feb 1 2017

The (innermost) crash stack here is very similar to that of issue 686915, i.e. it's a flush of "pending" Web Animations. It's very likely that the fix is the same in both cases.

Comment 5 by f...@opera.com, Feb 10 2017

Cc: msrchandra@chromium.org f...@opera.com alancutter@chromium.org
Issue 686915 has been merged into this issue.

Comment 6 by f...@opera.com, Feb 10 2017

Cc: mummare...@chromium.org
Issue 690126 has been merged into this issue.

Project Member Comment 7 by bugdroid1@chromium.org, Feb 15 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/49bd1e63cb077e88db6d89f5a3db801dec55e743

commit 49bd1e63cb077e88db6d89f5a3db801dec55e743
Author: fs <fs@opera.com>
Date: Wed Feb 15 14:24:38 2017

Don't clear 'web animations dirty' flag if we have no rare data

If an SVGElement has an instantiated ElementAnimations object and
animation time has progressed, but no actual animation has been applied
(and hence no SVGElementRareData has been created), we don't need to
clear the dirty bit in the rare data.
The initial trigger for this seems to be the Element.computedName
implementation for a detached node, which tries to compute style in
this case, triggering a DCHECK in Node::containingTreeScope when doing
so.

BUG=686424

Review-Url: https://codereview.chromium.org/2689713003
Cr-Commit-Position: refs/heads/master@{#450689}

[add] https://crrev.com/49bd1e63cb077e88db6d89f5a3db801dec55e743/third_party/WebKit/LayoutTests/svg/animations/animval-web-animations-flush-crash.html
[modify] https://crrev.com/49bd1e63cb077e88db6d89f5a3db801dec55e743/third_party/WebKit/Source/core/svg/SVGElement.cpp
[modify] https://crrev.com/49bd1e63cb077e88db6d89f5a3db801dec55e743/third_party/WebKit/Source/modules/accessibility/AXObject.cpp

Comment 8 by f...@opera.com, Feb 21 2017

Status: Fixed (was: Assigned)
Project Member Comment 9 by ClusterFuzz, Apr 19 2017

ClusterFuzz has detected this issue as fixed in range 450686:450691.

Detailed report: https://clusterfuzz.com/testcase?key=4634710421798912

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000003c
Crash State:
  blink::SVGElement::applyActiveWebAnimations
  blink::SVGLengthTearOff::hasExposedLengthUnit
  blink::SVGLengthTearOff::unitType
  
Memory Tool: SYZYASAN

Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=446719:446721
Fixed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=450686:450691

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv965Yyi8o3UEYyLdPTNCuiNFt_VYvswz4Umuku8dR0JIcELlELuNgCentcK0fK-LKHn2WBTndLpzA2GCT55rNs8ajm4Ggo1pEZa7XqgZzsh51zVgAtDUIDrSbnz6uXletyOI4KoSYG2JmYwI72ZLqG5DoPb8IHs_LWxIrRIxK_O8H1NO4U_n0syuT_cdyUIQJRP6JrPsyX9BZdjNy2OBP490dDSldXFqY57RdVHjGHu9brK3ypx67v3BsxkKPyeoGGwyWIHHm-VAXa1bNurtMHEvFJQ9KpN52CwmOhD35aWdYV-s5BVM1SlSIweAufbJc9HwQhBV3z2D2FJwfjTRKzDvPirTxEFpRLbrpQ341a90QL8StKs?testcase_id=4634710421798912

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
