New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 709801 link

Starred by 1 user
Status: Duplicate
Merged: issue 709798
Owner:
wangxianzhu@chromium.org
Closed: Apr 2017
Cc:
ifratric@google.com
msrchandra@chromium.org
vmp...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug



Sign in to add a comment

Crash in blink::LayoutRect blink::PaintInvalidator::mapLocalRectToVisualRectInBacking<bli

Project Member Reported by ClusterFuzz, Apr 9 2017 
Detailed report: https://clusterfuzz.com/testcase?key=5840823901224960

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::LayoutRect blink::PaintInvalidator::mapLocalRectToVisualRectInBacking<bli
  blink::PaintInvalidatorContext::mapLocalRectToVisualRectInBacking
  blink::invalidatePaintOfScrollbarIfNeeded
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=458746:463137

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94UZ2Dr4Gial7H-8-ny_QlJwncXS1G9nxHP5F5p3gm3ljI-3uVk311SzQqoQVQkvKVGKHWkMCCNSYIdOOsttb4UJYJ-0arIU32lxXTicCe5ALCa-U--LqVyIqXDh1yXS5EBdn8fGeeqhYQOuQtxFvHEn0J0xMabWmlOBTYw_Nwlz9FyfmY0rLpAiXXbtbBH3CQ8k-iFmtZTG4p5MHXYReZQlq8alTIrds8DWa9L4Od8t2QSuHw5NSC2j8eOTRJiUDbuAYlcFgqXL3Ntm-g6Cz3dZBlg8D-qzFsA4XGr0qQqNZ9N-IoJmv8Dcd2osm9LdD_DcmszUJ8Hb1qnjSoukiTtc5OdcsFqsqT8izdqi27yIirBaFyssEBP0hfPfvbmIYK-1ebL2TUSt5ZmqonRtLQdAnQ3pw?testcase_id=5840823901224960


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by msrchandra@chromium.org, Apr 10 2017

Cc: msrchandra@chromium.org
Components: Blink>Scroll
Labels: Test-Predator-Correct-CLs M-59
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: wangxianzhu
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/d2819bd5ebfb32f0866d92ad6e62a45499e05517
Time: Tue Apr 04 23:13:31 2017
Lines 98, 172-173 of file PaintInvalidationCapableScrollableArea.cpp which potentially caused crash are changed in this cl (frame #5, "blink::invalidatePaintOfScrollbarIfNeeded"; frame #6, "blink::PaintInvalidationCapableScrollableArea::invalidatePaintOfScrollControlsIfNeeded"). 

Lines 112, 153 of file PaintInvalidator.cpp which potentially caused crash are changed in this cl (frame #2, "blink::LayoutRect blink::PaintInvalidator::mapLocalRectToVisualRectInBacking"; frame #3, "blink::PaintInvalidatorContext::mapLocalRectToVisualRectInBacking").
Minimum distance from crash line to modified line: 0. (file: PaintInvalidationCapableScrollableArea.cpp, crashed on: 172, modified: 172). 

Author: wangxianzhu
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/81f28ed19f771fe93406496d1d23da137abcd602
Time: Sun Apr 02 21:45:28 2017
Lines 98, 172-173 of file PaintInvalidationCapableScrollableArea.cpp which potentially caused crash are changed in this cl (frame #5, "blink::invalidatePaintOfScrollbarIfNeeded"; frame #6, "blink::PaintInvalidationCapableScrollableArea::invalidatePaintOfScrollControlsIfNeeded"). 

Lines 109, 152 of file PaintInvalidator.cpp which potentially caused crash are changed in this cl (frame #2, "blink::LayoutRect blink::PaintInvalidator::mapLocalRectToVisualRectInBacking"; frame #3, "blink::PaintInvalidatorContext::mapLocalRectToVisualRectInBacking").
Minimum distance from crash line to modified line: 0. (file: PaintInvalidationCapableScrollableArea.cpp, crashed on: 172, modified: 172). 

Author: wangxianzhu
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/2fe8244b452ab0942eaf2508b638c353e740e1ea
Time: Wed Mar 22 23:06:52 2017
Lines 112, 154-155 of file PaintInvalidator.cpp which potentially caused crash are changed in this cl (frame #2, "blink::LayoutRect blink::PaintInvalidator::mapLocalRectToVisualRectInBacking"; frame #3, "blink::PaintInvalidatorContext::mapLocalRectToVisualRectInBacking").
Minimum distance from crash line to modified line: 0. (file: PaintInvalidator.cpp, crashed on: 110, modified: 110). 

Author: wangxianzhu
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/b87cdfa7b1b594a30a76793904cf916c06048721
Time: Wed Mar 22 22:04:04 2017
Lines 156, 165 of file PaintInvalidator.cpp which potentially caused crash are changed in this cl (frame #3, "blink::PaintInvalidatorContext::mapLocalRectToVisualRectInBacking").
Minimum distance from crash line to modified line: 0. (file: PaintInvalidator.cpp, crashed on: 165, modified: 165).

@wangxianzhu -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by wangxianzhu@chromium.org, Apr 17 2017

Components: -Blink>Scroll Blink>Paint>Invalidation
Mergedinto: 709798
Status: Duplicate (was: Assigned)
Project Member

Comment 3 by ClusterFuzz, Apr 19 2017 

ClusterFuzz has detected this issue as fixed in range 465403:465427.

Detailed report: https://clusterfuzz.com/testcase?key=5840823901224960

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::LayoutRect blink::PaintInvalidator::mapLocalRectToVisualRectInBacking<bli
  blink::PaintInvalidatorContext::mapLocalRectToVisualRectInBacking
  blink::invalidatePaintOfScrollbarIfNeeded
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=458746:463137
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=465403:465427

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94UZ2Dr4Gial7H-8-ny_QlJwncXS1G9nxHP5F5p3gm3ljI-3uVk311SzQqoQVQkvKVGKHWkMCCNSYIdOOsttb4UJYJ-0arIU32lxXTicCe5ALCa-U--LqVyIqXDh1yXS5EBdn8fGeeqhYQOuQtxFvHEn0J0xMabWmlOBTYw_Nwlz9FyfmY0rLpAiXXbtbBH3CQ8k-iFmtZTG4p5MHXYReZQlq8alTIrds8DWa9L4Od8t2QSuHw5NSC2j8eOTRJiUDbuAYlcFgqXL3Ntm-g6Cz3dZBlg8D-qzFsA4XGr0qQqNZ9N-IoJmv8Dcd2osm9LdD_DcmszUJ8Hb1qnjSoukiTtc5OdcsFqsqT8izdqi27yIirBaFyssEBP0hfPfvbmIYK-1ebL2TUSt5ZmqonRtLQdAnQ3pw?testcase_id=5840823901224960


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment