Null-dereference READ in blink::FramePainter::PaintScrollCorner
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6664858799177728
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000028
Crash State:
  blink::FramePainter::PaintScrollCorner
  blink::PaintLayerCompositor::PaintContents
  blink::GraphicsLayer::PaintWithoutCommit
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=473072:473106
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6664858799177728

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 12 2017
Most likely patch in blame range is https://codereview.chromium.org/2894733002. Assigning to see if that's the case.
Jun 15 2017
Jun 15 2017
I think the regression range is wrong; I can repro even at r473072 and my change didn't break it. But I have identified the cause and have a fix pending.
Jun 16 2017
Jun 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/52dd5c4fd4a98a209ed3bfb8eadf4caf9e40fed6

commit 52dd5c4fd4a98a209ed3bfb8eadf4caf9e40fed6
Author: Steve Kobes <skobes@chromium.org>
Date: Fri Jun 16 18:12:25 2017

Fix handling of scrollbar removal on viewport setting change.

When the viewportEnabled and viewportMetaEnabled settings are turned on, we remove existing scrollbars on the LocalFrameView because the visual viewport will supply them instead. But we weren't calling ScrollbarExistenceDidChange, so PaintLayerCompositor wasn't notified. This meant the scrollbar and scroll corner layers continued to exist when they should have been destroyed, causing the paint code to crash.

Bug: 729317
Change-Id: I2d02a6d4f5b1cab96c510f143434a9d5c868f9a5
Reviewed-on: https://chromium-review.googlesource.com/537335
Reviewed-by: Philip Rogers <pdr@chromium.org>
Commit-Queue: Steve Kobes <skobes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#480100}

[add] https://crrev.com/52dd5c4fd4a98a209ed3bfb8eadf4caf9e40fed6/third_party/WebKit/LayoutTests/scrollbars/scrollbar-removed-by-viewport-crash-expected.txt
[add] https://crrev.com/52dd5c4fd4a98a209ed3bfb8eadf4caf9e40fed6/third_party/WebKit/LayoutTests/scrollbars/scrollbar-removed-by-viewport-crash.html
[modify] https://crrev.com/52dd5c4fd4a98a209ed3bfb8eadf4caf9e40fed6/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
Jun 16 2017
Jun 17 2017
ClusterFuzz has detected this issue as fixed in range 480062:480100.

Detailed report: https://clusterfuzz.com/testcase?key=6664858799177728
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000028
Crash State:
  blink::FramePainter::PaintScrollCorner
  blink::PaintLayerCompositor::PaintContents
  blink::GraphicsLayer::PaintWithoutCommit
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=473072:473106
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=480062:480100
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6664858799177728

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by dtapu...@chromium.org, Jun 9 2017