Issue 729317

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug

Null-dereference READ in blink::FramePainter::PaintScrollCorner

Reported by ClusterFuzz (Project Member), Jun 3 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6664858799177728

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000028
Crash State:
  blink::FramePainter::PaintScrollCorner
  blink::PaintLayerCompositor::PaintContents
  blink::GraphicsLayer::PaintWithoutCommit
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=473072:473106

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6664858799177728


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>Paint
Labels: PaintTeamTriaged-20170612 BugSource-Chromium
Owner: skobes@chromium.org
Status: Assigned (was: Untriaged)
Most likely patch in blame range is https://codereview.chromium.org/2894733002

Assigning to see if that's the case.

Comment 3 by skobes@chromium.org, Jun 15 2017

Status: Started (was: Assigned)

Comment 4 by skobes@chromium.org, Jun 15 2017

I think the regression range is wrong; I can repro even at r473072 and my change didn't break it.  But I have identified the cause and have a fix pending.
Comment 5 by ClusterFuzz (Project Member), Jun 16 2017

Labels: OS-Windows
Comment 6 by bugdroid1@chromium.org (Project Member), Jun 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/52dd5c4fd4a98a209ed3bfb8eadf4caf9e40fed6

commit 52dd5c4fd4a98a209ed3bfb8eadf4caf9e40fed6
Author: Steve Kobes <skobes@chromium.org>
Date: Fri Jun 16 18:12:25 2017

Fix handling of scrollbar removal on viewport setting change.

When the viewportEnabled and viewportMetaEnabled settings are turned on, we
remove existing scrollbars on the LocalFrameView because the visual viewport
will supply them instead.  But we weren't calling ScrollbarExistenceDidChange,
so PaintLayerCompositor wasn't notified.  This meant the scrollbar and scroll
corner layers continued to exist when they should have been destroyed, causing
the paint code to crash.

Bug: 729317
Change-Id: I2d02a6d4f5b1cab96c510f143434a9d5c868f9a5
Reviewed-on: https://chromium-review.googlesource.com/537335
Reviewed-by: Philip Rogers <pdr@chromium.org>
Commit-Queue: Steve Kobes <skobes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#480100}
[add] https://crrev.com/52dd5c4fd4a98a209ed3bfb8eadf4caf9e40fed6/third_party/WebKit/LayoutTests/scrollbars/scrollbar-removed-by-viewport-crash-expected.txt
[add] https://crrev.com/52dd5c4fd4a98a209ed3bfb8eadf4caf9e40fed6/third_party/WebKit/LayoutTests/scrollbars/scrollbar-removed-by-viewport-crash.html
[modify] https://crrev.com/52dd5c4fd4a98a209ed3bfb8eadf4caf9e40fed6/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
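The commit message above describes a stale-state bug: the view dropped its scrollbars but never told the compositor, so the compositor kept a scroll-corner layer whose painter then read through a null scrollbar pointer. The following is an added example, not Chromium/Blink code and not part of this issue, that models that mechanism in a few dozen lines. The names FrameView, Compositor, ScrollbarExistenceDidChange and PaintScrollCorner are borrowed for readability only; their bodies here are assumptions, and the "buggy" path reports the would-be null dereference instead of crashing so both paths can be compared.

```cpp
// Added example (not Chromium/Blink code): a simplified model of the bug class
// in the commit message above. A view owns optional scrollbars; a compositor
// keeps a scroll-corner layer only while the view reports having scrollbars.
// Names are borrowed for readability; the bodies are assumptions, not Blink's.
#include <cstdio>
#include <memory>

struct Scrollbar {
  int thickness = 15;  // constructed sample geometry
};

// Compositor-side state that must track scrollbar existence on the view.
struct Compositor {
  bool has_scroll_corner_layer = false;

  // The notification the view must send whenever scrollbars appear or
  // disappear; without it, the layer flag goes stale.
  void ScrollbarExistenceDidChange(bool view_has_scrollbars) {
    has_scroll_corner_layer = view_has_scrollbars;
  }
};

struct FrameView {
  std::unique_ptr<Scrollbar> h_bar;
  std::unique_ptr<Scrollbar> v_bar;
  Compositor* compositor;

  explicit FrameView(Compositor* c) : compositor(c) {
    h_bar = std::make_unique<Scrollbar>();
    v_bar = std::make_unique<Scrollbar>();
    compositor->ScrollbarExistenceDidChange(true);
  }

  // Pre-fix behaviour: a viewport setting change drops the scrollbars (the
  // visual viewport will supply them) but never tells the compositor.
  void RemoveScrollbarsForViewportBuggy() {
    h_bar.reset();
    v_bar.reset();
  }

  // Post-fix behaviour: the same removal followed by the existence
  // notification, so the compositor destroys its scroll-corner layer.
  void RemoveScrollbarsForViewportFixed() {
    h_bar.reset();
    v_bar.reset();
    compositor->ScrollbarExistenceDidChange(false);
  }
};

enum class PaintResult { kNoLayer, kPainted, kWouldDereferenceNull };

// Models FramePainter::PaintScrollCorner: it runs only while the compositor
// still owns a scroll-corner layer and then reads scrollbar geometry. Real
// code would dereference unconditionally (the ASAN null READ); here the null
// case is detected and reported so the two paths can be compared.
PaintResult PaintScrollCorner(const FrameView& view) {
  if (!view.compositor->has_scroll_corner_layer) return PaintResult::kNoLayer;
  if (!view.h_bar || !view.v_bar) return PaintResult::kWouldDereferenceNull;
  int corner_area = view.h_bar->thickness * view.v_bar->thickness;  // 15 * 15
  return corner_area > 0 ? PaintResult::kPainted : PaintResult::kNoLayer;
}

PaintResult PaintWithScrollbars() {
  Compositor c;
  FrameView v(&c);
  return PaintScrollCorner(v);  // layer present, scrollbars present
}

PaintResult PaintAfterBuggyRemoval() {
  Compositor c;
  FrameView v(&c);
  v.RemoveScrollbarsForViewportBuggy();
  return PaintScrollCorner(v);  // stale layer -> null scrollbar read
}

PaintResult PaintAfterFixedRemoval() {
  Compositor c;
  FrameView v(&c);
  v.RemoveScrollbarsForViewportFixed();
  return PaintScrollCorner(v);  // layer gone -> nothing to paint
}

int main() {
  std::printf("with scrollbars: %d\n", static_cast<int>(PaintWithScrollbars()));
  std::printf("buggy removal:   %d\n", static_cast<int>(PaintAfterBuggyRemoval()));
  std::printf("fixed removal:   %d\n", static_cast<int>(PaintAfterFixedRemoval()));
  return 0;
}
```

The point the model makes is that the crash site (the painter) is not where the defect is; the defect is the state transition that skipped its notification. A regression test for this class of bug, like the layout test the commit adds, exercises the transition (toggle the setting, then paint) rather than the painter in isolation.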

Comment 7 by skobes@chromium.org, Jun 16 2017

Status: Fixed (was: Started)
Comment 8 by ClusterFuzz (Project Member), Jun 17 2017

ClusterFuzz has detected this issue as fixed in range 480062:480100.

Detailed report: https://clusterfuzz.com/testcase?key=6664858799177728

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000028
Crash State:
  blink::FramePainter::PaintScrollCorner
  blink::PaintLayerCompositor::PaintContents
  blink::GraphicsLayer::PaintWithoutCommit
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=473072:473106
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=480062:480100

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6664858799177728


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.