layoutObject->isSVG() && (resourceType() != FilterResourceType || !layoutObject-
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5042832139354112

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  layoutObject->isSVG() && (resourceType() != FilterResourceType || !layoutObject-
  blink::LayoutSVGResourceContainer::registerResource
  blink::LayoutSVGResourceContainer::styleDidChange
Sanitizer: address (ASAN)

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95iaVTleDmdruMf3BK-wz_yr9IkJRXMZaskQMDNAHcS0VTtpny71iVLysUuBaziKOmIypAw4gerHZTj1gMwYSbcYTsBI-hS9wqm2bu1DGyvIZgDXjNWBEshAvEEf9nNxWFH9sun_754vxCT21hQE2havMDga7AUlI0dg1NPuGmJ8rVevjXQic3A-B9AJOUmqBE3zenZvZaEF44bVzaJnrsXM6La7t0d3_qp211g5wFlmwpX53MrkekPW52IANBVIBU3dhLcPgWHtP6-7040yLILLzPf6VTp_RDlVeRR_i4EXRwytn8NIhvStvgcve-3V43alFwkrrTlcfNSisTiYdXWlAguhVx-BASPc_PoAwiZ6-MdXbQ?testcase_id=5042832139354112

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Feb 3 2017
This probably just needs an adjustment to the DCHECK. "Pending elements" can still be associated with "resource containers" with a non-matching type.
Feb 7 2017
Adjusting priority per c#2. Fixing component.
Feb 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/eeca548902f5508923a683529845f369cc392c6f

commit eeca548902f5508923a683529845f369cc392c6f
Author: fs <fs@opera.com>
Date: Tue Feb 07 19:15:57 2017

Remove faulty assertion in LayoutSVGResourceContainer::registerResource

When notifying pending elements we don't know what resource type the registration is for, so it's entirely plausible that the resource type is one that a possible client isn't really interested in (like a 'mask' ending up pointing to a <filter>, like in this particular case.)

BUG=687985

Review-Url: https://codereview.chromium.org/2680683003
Cr-Commit-Position: refs/heads/master@{#448688}

[add] https://crrev.com/eeca548902f5508923a683529845f369cc392c6f/third_party/WebKit/LayoutTests/svg/masking/mask-valid-reference-wrong-element-type-crash-expected.txt
[add] https://crrev.com/eeca548902f5508923a683529845f369cc392c6f/third_party/WebKit/LayoutTests/svg/masking/mask-valid-reference-wrong-element-type-crash.html
[modify] https://crrev.com/eeca548902f5508923a683529845f369cc392c6f/third_party/WebKit/Source/core/layout/svg/LayoutSVGResourceContainer.cpp
Feb 8 2017
ClusterFuzz has detected this issue as fixed in range 448608:448689.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5042832139354112

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  layoutObject->isSVG() && (resourceType() != FilterResourceType || !layoutObject-
  blink::LayoutSVGResourceContainer::registerResource
  blink::LayoutSVGResourceContainer::styleDidChange
Sanitizer: address (ASAN)

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=448608:448689

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95iaVTleDmdruMf3BK-wz_yr9IkJRXMZaskQMDNAHcS0VTtpny71iVLysUuBaziKOmIypAw4gerHZTj1gMwYSbcYTsBI-hS9wqm2bu1DGyvIZgDXjNWBEshAvEEf9nNxWFH9sun_754vxCT21hQE2havMDga7AUlI0dg1NPuGmJ8rVevjXQic3A-B9AJOUmqBE3zenZvZaEF44bVzaJnrsXM6La7t0d3_qp211g5wFlmwpX53MrkekPW52IANBVIBU3dhLcPgWHtP6-7040yLILLzPf6VTp_RDlVeRR_i4EXRwytn8NIhvStvgcve-3V43alFwkrrTlcfNSisTiYdXWlAguhVx-BASPc_PoAwiZ6-MdXbQ?testcase_id=5042832139354112

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 8 2017
Comment 1 by msrchandra@chromium.org, Feb 2 2017

Components: Blink>Layout
Labels: Test-Predator-Wrong
Owner: f...@opera.com
Status: Assigned (was: Untriaged)