Bad-cast to blink::LayoutObject from invalid vptr;blink::LayoutText::SetText;blink::LayoutTextFragment::SetTextFragment
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6186429138075648
Fuzzer: mbarbella_webcomponents
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x169406444000
Crash State:
  Bad-cast to blink::LayoutObject from invalid vptr
  blink::LayoutText::SetText
  blink::LayoutTextFragment::SetTextFragment
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=479114:479272
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6186429138075648

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sheriffbot@chromium.org, Jun 14 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 16 2017
szager, nothing in the regression range looks suspicious, so I'm not sure who to assign this to. Could you please take a look?
Jun 19 2017
The clusterfuzz reproduce tool fails. Manual UBSAN builds fail to reproduce the issue and there are no changes seemingly relevant to the code in question in the regression range. Without a narrower bisect range or a way to reproduce there really isn't much we can do.
Jun 19 2017
Tanin, can you check why the reproduce tool is failing here?
Jun 20 2017
The reproduce tool can reproduce this crash consistently (by me and by our CI). I'll ping eae@ and figure out why it failed on his machine. If anyone is looking to reproduce this, please run `/google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 6186429138075648`
Jun 21 2017
ClusterFuzz has detected this issue as fixed in range 480776:480840.

Detailed report: https://clusterfuzz.com/testcase?key=6186429138075648
Fuzzer: mbarbella_webcomponents
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x169406444000
Crash State:
  Bad-cast to blink::LayoutObject from invalid vptr
  blink::LayoutText::SetText
  blink::LayoutTextFragment::SetTextFragment
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=479114:479272
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=480776:480840
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6186429138075648

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 21 2017
ClusterFuzz testcase 6186429138075648 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 27 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot