New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 714421 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug



Sign in to add a comment

Cannot find inner editor under INPUT after UA shadow DOM tampered by TestRunner

Project Member Reported by ClusterFuzz, Apr 23 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5056727658790912

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::CanParticipateInFlatTree
  blink::Document::NeedsLayoutTreeUpdateForNode
  blink::Document::UpdateStyleAndLayoutTreeForNode
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=447544:447851

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5056727658790912


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Components: Blink>Editing
Labels: Test-Predator-Correct-CLs M-58
Owner: r...@chromium.org
Status: Assigned (was: Untriaged)
Assigning to concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: rego
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/03bd67fe0ded2c7031eb1c3efb39150056737492
Time: Thu Feb 02 08:40:23 2017
Lines 807-815 of file SpellChecker.cpp which potentially caused crash are changed in this cl (frame #6, "RemoveSpellingAndGrammarMarkers").
Minimum distance from crash line to modified line: 0. (file: SpellChecker.cpp, crashed on: 807, modified: 807).

@rego -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by r...@igalia.com, Apr 24 2017

Owner: r...@igalia.com

Comment 3 by r...@igalia.com, Apr 24 2017

This can be a duplicated of  bug #688218 , but I never managed to reproduce it so I don't know.

Regarding this new bug report I cannot reproduce this issue on Linux. I'll try to find some time to test it on Mac too.
I guess using a pre-built binary from https://commondatastorage.googleapis.com/chromium-browser-asan/index.html
should be valid to reproduce the problem.
Am I missing something?
Summary: Cannot find inner editor under INPUT after UA shadow DOM tampered by TestRunner (was: Crash in blink::Node::CanParticipateInFlatTree)
Can repro on Linux with content_shell and --run-layout-test flag.

The crash is due to tampering the id of the inner editor of an INPUT, making TextControlElement::InnerEditorElement() return null, resulting a nullptr deref.

I don't think this is really a bug -- only TestRunner has the power to tamper a UA shadom DOM with JavaScript, and any code using TestRunner is considered testing code.

Can we stop ClusterFuzz from generating incorrect testing code?

Comment 5 by r...@igalia.com, Apr 25 2017

Status: WontFix (was: Assigned)
Thanks @xiaochengh I can reproduce it now with "--run-layout-test" too.

I'm attaching a reduced test case, but the issue is basically what @xiaochengh described. So I guess we can close this as "Won't Fix".
bug-714421-reduced.html
212 bytes View Download
Project Member

Comment 6 by ClusterFuzz, May 12 2017

Labels: OS-Windows
Project Member

Comment 7 by ClusterFuzz, May 26 2017

Labels: OS-Linux
Project Member

Comment 8 by ClusterFuzz, May 27 2017

ClusterFuzz has detected this issue as fixed in range 474922:474938.

Detailed report: https://clusterfuzz.com/testcase?key=5056727658790912

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::CanParticipateInFlatTree
  blink::Document::NeedsLayoutTreeUpdateForNode
  blink::Document::UpdateStyleAndLayoutTreeForNode
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=447544:447851
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=474922:474938

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5056727658790912


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment