New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 734697 link

Starred by 1 user
Status: WontFix
Owner:
wangxianzhu@chromium.org
Closed: Oct 2017
Cc:
msrchandra@chromium.org
vmp...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug



Sign in to add a comment

Crash in blink::PaintController::CheckUnderInvalidation

Project Member Reported by ClusterFuzz, Jun 19 2017 
Detailed report: https://clusterfuzz.com/testcase?key=4621409224753152

Fuzzer: mbarbella_js_mutation_layout
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0xa61c4880
Crash State:
  blink::PaintController::CheckUnderInvalidation
  blink::PaintController::ProcessNewItem
  blink::PaintController::CreateAndAppend<blink::DrawingDisplayItem,const
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4621409224753152


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by msrchandra@chromium.org, Jun 21 2017

Cc: msrchandra@chromium.org
Components: Blink>Paint
Labels: M-61 Test-Predator-Correct-CLs
Owner: brettw@chromium.org
Status: Assigned (was: Untriaged)
Assigning to concern owner from Predator results --
Regression information is not available. The result is the blame information. 

Author: brettw@google.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/d028296ec1c0fdfbd40e2390ca3121de7055295d
Time: Sat Jan 01 16:08:52 2011
The CL last changed line 18 of file debugger_win.cc, which is stack frame 0. 

Author: rch@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/82d89abc03ea6fd6b9258f0e57be0290b33d7eb1
Time: Fri Feb 28 18:25:34 2014
The CL last changed line 783 of file logging.cc, which is stack frame 1. 

Author: chrishtr@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/7a25d907698e89274bebe3cabf8865bff2b63384
Time: Wed Sep 10 16:29:19 2014
The CL last changed line 199 of file BoxPainter.cpp, which is stack frame 6.

@brettw -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by schenney@chromium.org, Jun 21 2017

Labels: PaintTeamTriaged-20170621 BugSource-Chromium
Owner: wangxianzhu@chromium.org

Comment 3 by wangxianzhu@chromium.org, Jun 21 2017

Components: -Blink>Paint Blink>Paint>Invalidation
Labels: -Pri-1 Pri-3
Lower the priority because this happens only for a feature that is not enabled by default.
Project Member

Comment 4 by ClusterFuzz, Oct 4 2017

Status: WontFix (was: Assigned)
ClusterFuzz testcase 4621409224753152 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment