Issue 688218

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Crash in blink::Node::canParticipateInFlatTree

Project Member Reported by ClusterFuzz, Feb 3 2017

Issue description

Components: Blink>Layout
Labels: Test-Predator-Correct-CLs M-58
Owner: r...@chromium.org
Status: Assigned (was: Untriaged)
The result is a list of CLs that change the crashed files.

Author: rego
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/03bd67fe0ded2c7031eb1c3efb39150056737492
Time: Thu Feb 02 08:40:23 2017
Lines 811-821 of file SpellChecker.cpp, which potentially caused the crash, are changed in this CL (frame #6, "removeSpellingAndGrammarMarkers").
Minimum distance from crash line to modified line: 0. (file: SpellChecker.cpp, crashed on: 811, modified: 811).

Comment 2 by r...@chromium.org, Feb 3 2017

Cc: r...@igalia.com
Components: -Blink>Layout Blink>Editing>Spellcheck
Labels: Needs-Feedback
Owner: r...@igalia.com
Sorry but I cannot reproduce this issue.

I've followed the instructions at:
https://www.chromium.org/developers/testing/addresssanitizer

I've tried with a local build using these arguments:
  is_asan = true
  enable_nacl = false
  is_debug = false

And also downloading an already built binary from:
https://commondatastorage.googleapis.com/chromium-browser-asan/index.html

Could you please explain to me the steps required to reproduce this? Thanks!

Project Member Comment 3 by ClusterFuzz, Mar 9 2017

ClusterFuzz has detected this issue as fixed in range 455091:455394.

Detailed report: https://clusterfuzz.com/testcase?key=6022310034407424

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::canParticipateInFlatTree
  blink::Document::needsLayoutTreeUpdateForNode
  blink::Document::updateStyleAndLayoutTreeForNode
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=447544:447732
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=455091:455394

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97wBjzTfAAJOLMWu0BQJv5olGBV9Y8EqggFidQgRs7lY0M7k-Ph68fP-rVS_1UXsOQgC9qnZLI08gGIB-EX63QaagyO2ZkA5Tut-KbaXuSg5B_ExbyCf5BwTGZBprYgUeL4q-r89BuV0zZrC4YnL3jnjsFtvvgp3ZpSTfK6KIpcH3G5Un8wKv5iXuxdc6JdIpgZCz9shYjSjESL-KJQbYL-OOi3zIzCaIx06wSZkmLxEoIK2gH9ln_RXaUHnHI8j_U27KkcdOeV1GaY6XFq4bpXK8eVcHd4ooRPTqaDbOymVN3w6VEyEBOzo9ru3A4m8P4fWBxtvHezF1RRVehCoiBL6DrLMpYq6u4lrMQ3nr3_mtkpgHOlUWP-Wz0CnrDN31UiWUmiRs5-YEGas1jg7quW9Wx0Gg?testcase_id=6022310034407424


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 4 by r...@igalia.com, Mar 9 2017

Cc: xiaoche...@chromium.org
Status: Fixed (was: Assigned)
I never managed to reproduce this, so I don't know if this was fixed or not.

Maybe some of the last changes by @xiaocheng fixed this:
* https://codereview.chromium.org/2734013002
* https://codereview.chromium.org/2740503002

Anyway I guess we can close this at this point.
My changes are irrelevant...

Comment 6 by r...@igalia.com, Apr 25 2017

The issue was only reproducible with --run-layout-test as it uses: window.internals.shadowRoot().

Anyway, this seems not to be a bug, but a bad test case from ClusterFuzz. See bug #714421 for more information.