Issue 713017 link

Starred by 1 user

Issue metadata

Status:	WontFix
Owner:	tkent@chromium.org
Closed:	Apr 2017
Components:	Blink>HTML>Details
EstimatedDays:	----
NextAction:	----
OS:	Windows
Pri:	1
Type:	Bug
Stability-Crash Reproducible Hotlist-SyzyASAN Clusterfuzz M-60 Test-Predator-Wrong

Crash in blink::Element::ensureUniqueElementData

Project Member Reported by ClusterFuzz, Apr 19 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6451564970770432

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000002f
Crash State:
  blink::Element::ensureUniqueElementData
  blink::Element::setInlineStyleProperty
  blink::Element::setInlineStyleProperty
  
Memory Tool: SYZYASAN

Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=370165:370699

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96sY8UBMZzbZaKBxRTjwKcTaJW6CyvY1C14Ge_UmOFk7TBAbMmlyPcFiHiIvF1uz59pJAXoLUwtURKxFZELzUTDRF-OguGefJEziTEUNCIZB5XsKKcPG6U302CV7O_MjlPCKOg3StC5Zcg1FiULKIHB5Y0ajNwLE0GsukJIE2_A3CejCEW0vfNqosm62PTiqOj6GRo9U6pdacbT6cl1t_t6Uz5LCPvIJhpYce8UQLJV_xQDmcY3TcdO2WX1JsE5yhrh0uLqJ7zX4Ox3ogGYYbbYm8WeQatK9Q6iLNFO_YbMgmg6QI8B9qxO7zNbaTKmFFMK_QxAhrk8oEe4YHtexgupl0k9m3k6t2KNB9SDyzdXuaQpwFordmnzqQE-3qr8B1U24UGvs-2JVXhZh0ZS_ymtQz2_8g?testcase_id=6451564970770432


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mummare...@chromium.org, Apr 20 2017

Components: Blink>DOM
Labels: M-60 Test-Predator-Wrong
Owner: tkent@chromium.org
Status: Assigned (was: Untriaged)

Through code search on file HTMLDetailsElement.cpp, suspected CL is
https://chromium.googlesource.com/chromium/src/+/cdb6d2b9b6f94fb4ed02c0b315ad56c5bc5b5b89

Comment 2 by tkent@chromium.org, Apr 20 2017

Components: -Blink>DOM Blink>HTML>Details
Status: WontFix (was: Assigned)

The testcase uses window.internals.youngestShadowRoot(). We won't fix non-security crash by it.

Project Member

Comment 3 by ClusterFuzz, Apr 20 2017

ClusterFuzz has detected this issue as fixed in range 465765:465806.

Detailed report: https://clusterfuzz.com/testcase?key=6451564970770432

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000002f
Crash State:
  blink::Element::ensureUniqueElementData
  blink::Element::setInlineStyleProperty
  blink::Element::setInlineStyleProperty
  
Memory Tool: SYZYASAN

Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=370165:370699
Fixed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=465765:465806

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96sY8UBMZzbZaKBxRTjwKcTaJW6CyvY1C14Ge_UmOFk7TBAbMmlyPcFiHiIvF1uz59pJAXoLUwtURKxFZELzUTDRF-OguGefJEziTEUNCIZB5XsKKcPG6U302CV7O_MjlPCKOg3StC5Zcg1FiULKIHB5Y0ajNwLE0GsukJIE2_A3CejCEW0vfNqosm62PTiqOj6GRo9U6pdacbT6cl1t_t6Uz5LCPvIJhpYce8UQLJV_xQDmcY3TcdO2WX1JsE5yhrh0uLqJ7zX4Ox3ogGYYbbYm8WeQatK9Q6iLNFO_YbMgmg6QI8B9qxO7zNbaTKmFFMK_QxAhrk8oEe4YHtexgupl0k9m3k6t2KNB9SDyzdXuaQpwFordmnzqQE-3qr8B1U24UGvs-2JVXhZh0ZS_ymtQz2_8g?testcase_id=6451564970770432


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

►

Issue 713017 link

Issue metadata

Crash in blink::Element::ensureUniqueElementData

Issue description

Comment 1 by mummare...@chromium.org, Apr 20 2017

Comment 1 Deleted

Comment 2 by tkent@chromium.org, Apr 20 2017

Comment 2 Deleted

Comment 3 by ClusterFuzz, Apr 20 2017

Comment 3 Deleted

Sign in to add a comment