New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 693848 link

Starred by 1 user
Status: Fixed
Owner:
hirosh...@chromium.org
Closed: Feb 2017
Cc:
msrchandra@chromium.org
mac-bugs-priority@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug



Sign in to add a comment

Crash in blink::FrameView::invalidatePaintForTickmarks

Project Member Reported by ClusterFuzz, Feb 18 2017

Comment 1 by msrchandra@chromium.org, Feb 20 2017

Cc: msrchandra@chromium.org
Labels: Test-Predator-Correct-CLs M-58
Owner: hirosh...@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: hiroshige
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/f768d0e471877996cf0dd06f2a3b1cb9ba49c6be
Time: Fri Nov 04 09:33:28 2016
File Internals.cpp is changed in this cl (and is part of stack frame #3, "blink::Internals::addTextMatchMarker")
Minimum distance from crash line to modified line: 37. (file: Internals.cpp, crashed on: 1034, modified: 997).

@hiroshige -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by hirosh...@chromium.org, Feb 21 2017

Status: Started (was: Assigned)
Project Member

Comment 3 by bugdroid1@chromium.org, Feb 22 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/68ca487c1e84a61cbcf3995637376d45bc1ff01b

commit 68ca487c1e84a61cbcf3995637376d45bc1ff01b
Author: hiroshige <hiroshige@chromium.org>
Date: Wed Feb 22 08:29:22 2017

FrameView can be null in addTextMatchMaker() after appendChild(iframe)

Range's owner document's FrameView can be cleared after the iframe
to which the range belongs to is appendChild()ed.
This CL fixes Internals::addTextMatchMarker() to handle such cases.

BUG= 693848 

Review-Url: https://codereview.chromium.org/2706913003
Cr-Commit-Position: refs/heads/master@{#451929}

[modify] https://crrev.com/68ca487c1e84a61cbcf3995637376d45bc1ff01b/third_party/WebKit/Source/core/testing/Internals.cpp
Project Member

Comment 4 by ClusterFuzz, Feb 22 2017 

ClusterFuzz has detected this issue as fixed in range 451926:451960.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5415145204613120

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000400
Crash State:
  blink::FrameView::invalidatePaintForTickmarks
  blink::Internals::addTextMatchMarker
  blink::V8Internals::addTextMatchMarkerMethodCallback
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=429839:429929
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=451926:451960

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94nN20Ee9BhbrDNw4eSdMapCWr1Gtdh3crbARwAjGnFFnlUTOWtZM_3eyvXj7CvjclmsjBzlTVPlJr7OLIiZoI3K9AELlPx8cEfxAt0eESnuiqXfj2s9tLSLVoHyUrmiBeld7mP-PW6_jj5mKwn3d1OD1bX4uNM2H5Jad67wT88b1NyebO3vEmjeXsc2GcXOh7N_CTQogYnupficb_IF6isX5FIPuUqj9ma7jMxjyB5fQQJhOvlE7dhopIReDKXyN2d5G4a0zRyFoZe0tlONWdW7L0oPO8X2ulHB6CRz7sQhKfALlVNEWy943RXWiRBbCCC1WY1RJJgvzettvTKTOgvSHIYL9cvpIezw3nyW5Vsdl89Rr26mS_U4W_eL_XHpVLqMa4oZwFF-K2cSX6lMhJ99MjeBw?testcase_id=5415145204613120


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by hirosh...@chromium.org, Feb 22 2017

Status: Fixed (was: Started)

Sign in to add a comment