Crash in blink::PaintLayerScrollableArea::needsScrollbarReconstruction
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4697830553026560

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000042
Crash State:
  blink::PaintLayerScrollableArea::needsScrollbarReconstruction
  blink::PaintLayerScrollableArea::updateAfterLayout
  blink::LayoutBlockFlow::layoutBlock

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=451929:451968

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95X6TnWML7y9zlrwmPaolIxDnO6StsOKkTnGhwgHJsj9rYLwGA7oyeqRDts0XXZ5uk95-rC2xBLSq4mRWVSWSFEqKsSZx-eeH4nInahL1zJ9ZQsvqJXEJeeO9rSQqmZFF1pVM7on7rlSwwuD61D2kSb5FlXb-HI4W7MP5lpr9-9DSnNWznsUNsUsFMam-_bpRYU96Q4V-hpbsrlpCNPPeh6wCzLvLKN5PC8CTF7v-9HVmjl1RXZPU3GNefCU7cMxqFiKpZxANbYd34ZZQ62bCbtXNWJDA2K97c1c61iBXLaKTLUifyKhnuyLnUm7cJbL1iihK4y2ox15s_S_YgGYtdqKqX4QS04WuPzpCKvBpiFX-muJ1U?testcase_id=4697830553026560

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 1 2017
Looks like this is due to a null reference returned by PaintLayerScrollableArea::scrollbarStyleSource(). skobes@, you touched that code recently; can you take a look?
Mar 6 2017
Mar 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d23ef9b37d71d31b82613f8ddb8da614cd54c665

commit d23ef9b37d71d31b82613f8ddb8da614cd54c665
Author: skobes <skobes@chromium.org>
Date: Tue Mar 07 18:31:17 2017

Fix null pointer dereference in PLSA's scrollbarStyleSource.

The scroller inside the alt-text shadow tree created by HTMLImageFallbackHelper was trying to read scrollbar styles from the <img> element, which had no LayoutObject because it was styled with "display: contents".

BUG= 697247
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2734993002
Cr-Commit-Position: refs/heads/master@{#455148}

[add] https://crrev.com/d23ef9b37d71d31b82613f8ddb8da614cd54c665/third_party/WebKit/LayoutTests/fast/dom/shadow/img-display-contents-crash-expected.txt
[add] https://crrev.com/d23ef9b37d71d31b82613f8ddb8da614cd54c665/third_party/WebKit/LayoutTests/fast/dom/shadow/img-display-contents-crash.html
[modify] https://crrev.com/d23ef9b37d71d31b82613f8ddb8da614cd54c665/third_party/WebKit/Source/core/paint/PaintLayerScrollableArea.cpp
Mar 7 2017
Mar 8 2017
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions.

Owners: amineer@(clank), cmasso@(bling), bhthompson@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Mar 8 2017
We are planning to cut Dev RC today (03/08) at 5.00 PM PST. Please merge the CL to M58 branch (3029) ASAP.
Mar 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bff179ffca3cc9e47629a280d8ffd40970bb2b38

commit bff179ffca3cc9e47629a280d8ffd40970bb2b38
Author: Steve Kobes <skobes@chromium.org>
Date: Wed Mar 08 22:27:55 2017

Fix null pointer dereference in PLSA's scrollbarStyleSource.

The scroller inside the alt-text shadow tree created by HTMLImageFallbackHelper was trying to read scrollbar styles from the <img> element, which had no LayoutObject because it was styled with "display: contents".

BUG= 697247
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2734993002
Cr-Commit-Position: refs/heads/master@{#455148}
(cherry picked from commit d23ef9b37d71d31b82613f8ddb8da614cd54c665)

Review-Url: https://codereview.chromium.org/2736873006 .
Cr-Commit-Position: refs/branch-heads/3029@{#71}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[add] https://crrev.com/bff179ffca3cc9e47629a280d8ffd40970bb2b38/third_party/WebKit/LayoutTests/fast/dom/shadow/img-display-contents-crash-expected.txt
[add] https://crrev.com/bff179ffca3cc9e47629a280d8ffd40970bb2b38/third_party/WebKit/LayoutTests/fast/dom/shadow/img-display-contents-crash.html
[modify] https://crrev.com/bff179ffca3cc9e47629a280d8ffd40970bb2b38/third_party/WebKit/Source/core/paint/PaintLayerScrollableArea.cpp
Mar 8 2017
Mar 9 2017
ClusterFuzz has detected this issue as fixed in range 455091:455394.

Detailed report: https://clusterfuzz.com/testcase?key=4697830553026560

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000042
Crash State:
  blink::PaintLayerScrollableArea::needsScrollbarReconstruction
  blink::PaintLayerScrollableArea::updateAfterLayout
  blink::LayoutBlockFlow::layoutBlock

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=451929:451968
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=455091:455394

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95X6TnWML7y9zlrwmPaolIxDnO6StsOKkTnGhwgHJsj9rYLwGA7oyeqRDts0XXZ5uk95-rC2xBLSq4mRWVSWSFEqKsSZx-eeH4nInahL1zJ9ZQsvqJXEJeeO9rSQqmZFF1pVM7on7rlSwwuD61D2kSb5FlXb-HI4W7MP5lpr9-9DSnNWznsUNsUsFMam-_bpRYU96Q4V-hpbsrlpCNPPeh6wCzLvLKN5PC8CTF7v-9HVmjl1RXZPU3GNefCU7cMxqFiKpZxANbYd34ZZQ62bCbtXNWJDA2K97c1c61iBXLaKTLUifyKhnuyLnUm7cJbL1iihK4y2ox15s_S_YgGYtdqKqX4QS04WuPzpCKvBpiFX-muJ1U?testcase_id=4697830553026560

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mummare...@chromium.org, Mar 1 2017
Labels: Test-Layout Test-Predator-Wrong M-58
Owner: szager@chromium.org
Status: Assigned (was: Untriaged)