Null-dereference READ in blink::CanBeScrolledIntoView
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6100085825077248

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  blink::CanBeScrolledIntoView
  blink::FocusController::FindFocusCandidateInContainer
  blink::FocusController::AdvanceFocusDirectionallyInContainer

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=473072:473106

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6100085825077248

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 26 2017
Reproduces locally, taking a look.
,
Jun 26 2017
Adding people who might be interested in spatial navigation.
,
Jun 26 2017
Attaching a manually cleaned-up, minimized test case. This seems to happen when a focused element is inside a display:contents container, and its layout object is null. ecobos@, could you take a look?
,
Jun 29 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/74228a3e7750f7065159b9aa00262b3cb5216972

commit 74228a3e7750f7065159b9aa00262b3cb5216972
Author: Emilio Cobos Álvarez <ecobos@igalia.com>
Date: Thu Jun 29 16:54:51 2017

Don't assume all the ancestors of the visible node have layout objects.

This is quite wrong in the presence of display: contents.

BUG=736670

Change-Id: I300e9a4cc9ef7acc4b767f7b955ef9c9779f9b14
Reviewed-on: https://chromium-review.googlesource.com/550255
Reviewed-by: Rune Lillesveen <rune@opera.com>
Reviewed-by: Takayoshi Kochi <kochi@chromium.org>
Commit-Queue: Emilio Cobos Álvarez <ecobos@igalia.com>
Cr-Commit-Position: refs/heads/master@{#483389}

[add] https://crrev.com/74228a3e7750f7065159b9aa00262b3cb5216972/third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-display-contents-crash-expected.txt
[add] https://crrev.com/74228a3e7750f7065159b9aa00262b3cb5216972/third_party/WebKit/LayoutTests/fast/spatial-navigation/snav-display-contents-crash.html
[modify] https://crrev.com/74228a3e7750f7065159b9aa00262b3cb5216972/third_party/WebKit/Source/core/page/SpatialNavigation.cpp
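The commit message above states the fix in one line: ancestors of the focus candidate cannot be assumed to have layout objects, because a display:contents element generates no box. As an added example, not code from this bug thread or from Blink, the following JavaScript models that ancestor walk over a constructed tree containing a display:contents wrapper (layout box null), first in the pre-fix shape, which reads through the null box and throws (the JS analogue of the null-dereference READ at a small offset that ASan reported), then in the fixed shape, which skips ancestors that have no box. The node shape, the field names (`layoutBox`, `scrolls`, `scrollW`/`scrollH`) and the scrollable-area rule are assumptions of this model, not Blink identifiers or Blink's exact geometry.

```javascript
// Added illustration, not Blink's code: a model of the ancestor walk that
// blink::CanBeScrolledIntoView performs over a focus candidate's ancestors,
// and the display:contents hazard the fix addresses. The node shape, the
// `layoutBox` field and the scrollable-area rule are assumptions of this
// model, not Blink identifiers or Blink's exact geometry.

// A layout box in document coordinates. `scrolls` marks a scroll container;
// scrollW/scrollH give the size of its scrollable content.
function layout(x, y, w, h, opts = {}) {
  return {
    x, y, w, h,
    scrolls: !!opts.scrolls,
    scrollW: opts.scrollW || w,
    scrollH: opts.scrollH || h,
  };
}

// A DOM-like node. layoutBox === null models a display:contents element,
// which generates no box (the null LayoutObject behind the crash).
function makeNode(name, layoutBox, children = []) {
  const node = { name, layoutBox, parent: null, children };
  for (const child of children) child.parent = node;
  return node;
}

function rectContains(outer, inner) {
  return inner.x >= outer.x && inner.y >= outer.y &&
         inner.x + inner.w <= outer.x + outer.w &&
         inner.y + inner.h <= outer.y + outer.h;
}

// Region a scroll container can bring into view: its origin plus its
// scrollable content size.
function scrollableArea(box) {
  return { x: box.x, y: box.y, w: box.scrollW, h: box.scrollH };
}

// Pre-fix shape of the walk: every ancestor is assumed to have a box, so the
// overflow flag is read straight off it. On a display:contents ancestor the
// read is on null, the JS analogue of a null-dereference READ at a small
// offset into a LayoutObject.
function canBeScrolledIntoViewBuggy(target) {
  const rect = target.layoutBox;
  for (let p = target.parent; p; p = p.parent) {
    const box = p.layoutBox;
    if (box.scrolls && !rectContains(scrollableArea(box), rect)) return false;
  }
  return true;
}

// Post-fix shape: an ancestor without a layout object generates no box and
// clips nothing, so it is skipped rather than dereferenced.
function canBeScrolledIntoViewFixed(target) {
  const rect = target.layoutBox;
  if (!rect) return false; // the candidate itself has no box: nothing to scroll to
  for (let p = target.parent; p; p = p.parent) {
    const box = p.layoutBox;
    if (!box) continue; // display:contents ancestor
    if (box.scrolls && !rectContains(scrollableArea(box), rect)) return false;
  }
  return true;
}

// Runs the buggy walk and reports either its answer or the exception type.
function runBuggy(target) {
  try {
    return canBeScrolledIntoViewBuggy(target);
  } catch (e) {
    return e.constructor.name; // "TypeError" on a display:contents ancestor
  }
}

// Constructed tree (not the bug's minimized test case): a scrolling viewport,
// a display:contents wrapper, and two focusable children, one inside the
// viewport's scroll range and one beyond it.
function buildTree() {
  const inRange = makeNode("button#near", layout(10, 1500, 100, 30));
  const beyond = makeNode("button#far", layout(10, 2500, 100, 30));
  const wrapper = makeNode("div.contents", null, [inRange, beyond]);
  const viewport = makeNode(
    "html",
    layout(0, 0, 800, 600, { scrolls: true, scrollH: 2000 }),
    [wrapper]
  );
  return { viewport, wrapper, inRange, beyond };
}

const tree = buildTree();
console.log("buggy walk:", runBuggy(tree.inRange));                          // TypeError
console.log("fixed walk, in range:", canBeScrolledIntoViewFixed(tree.inRange)); // true
console.log("fixed walk, beyond:", canBeScrolledIntoViewFixed(tree.beyond));    // false
```

The point of the second walk is that the null check is placed on each ancestor, not only on the candidate: the candidate's own box being non-null says nothing about the boxes of its ancestors once display:contents is in play, which is exactly the assumption the one-line fix removes.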
,
Jun 29 2017
,
Jun 30 2017
ClusterFuzz has detected this issue as fixed in range 483366:483401.

Detailed report: https://clusterfuzz.com/testcase?key=6100085825077248

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  blink::CanBeScrolledIntoView
  blink::FocusController::FindFocusCandidateInContainer
  blink::FocusController::AdvanceFocusDirectionallyInContainer

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=473072:473106
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=483366:483401

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6100085825077248

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Sep 29 2017
,
Sep 29 2017
Comment 1 by tkent@chromium.org, Jun 26 2017