Crash in blink::RootInlineBox::closestLeafChildForLogicalLeftPosition
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5431974748749824
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00000000000d
Crash State:
  blink::RootInlineBox::closestLeafChildForLogicalLeftPosition
  blink::nextLinePosition
  blink::SelectionModifier::modifyMovingForward
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=433020:433172
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94e3BFg2RY4nl8j39pXgU9wYvOLy4HR7ORUYcMoKYrZSmSYSvkCXDLnGmYvwSRJ2_q2gex8v6dvWyHRfEM6MMGVo0FHU9L1rWvr09VPmSdF4pICnG-Y4DG3Q_x5cTgjmhiqVdyvOydohLZrd2PB2E_F-TJc63N2VKEaZv0V1IG3jo6flGCOfOhx31sPkGvjmeRmPzBUTxLcNMhFcu4oHDOUchf8mwRXxQL9IAMoQ1fMjfzXbxkMJCe3z929n7Lnbm0-GGDMhoGA8ctP3RAzPo2xT0j9JRd1eekQOk7jrUcc75iso-SEcPvOwBxZmWWjglVLyW-JKMcgwUdf6PR7CEg3SjNZ92S4cd775xKU0fpT-0ZekH0?testcase_id=5431974748749824

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 2 2017
Not my change, I can recreate after reverting it. yosin@ - you have a few CLs in the regression range. Can you take a look? I've kicked off another blame task on clusterfuzz just in case.
Mar 2 2017

Mar 6 2017

Mar 6 2017
Mar 8 2017
Not a security issue (null-deref), nor seen in the wild. We're reworking selections for LayoutNG; it is probably not worth fixing this until then.
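The triage above rests on the crash address: 0xd is a small offset from a null pointer, so the read lands in the unmapped first page and cannot reach attacker-controlled memory. The following is an added example, not code from this bug or from Chromium or ClusterFuzz, showing that arithmetic and the check a triager applies to it. FakeInlineBox is a constructed stand-in with a member at offset 0xd (the real Blink layout is not reproduced), kReport is a constructed excerpt of the report's fields, and the 4 KiB unmapped first page is an assumption (Linux enforces it via vm.mmap_min_addr, 4096 in the kernel default and commonly 65536 on distributions). The classification heuristic is ours, not ClusterFuzz's implementation.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <string>

// Constructed stand-in for a Blink layout object; it is not the real
// RootInlineBox/InlineBox layout. Its only purpose is to put a one-byte
// member at offset 0xd so the arithmetic behind the report is visible:
// reading m_isFirst through a null pointer faults at address 0xd.
struct FakeInlineBox {
    uint8_t m_bits[13];   // occupies offsets 0x0 .. 0xc
    uint8_t m_isFirst;    // offset 0xd, matching "Crash Address: 0x00000000000d"
    uint8_t m_pad[2];
};

enum class CrashClass { NullDeref, NearNullNegative, Other };

// Assumption: the first page of the address space is unmapped, so any access
// there faults instead of reading attacker-influenced memory. Linux enforces
// this through vm.mmap_min_addr (4096 by kernel default, often 65536 on
// distributions).
constexpr uintptr_t kPageSize = 4096;

// Parse the hex value from the "Crash Address: 0x..." field of a ClusterFuzz
// report excerpt. Returns false if the field is absent or malformed.
bool parseCrashAddress(const std::string& report, uintptr_t* out) {
    static const std::string key = "Crash Address: ";
    const std::string::size_type pos = report.find(key);
    if (pos == std::string::npos) return false;
    const char* start = report.c_str() + pos + key.size();
    char* end = nullptr;
    const unsigned long long value = std::strtoull(start, &end, 16);
    if (end == start) return false;
    *out = static_cast<uintptr_t>(value);
    return true;
}

// Triage heuristic (ours, not ClusterFuzz's own implementation): a fault
// inside the first page is a null base pointer plus a small member offset; a
// fault just below the top of the address space is a null base pointer minus
// a small offset that wrapped around. Anything else needs a closer look,
// because the address may be attacker-influenced.
CrashClass classify(uintptr_t addr) {
    if (addr < kPageSize) return CrashClass::NullDeref;
    if (addr > UINTPTR_MAX - kPageSize) return CrashClass::NearNullNegative;
    return CrashClass::Other;
}

// Classify straight from a report excerpt. An excerpt without a parsable
// address is reported as Other so it is never waved through as a null-deref
// by accident.
CrashClass classifyReport(const std::string& report) {
    uintptr_t addr = 0;
    if (!parseCrashAddress(report, &addr)) return CrashClass::Other;
    return classify(addr);
}

// Constructed excerpt of the fields from the report above.
const char* const kReport =
    "Crash Type: UNKNOWN READ Crash Address: 0x00000000000d "
    "Crash State: blink::RootInlineBox::closestLeafChildForLogicalLeftPosition";

int main() {
    uintptr_t addr = 0;
    parseCrashAddress(kReport, &addr);
    std::cout << "crash address 0x" << std::hex << addr
              << " == offsetof(FakeInlineBox, m_isFirst) 0x"
              << offsetof(FakeInlineBox, m_isFirst) << "\n";
    std::cout << "classified as null-deref: "
              << (classifyReport(kReport) == CrashClass::NullDeref) << "\n";
    return 0;
}
```

The caveat that keeps this heuristic honest: an address in the first page only proves the base pointer was null (or nearly so) at the moment of the fault. If the same code path can be driven with a non-null but stale pointer, the bug is a use-after-free rather than a null-deref, which is why the "Crash State" stack and a sanitizer run still have to be read alongside the address.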
Mar 9 2017
ClusterFuzz has detected this issue as fixed in range 455091:455394.

Detailed report: https://clusterfuzz.com/testcase?key=5431974748749824
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00000000000d
Crash State:
  blink::RootInlineBox::closestLeafChildForLogicalLeftPosition
  blink::nextLinePosition
  blink::SelectionModifier::modifyMovingForward
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=433020:433172
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=455091:455394
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94e3BFg2RY4nl8j39pXgU9wYvOLy4HR7ORUYcMoKYrZSmSYSvkCXDLnGmYvwSRJ2_q2gex8v6dvWyHRfEM6MMGVo0FHU9L1rWvr09VPmSdF4pICnG-Y4DG3Q_x5cTgjmhiqVdyvOydohLZrd2PB2E_F-TJc63N2VKEaZv0V1IG3jo6flGCOfOhx31sPkGvjmeRmPzBUTxLcNMhFcu4oHDOUchf8mwRXxQL9IAMoQ1fMjfzXbxkMJCe3z929n7Lnbm0-GGDMhoGA8ctP3RAzPo2xT0j9JRd1eekQOk7jrUcc75iso-SEcPvOwBxZmWWjglVLyW-JKMcgwUdf6PR7CEg3SjNZ92S4cd775xKU0fpT-0ZekH0?testcase_id=5431974748749824

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mummare...@chromium.org, Mar 1 2017
Components: Blink>Layout
Labels: Test-Layout Test-Predator-Wrong M-57
Owner: robhogan@chromium.org
Status: Assigned (was: Untriaged)