Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5196501707128832
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  isSVGRoot
  computeTransformToSVGRoot
  blink::SVGLayoutSupport::mapToVisualRectInAncestorSpace
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=449612:449646
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96ZzKLt1y6lRQLPwZdEwsx65MHTXmpvWf8TdUt1dMt0qyL7AzYBo1H5wQoV6go3GU-WSVHaqcS0OVwDk60wT2msnT97ylilk85Y6KvVRwnGGMynA8TAofHBI9cqr6J0TAPOKruVdmJbhUN4l5iHmaDnY5Zcz_eQJYaj4h-wSWY-8k4CHw3cZYNty7yMY3DO824-kvB8OCe6EK_SQwF8SePS6gPJbMLQ5R4cDbulay4NAm2uRjsjdNHfx4c1Kd2aiTZvX1iHN0oX7Te9vzBkxWFeyc6QVhfTFzANVAMhanHEE-cMESgosdi_xPPpbzGQ24hYSp4DkjhVkKAl4KuVsMkjmLoH4xlkudX30vvZeiwXaGpwlF4N2mjQBpETuEjFfkytuE1I8VDz6DR15RL6OBYkX23AoQ?testcase_id=5196501707128832
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Findit did not find any culprit results. assigning to /src/third_party/WebKit/Source/core/layout/OWNERS, request to check the issue and help.
28ec0e0c2425d480693e8d40510b8093cef1f89f seems most likely in that range. ecobos could you take a look?
Gah, SVGStopElement :(. I'll submit a patch in a few minutes.
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d6df828820be4b0f22b9bed959fb2bd93f84b331

commit d6df828820be4b0f22b9bed959fb2bd93f84b331
Author: ecobos <ecobos@igalia.com>
Date: Mon Feb 13 13:44:00 2017

Don't unconditionally generate a layout object for SVG <stop> elements.

This is (really!) the last overload missed in
https://crrev.com/28ec0e0c2425d480693e8d40510b8093cef1f89f

BUG= 691205
Review-Url: https://codereview.chromium.org/2689083004
Cr-Commit-Position: refs/heads/master@{#449942}

[delete] https://crrev.com/7f58024526f7dfa06703d876beac569242299357/third_party/WebKit/LayoutTests/svg/crash-svg-marker-in-html.html
[add] https://crrev.com/d6df828820be4b0f22b9bed959fb2bd93f84b331/third_party/WebKit/LayoutTests/svg/svg-in-html.html
[modify] https://crrev.com/d6df828820be4b0f22b9bed959fb2bd93f84b331/third_party/WebKit/Source/core/svg/SVGStopElement.cpp
Issue 691245 has been merged into this issue.
Issue 691338 has been merged into this issue.
ClusterFuzz testcase 6330276168073216 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
ClusterFuzz has detected this issue as fixed in range 449936:449972.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5196501707128832
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  isSVGRoot
  computeTransformToSVGRoot
  blink::SVGLayoutSupport::mapToVisualRectInAncestorSpace
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=449612:449646
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=449936:449972
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96ZzKLt1y6lRQLPwZdEwsx65MHTXmpvWf8TdUt1dMt0qyL7AzYBo1H5wQoV6go3GU-WSVHaqcS0OVwDk60wT2msnT97ylilk85Y6KvVRwnGGMynA8TAofHBI9cqr6J0TAPOKruVdmJbhUN4l5iHmaDnY5Zcz_eQJYaj4h-wSWY-8k4CHw3cZYNty7yMY3DO824-kvB8OCe6EK_SQwF8SePS6gPJbMLQ5R4cDbulay4NAm2uRjsjdNHfx4c1Kd2aiTZvX1iHN0oX7Te9vzBkxWFeyc6QVhfTFzANVAMhanHEE-cMESgosdi_xPPpbzGQ24hYSp4DkjhVkKAl4KuVsMkjmLoH4xlkudX30vvZeiwXaGpwlF4N2mjQBpETuEjFfkytuE1I8VDz6DR15RL6OBYkX23AoQ?testcase_id=5196501707128832
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by nyerramilli@google.com, Feb 13 2017
Components: Blink>SVG
Labels: Test-Predator-Wrong-CLs M-58
Owner: fmalita@chromium.org
Status: Assigned (was: Untriaged)