CHECK failure: list_node in LayoutListItem.cpp
Reported by
sjh...@gmail.com,
May 21 2017
Issue description
VULNERABILITY DETAILS
void LayoutListItem::UpdateListMarkerNumbers() {
  // If distribution recalc is needed, updateListMarkerNumber will be re-invoked
  // after distribution is calculated.
  if (GetNode()->GetDocument().ChildNeedsDistributionRecalc())
    return;

  Node* list_node = EnclosingList(this);
  CHECK(list_node);  // --- [1] |list_node| is NULL.

  bool is_list_reversed = false;
  HTMLOListElement* o_list_element =
      isHTMLOListElement(list_node) ? toHTMLOListElement(list_node) : 0;
  if (o_list_element) {
    o_list_element->ItemCountChanged();
    is_list_reversed = o_list_element->IsReversed();
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/layout/LayoutListItem.cpp?q=UpdateListMarkerNumbers+package:%5Echromium$&l=526
VERSION
Chrome Version: asan-win32-release-473419
Operating System: Windows 10
REPRODUCTION CASE
See the attached crash_chrome.html file.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
(344.2b8c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=04be9ee0 ecx=00000008 edx=1f66105c esi=04be9fe0 edi=3097d3bc
eip=165a023d esp=04be9de0 ebp=04bea038 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
chrome_child!blink::Node::GetStyleChangeType+0x13 [inlined in chrome_child!blink::LayoutListItem::UpdateListMarkerNumbers+0x34f]:
165a023d 8b09 mov ecx,dword ptr [ecx] ds:002b:00000008=????????
4:076> kb
ChildEBP RetAddr Args to Child
(Inline) -------- -------- -------- -------- chrome_child!blink::Node::GetStyleChangeType+0x13 [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\dom\Node.h @ 464]
(Inline) -------- -------- -------- -------- chrome_child!blink::Node::NeedsAttach+0x13 [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\dom\Node.h @ 458]
04bea038 164ed67e 41b58ab3 1ed111c0 164ed0a4 chrome_child!blink::LayoutListItem::UpdateListMarkerNumbers+0x34f [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\layout\LayoutListItem.cpp @ 531]
04bea49c 1648b990 09b46720 06b33740 00000001 chrome_child!blink::LayoutObjectChildList::RemoveChildNode+0x5da [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\layout\LayoutObjectChildList.cpp @ 92]
04bea4b4 16385f11 06b33740 41b58ab3 1ecd0ced chrome_child!blink::LayoutObject::RemoveChild+0x3e [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\layout\LayoutObject.cpp @ 344]
04beaad4 164ad271 06b33740 41b58ab3 1ed027da chrome_child!blink::LayoutBlockFlow::RemoveChild+0x537 [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\layout\LayoutBlockFlow.cpp @ 3098]
(Inline) -------- -------- -------- -------- chrome_child!blink::LayoutObject::Remove+0x4a [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\layout\LayoutObject.h @ 1552]
04beac88 162ab23a 04beacc0 06b33740 04bead14 chrome_child!blink::LayoutObject::WillBeDestroyed+0x32b [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\layout\LayoutObject.cpp @ 2627]
04beac98 162fa8be 41b58ab3 1ecc6360 162fa632 chrome_child!blink::LayoutBoxModelObject::WillBeDestroyed+0x154 [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\layout\LayoutBoxModelObject.cpp @ 258]
04bead14 1659fddd 06b33740 00d666e8 09b46700 chrome_child!blink::LayoutBox::WillBeDestroyed+0x28c [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\layout\LayoutBox.cpp @ 151]
04bead28 164b0b0a 04beae40 04bead40 04beae98 chrome_child!blink::LayoutListItem::WillBeDestroyed+0x47 [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\layout\LayoutListItem.cpp @ 82]
04bead38 164b08fe 41b58ab3 1ed02865 164b03b4 chrome_child!blink::LayoutObject::Destroy+0x30 [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\layout\LayoutObject.cpp @ 2911]
04beae98 1a8ba107 5f3c2268 0be7844d 04beaf00 chrome_child!blink::LayoutObject::DestroyAndCleanupAnonymousWrappers+0x54a [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\layout\LayoutObject.cpp @ 2907]
04beaeb4 1a75c1d9 04beb140 41b58ab3 2014290d chrome_child!blink::Node::DetachLayoutTree+0x115 [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\dom\Node.cpp @ 1003]
04beaf54 1a846cd3 04beb140 41b58ab3 2018f1b9 chrome_child!blink::ContainerNode::DetachLayoutTree+0x1d9 [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\dom\ContainerNode.cpp @ 835]
04beb014 1a9e5555 04beb140 41b58ab3 202334e0 chrome_child!blink::Element::DetachLayoutTree+0x48f [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\dom\Element.cpp @ 1829]
(Inline) -------- -------- -------- -------- chrome_child!blink::Node::LazyReattachIfAttached+0xc8 [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\dom\Node.h @ 1021]
04beb1f8 1a84c88b 5f3c2ed8 00000003 04beb280 chrome_child!blink::ElementShadow::AddShadowRoot+0x991 [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\dom\shadow\ElementShadow.cpp @ 59]
04beb210 1a84d299 00000003 04beb310 41b58ab3 chrome_child!blink::Element::CreateShadowRootInternal+0x8d [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\dom\Element.cpp @ 2344]
04beb2cc 19b98547 0ee0a810 04beb370 04beb310 chrome_child!blink::Element::attachShadow+0x991 [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\dom\Element.cpp @ 2318]
(Inline) -------- -------- -------- -------- chrome_child!blink::ElementV8Internal::attachShadowMethod+0x4ff [C:\b\c\b\Win_ASan_Release\src\out\Release\gen\blink\bindings\core\v8\V8Element.cpp @ 1303]
04beb414 0ffffd26 04beb4d0 41b58ab3 1d4e6060 chrome_child!blink::V8Element::attachShadowMethodCallback+0x5e3 [C:\b\c\b\Win_ASan_Release\src\out\Release\gen\blink\bindings\core\v8\V8Element.cpp @ 2457]
04beb590 10251933 04beb6b0 19b97f64 41b58ab3 chrome_child!v8::internal::FunctionCallbackArguments::Call+0x506 [C:\b\c\b\win_asan_release\src\v8\src\api-arguments.cc @ 25]
04beb760 1024e642 04beb874 04beb870 0840cb04 chrome_child!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>+0xc53 [C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc @ 112]
04beb83c 1024daa2 0ac0f200 04beb868 0d4063fe chrome_child!v8::internal::Builtin_Impl_HandleApiCall+0x2a2 [C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc @ 142]
04beb924 10e8339d 299841a1 220e0a85 2390f511 chrome_child!v8::internal::Builtin_HandleApiCall+0x32 [C:\b\c\b\win_asan_release\src\v8\src\builtins\builtins-api.cc @ 130]
04beb950 10fe3942 07584ed0 00000000 07209324 chrome_child!v8::internal::`anonymous namespace'::Invoke+0x72d [C:\b\c\b\win_asan_release\src\v8\src\execution.cc @ 145]
(Inline) -------- -------- -------- -------- chrome_child!std::_Wrap_alloc+0xc [C:\b\depot_tools\win_toolchain\vs_files\d3cb0e37bdd120ad0ac4650b674b09e81be45616\VC\include\xmemory0 @ 976]
(Inline) -------- -------- -------- -------- chrome_child!std::vector+0x53 [C:\b\depot_tools\win_toolchain\vs_files\d3cb0e37bdd120ad0ac4650b674b09e81be45616\VC\include\vector @ 1212]
(Inline) -------- -------- -------- -------- chrome_child!std::vector+0x53 [C:\b\depot_tools\win_toolchain\vs_files\d3cb0e37bdd120ad0ac4650b674b09e81be45616\VC\include\vector @ 1208]
(Inline) -------- -------- -------- -------- chrome_child!v8::internal::SlotCollectingVisitor::~SlotCollectingVisitor+0x73 [C:\b\c\b\win_asan_release\src\v8\src\heap\heap.cc @ 4297]
04beb970 114156e7 771c6bac 04beb9b0 9f7a14bb chrome_child!v8::internal::Heap::VerifyObjectLayoutChange+0x522 [C:\b\c\b\win_asan_release\src\v8\src\heap\heap.cc @ 4336]
(Inline) -------- -------- -------- -------- chrome_child!v8::internal::HeapObject::synchronized_set_map+0x3b [C:\b\c\b\Win_ASan_Release\src\v8\src\objects-inl.h @ 1497]
(Inline) -------- -------- -------- -------- chrome_child!v8::internal::`anonymous namespace'::MigrateFastToFast+0x4097 [C:\b\c\b\Win_ASan_Release\src\v8\src\objects.cc @ 3528]
04bebb44 113f39bd 0840cae4 0ac0f200 00000000 chrome_child!v8::internal::JSObject::MigrateToMap+0x4597 [C:\b\c\b\Win_ASan_Release\src\v8\src\objects.cc @ 3808]
04bebb70 0042317d 00000000 00000000 00000000 chrome_child!v8::internal::Dictionary<v8::internal::GlobalDictionary,v8::internal::GlobalDictionaryShape,v8::internal::Handle<v8::internal::Name> >::Add+0x39d [C:\b\c\b\Win_ASan_Release\src\v8\src\objects.cc @ 18176]
04bebbb4 127b230b 127b23a9 00000000 1dbe42f3 chrome!__asan::Allocator::Allocate+0x3bd [e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_allocator.cc @ 494]
04bebc3c 16299175 1629925b 1c393035 1c393035 chrome_child!base::trace_event::TraceLog::GetCategoryGroupEnabled+0xdb [C:\b\c\b\win_asan_release\src\base\trace_event\trace_log.cc @ 422]
04bebc40 1629925b 1c393035 1c393035 2e021ce0 chrome_child!blink::InspectorTraceEvents::Will+0x47 [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\inspector\InspectorTraceEvents.cpp @ 196]
04bebc5c 16a2e12d 04bec030 1c393035 04bec030 chrome_child!blink::InspectorTraceEvents::Will+0x12d [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\inspector\InspectorTraceEvents.cpp @ 199]
04bebcbc 00425369 04ed0030 1c393035 0757ae40 chrome_child!blink::probe::CallFunction::CallFunction+0x341 [C:\b\c\b\win_asan_release\src\out\release\gen\blink\core\CoreProbesImpl.cpp @ 1195]
04bec070 0158200b 2390f511 00000000 0840caf8 chrome!__asan::Allocator::QuarantineChunk+0x119 [e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_allocator.cc @ 559]
WARNING: Frame IP not in any known module. Following frames may be wrong.
04bec094 1a116c58 04bec0e0 00000014 0840cafc 0x158200b
04bec0b4 161248a0 161249ff 45e0360e 1ec38e4a chrome_child!blink::V8Window::findInstanceInPrototypeChain+0x2c [C:\b\c\b\Win_ASan_Release\src\out\Release\gen\blink\bindings\core\v8\V8Window.cpp @ 10463]
(Inline) -------- -------- -------- -------- chrome_child!blink::ToLocalDOMWindow+0x7 [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\frame\LocalDOMWindow.h @ 381]
00000000 00000000 00000000 00000000 00000000 chrome_child!blink::LocalFrame::DomWindow+0xc0 [C:\b\c\b\win_asan_release\src\third_party\WebKit\Source\core\frame\LocalFrame.cpp @ 538]
May 22 2017
Yes, if this is a NULL ptr deref then this would be non-security, but I'll run it through CF to get a stack and regression.
May 22 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5874972991160320
May 22 2017
Detailed report: https://clusterfuzz.com/testcase?key=5874972991160320
Job Type: linux_asan_chrome_mp
Crash Type: CHECK failure
Crash Address:
Crash State:
  list_node in LayoutListItem.cpp
  blink::LayoutListItem::UpdateListMarkerNumbers
  blink::LayoutObjectChildList::RemoveChildNode
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=467230:467252
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5874972991160320
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 28 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, May 21 2017