Bad-cast to blink::HTMLElement from blink::SVGSVGElement;blink::FocusController::NextFocusableElementInForm;blink::InputMethodController::TextInputFlags
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5376402601017344
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x2d8a1002ad10
Crash State:
  Bad-cast to blink::HTMLElement from blink::SVGSVGElement
  blink::FocusController::NextFocusableElementInForm
  blink::InputMethodController::TextInputFlags
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=479114:479272
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5376402601017344

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
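The crash state above records an unconditional downcast of an SVGSVGElement to HTMLElement while walking the focusable elements of a form. The following added example (not Chromium's code; the classes and the two NextFocusableElementInForm variants are simplified, hypothetical stand-ins for blink::Element, blink::HTMLElement, blink::SVGSVGElement and blink::FocusController::NextFocusableElementInForm) shows the unchecked downcast shape beside a type-checked version that skips non-HTML elements.

```cpp
#include <memory>
#include <string>
#include <vector>

// Simplified stand-ins for blink::Element, blink::HTMLElement and
// blink::SVGSVGElement (hypothetical; not Chromium's classes).
struct Element {
  virtual ~Element() = default;
  virtual bool IsHTMLElement() const { return false; }
  virtual bool IsFocusable() const { return false; }
};
struct HTMLElement : Element {
  explicit HTMLElement(const char* t) : tag(t) {}
  bool IsHTMLElement() const override { return true; }
  bool IsFocusable() const override { return true; }
  std::string tag;
};
struct SVGSVGElement : Element {  // focusable, but not an HTMLElement
  bool IsFocusable() const override { return true; }
};
using Form = std::vector<std::unique_ptr<Element>>;

// Shape of the regression: every focusable element is assumed to be an
// HTMLElement and downcast unconditionally. Reaching an <svg> here is the
// bad-cast UBSan's vptr check reports (undefined behaviour).
const HTMLElement* NextFocusableElementInForm_Unchecked(const Form& f, size_t start) {
  for (size_t i = start; i < f.size(); ++i)
    if (f[i]->IsFocusable()) return static_cast<const HTMLElement*>(f[i].get());
  return nullptr;
}

// Hardened version: check the runtime type before downcasting and skip
// focusable elements that are not HTMLElements.
const HTMLElement* NextFocusableElementInForm(const Form& f, size_t start) {
  for (size_t i = start; i < f.size(); ++i) {
    const Element* e = f[i].get();
    if (e->IsFocusable() && e->IsHTMLElement())
      return static_cast<const HTMLElement*>(e);  // type verified above
  }
  return nullptr;
}

// Constructed sample form in document order: <input>, <svg>, <button>.
Form BuildSampleForm() {
  Form form;
  form.push_back(std::make_unique<HTMLElement>("input"));
  form.push_back(std::make_unique<SVGSVGElement>());
  form.push_back(std::make_unique<HTMLElement>("button"));
  return form;
}
```

Running the checked walker from index 1 over the sample form returns the button and never touches the <svg> as an HTMLElement; the unchecked variant is kept only to show the pattern and must not be run on a form containing an SVGSVGElement.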
Comment 1 by sheriffbot@chromium.org, Jun 14 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 14 2017
Another related to issue 733197, issue 733282
Jun 15 2017
Let me switch owner to take a look at clusterfuzz page.
Jun 15 2017
As the original change was reverted, pass this back to Ajith. My tentative fix for this is here: https://chromium-review.googlesource.com/c/536395/
Jun 16 2017
@kochi - Thanks for the initial investigations. I am just curious why none of our bots are able to catch this bad casting issue. Even if I make a patch, how do I verify this clusterfuzz bug locally or on a bot? Could you please provide some hints?
Jun 16 2017
@ajith.v - bots and clusterfuzz are different things. Bots just run all the existing tests against various configurations, while clusterfuzz creates fuzzing tests (slightly changing existing tests, or automatically generating some permutations of smaller tests, etc.) and runs them against some builds. So clusterfuzz can find more bugs that are not covered by existing tests. You are encouraged to add tests, which is an essential part of what failed for the clusterfuzz test. https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs is the first step. Maybe for a non-googler it might be hard to set up the environment locally - in that case I can be of help. But in this particular case, I could reproduce the error with a debug build of content_shell on Linux, and run content_shell against clusterfuzz's test case: https://clusterfuzz.com/download?testcase_id=5376402601017344
Jun 16 2017
@ajith.v - essentially, I already minimized the repro case and put it in the unit test in the CL above: https://chromium-review.googlesource.com/c/536395/3/third_party/WebKit/Source/core/page/FocusControllerTest.cpp
Jun 16 2017
ClusterFuzz has detected this issue as fixed in range 479572:479616.

Detailed report: https://clusterfuzz.com/testcase?key=5376402601017344
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x2d8a1002ad10
Crash State:
  Bad-cast to blink::HTMLElement from blink::SVGSVGElement
  blink::FocusController::NextFocusableElementInForm
  blink::InputMethodController::TextInputFlags
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=479114:479272
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=479572:479616
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5376402601017344

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 16 2017
ClusterFuzz testcase 5376402601017344 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 19 2017
Thanks kochi@ for the tips and patch details. I feel the patch you applied is the solution to the majority of these clusterfuzz crash issues. I shall integrate it and upload a fresh patch. Looks like I can't go beyond the goto.google.com/clusterfuzz-repro step, due to the absence of a @google account.
Jun 20 2017
ajith.v@, in the clusterfuzz page for this issue https://clusterfuzz.com/v2/testcase-detail/5376402601017344?noredirect=1 you can find "You can reproduce this crash on Linux painlessly with our reproduce tool.", which links to https://github.com/google/clusterfuzz-tools. You can follow the instructions in the README.md file in the clusterfuzz-tools site above. If you have any trouble, please let me know.
Jun 20 2017
@kochi - Thanks for those tips, I was able to set up clusterfuzz locally and the build is in progress. BTW, do we have any build farm or building-in-the-cloud concept, so that it will be easy for me to apply and verify changes faster than building locally for a long time? If yes, could you share that information about access and other details?
Jun 21 2017
Unfortunately, GOMA (the cloud compiler used by the Chrome team) is not available to external contributors at this moment. We hear lots of requests at BlinkOn, etc., so people are working on...
Jun 21 2017
I could verify this issue gets fixed with https://codereview.chromium.org/2948593002/
Sep 22 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot