
Issue 698776 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows , Mac
Pri: 1
Type: Bug


Crash in blink::Document::updateStyleAndLayout

Reported by ClusterFuzz (Project Member), Mar 6 2017

Issue description

Components: Blink>Fonts
Labels: Test-Predator-Correct-CLs M-58
Owner: ksakamoto@chromium.org
Status: Assigned (was: Untriaged)
The result is a list of CLs that change the crashed files. 

Author: ksakamoto
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/42bd5bf1a4db228077a4b44c70bff956470f0a75
Time: Mon Mar 06 10:46:09 2017
Lines 248-252 of file FontFaceSet.cpp, which potentially caused the crash, are changed in this CL (frame #3, "blink::FontFaceSet::ready").
Minimum distance from crash line to modified line: 0. (file: FontFaceSet.cpp, crashed on: 248, modified: 248).

ksakamoto@, could you please take a look?
Thank you.
Components: -Blink>Fonts Blink>WebFonts
Labels: -M-58 M-59
Status: Started (was: Assigned)
Cc: ksakamoto@chromium.org
Issue 699281 has been merged into this issue.

Comment 4 by bugdroid1@chromium.org (Project Member), Mar 8 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ac3c0012ce426716061dc073928f701fd64ff712

commit ac3c0012ce426716061dc073928f701fd64ff712
Author: ksakamoto <ksakamoto@chromium.org>
Date: Wed Mar 08 02:20:40 2017

Fix crash in FontFaceSet::ready

This fixes a crash introduced by http://crrev.com/2722493002.
FontFaceSet can outlive Document, so aliveness check is needed before
touching the document.

BUG=698776

Review-Url: https://codereview.chromium.org/2737733002
Cr-Commit-Position: refs/heads/master@{#455349}

[modify] https://crrev.com/ac3c0012ce426716061dc073928f701fd64ff712/third_party/WebKit/Source/core/css/FontFaceSet.cpp
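The commit message above states the lifetime bug in one line: a FontFaceSet is reachable from script, so script can keep it alive after its Document is gone, and a getter that reaches into the document must first check that the document still exists. The following is an added illustration of that pattern, not Blink's code or the content of the linked CL: `Document`, `FontFaceSet`, `DocumentLifecycleObserver`, `readyUnchecked`, `runDetachedScenario` and the observer mechanism are all constructed stand-ins (Blink's real aliveness machinery is not reproduced here). The unchecked getter shows the shape that crashes once the document is destroyed; the guarded getter shows the shape the fix describes.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Constructed stand-ins for blink::Document and blink::FontFaceSet. These are
// not Blink's classes or APIs, only a model of the lifetime relationship the
// fix describes (all names hypothetical).
class Document;

// A holder of a raw Document pointer registers as an observer so the pointer
// can be cleared when the Document dies. That cleared pointer is the
// "aliveness" the guarded getter checks.
class DocumentLifecycleObserver {
 public:
  virtual ~DocumentLifecycleObserver() = default;
  virtual void documentDestroyed() = 0;
};

class Document {
 public:
  ~Document() {
    // Tell every holder before the storage goes away so they drop the pointer.
    for (DocumentLifecycleObserver* o : observers_) o->documentDestroyed();
  }
  void addObserver(DocumentLifecycleObserver* o) { observers_.push_back(o); }
  void removeObserver(DocumentLifecycleObserver* o) {
    observers_.erase(std::remove(observers_.begin(), observers_.end(), o),
                     observers_.end());
  }
  // Stand-in for Document::updateStyleAndLayout(): forces one layout pass.
  void updateStyleAndLayout() { ++layout_count_; }
  int layoutCount() const { return layout_count_; }

 private:
  int layout_count_ = 0;
  std::vector<DocumentLifecycleObserver*> observers_;
};

// FontFaceSet is exposed to script (document.fonts), so a script reference can
// keep it alive after its Document has been torn down, e.g. on frame detach.
class FontFaceSet : public DocumentLifecycleObserver {
 public:
  explicit FontFaceSet(Document* document) : document_(document) {
    document_->addObserver(this);
  }
  ~FontFaceSet() override {
    if (document_) document_->removeObserver(this);
  }
  void documentDestroyed() override { document_ = nullptr; }
  bool documentAlive() const { return document_ != nullptr; }

  // Shape of the getter before the fix: it touches the document without
  // checking whether it still exists. Called after the Document is destroyed,
  // this dereferences a null pointer (a small-address read like the one in the
  // report). Returns true when a layout pass was forced.
  bool readyUnchecked() {
    document_->updateStyleAndLayout();
    return true;
  }

  // Shape of the getter after the fix: an aliveness check guards the access.
  // Returns true when a layout pass was forced, false when the document is
  // gone and the getter answers without touching it.
  bool ready() {
    if (!document_) return false;
    document_->updateStyleAndLayout();
    return true;
  }

 private:
  Document* document_;  // raw, non-owning; cleared by documentDestroyed()
};

// Drives the scenario: the set outlives its document, then `ready` is read.
// Returns the number of layout passes the document saw before destruction and
// sets *survived when the post-destruction read of the guarded getter is safe.
int runDetachedScenario(bool* survived) {
  auto document = std::make_unique<Document>();
  auto fonts = std::make_unique<FontFaceSet>(document.get());  // held by "script"
  fonts->readyUnchecked();   // fine while the document is alive
  fonts->ready();            // also fine: one more layout pass
  int passes = document->layoutCount();
  document.reset();          // frame detached: Document destroyed, set survives
  // Only the guarded getter may be called now; readyUnchecked() would crash.
  *survived = !fonts->documentAlive() && !fonts->ready();
  return passes;
}
```

Under ASan the unchecked path taken after `document.reset()` is the crash this bug reports; the guarded path returns without a layout pass. The observer clearing the raw pointer is the part that makes the check meaningful: a null check on a pointer nobody nulls out is no check at all.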


Comment 5 by ClusterFuzz (Project Member), Mar 9 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5706417924472832 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 6 by ClusterFuzz (Project Member), Mar 10 2017

ClusterFuzz has detected this issue as fixed in range 455091:455389.

Detailed report: https://clusterfuzz.com/testcase?key=5687456348504064

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x0000000001d0
Crash State:
  blink::Document::updateStyleAndLayout
  blink::FontFaceSet::ready
  blink::V8FontFaceSet::readyAttributeGetterCallback
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=454844:454847
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=455091:455389

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95BlaQ3-0AlAeoKe9a4z3x68tQqiCG-7uDrvaVJf-Wm7fi5cRZWWoBViruceVS1FK1XinInC8Dx2DwWM2ySrsswWbLDuV3C0cYuGfkbGX4640xtpKLF91bLs1_eZwRmN1KfMfxvmvOa-6mWGp0iT10fNym4Thmo4WVScZj54SeP0t_OSk8GCaAW-mAZ2fXIVmiVigSWf6WNs-VNF0g6tAOv_kbE39wUgRVy8kStaowVCR_6i0HjM-Mxju6VlWGPxV1G1yfHPrXO42A3d4LCBgUvSjHqXe67qwWLfmPxRiDZntScElH34Tl0-gLW2Xgwl9Z_6FkJOf61OM9xjuEoNVgGeChExGaVA-ybgcETYdb5C8jQl54?testcase_id=5687456348504064


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Cc: msrchandra@chromium.org
Issue 713053 has been merged into this issue.

Comment 8 by ClusterFuzz (Project Member), Apr 20 2017

Labels: OS-Windows
