Security DCHECK failure: offset + length <= text.TextLength() in TextRunConstructor.cpp
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6180752357326848
Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: Security DCHECK failure
Crash Address:
Crash State:
offset + length <= text.TextLength() in TextRunConstructor.cpp
blink::ConstructTextRun
blink::BreakingContext::HandleText
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=482461:482506
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6180752357326848
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 3 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 6 2017
+chrishtr@, could you help triage this issue since you're owner of third_party\WebKit\Source\core\layout\ ? Thanks!
Jul 6 2017
In a layout triggered by editing. r482496 changes the positioning handling for editing and is in the regression range. Seems like a likely culprit. https://codereview.chromium.org/2962473002 No other CLs in the regression range stand out.
Jul 7 2017
The patch[1] mentioned in #c6 changes the parameter type from |Node*| to |const Node&|.
It doesn't change generated code.
I think this isn't a regression; rather, ClusterFuzz reveals an existing issue.
The sample HTML contains embed, canvas, audio, and video. These tags can make the test flaky or
timing dependent.
It seems this is caused by ::first-letter.
```css
p::first-letter {
-webkit-background-origin: initial;
mso-height-source: auto;
mso-displayed-decimal-separator: "\.";
table-layout: auto;
-webkit-box-sizing: border-box;
flood-opacity: 0;
mso-protection: locked visible;
grid-auto-columns: auto;
line-break: before-white-space;
letter-spacing: floatpc;
direction: rtl auto;
text-decoration: line-through;
backdrop-filter: grayscale(80%);
-webkit-shape-margin: 36px; rx: 8px;
-webkit-backface-visibility: visible;
vector-effect: non-scaling-stroke;
overflow: -webkit-paged-x;
text-align: top;
border-top-left-radius: 4vmax
}
```
[1] http://crbug.com/2962473002: Make Position::LastPositionInNode() to take const Node& instead of Node*
Jul 7 2017
Can any of you suggest a triage owner for this issue?
Jul 11 2017
A friendly reminder that M61 branch is coming soon on 07/20! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix ASAP to trunk. This way we branch M61 from a high quality trunk. Thank you.
Jul 12 2017
yosin@, were you able to reproduce? I hit NOTREACHED() in editing and it doesn't reproduce, on non-ASAN win. ASAN win takes forever to build and I haven't been able to try it yet.
Jul 12 2017
I hit L304 NOTREACHED() with |input_event.GetType()| == |kMouseLeave| (4) at WebFrameWidgetBase::PointerLockMouseEvent(). Here is the stack trace:
```
WebFrameWidgetBase::PointerLockMouseEvent(const blink::WebCoalescedInputEvent & coalesced_event) Line 307
blink_web.dll!blink::WebViewImpl::HandleInputEvent(const blink::WebCoalescedInputEvent & coalesced_event) Line 2191
WebViewFrameWidget::HandleInputEvent(const blink::WebCoalescedInputEvent & event) Line 96
content.dll!content::RenderWidgetInputHandler::HandleInputEvent(const blink::WebCoalescedInputEvent & coalesced_event, const ui::LatencyInfo & latency_info, base::Callback<void __cdecl(enum content::InputEventAckState,ui::LatencyInfo const &,std::unique_ptr<ui::DidOverscrollParams,std::default_delete<ui::DidOverscrollParams> >),0,0> callback) Line 311
content.dll!content::RenderWidget::HandleInputEvent(const blink::WebCoalescedInputEvent & input_event, const ui::LatencyInfo & latency_info, base::Callback<void __cdecl(enum content::InputEventAckState,ui::LatencyInfo const &,std::unique_ptr<ui::DidOverscrollParams,std::default_delete<ui::DidOverscrollParams> >),0,0> callback) Line 841
content.dll!content::RenderViewImpl::HandleInputEvent(const blink::WebCoalescedInputEvent & input_event, const ui::LatencyInfo & latency_info, base::Callback<void __cdecl(enum content::InputEventAckState,ui::LatencyInfo const &,std::unique_ptr<ui::DidOverscrollParams,std::default_delete<ui::DidOverscrollParams> >),0,0> callback) Line 2540
content.dll!content::MainThreadEventQueue::HandleEventOnMainThread(const blink::WebCoalescedInputEvent & event, const ui::LatencyInfo & latency, base::Callback<void __cdecl(enum content::InputEventAckState,ui::LatencyInfo const &,std::unique_ptr<ui::DidOverscrollParams,std::default_delete<ui::DidOverscrollParams> >),0,0> handled_callback) Line 544
content.dll!content::QueuedWebInputEvent::Dispatch(content::MainThreadEventQueue * queue) Line 124
content.dll!content::MainThreadEventQueue::DispatchEvents() Line 417
content.dll!base::internal::FunctorTraits<void (__cdecl content::MainThreadEventQueue::*)(void) __ptr64,void>::Invoke<scoped_refptr<content::MainThreadEventQueue> const & __ptr64>(void(content::MainThreadEventQueue::*)() method, const scoped_refptr<content::MainThreadEventQueue> & receiver_ptr) Line 210
content.dll!base::internal::InvokeHelper<0,void>::MakeItSo<void (__cdecl content::MainThreadEventQueue::*const & __ptr64)(void) __ptr64,scoped_refptr<content::MainThreadEventQueue> const & __ptr64>(void(content::MainThreadEventQueue::*)() & functor, const scoped_refptr<content::MainThreadEventQueue> & <args_0>) Line 277
content.dll!base::internal::Invoker<base::internal::BindState<void (__cdecl content::MainThreadEventQueue::*)(void) __ptr64,scoped_refptr<content::MainThreadEventQueue> >,void __cdecl(void)>::RunImpl<void (__cdecl content::MainThreadEventQueue::*const & __ptr64)(void) __ptr64,std::tuple<scoped_refptr<content::MainThreadEventQueue> > const & __ptr64,0>(void(content::MainThreadEventQueue::*)() & functor, const std::tuple<scoped_refptr<content::MainThreadEventQueue> > & bound, base::IndexSequence<0> __formal) Line 355
content.dll!base::internal::Invoker<base::internal::BindState<void (__cdecl content::MainThreadEventQueue::*)(void) __ptr64,scoped_refptr<content::MainThreadEventQueue> >,void __cdecl(void)>::Run(base::internal::BindStateBase * base) Line 333
base.dll!base::Callback<void __cdecl(void),0,0>::Run() Line 91
base.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, base::PendingTask * pending_task) Line 61
blink_platform.dll!blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue * work_queue, bool is_nested, blink::scheduler::LazyNow time_before_task, base::TimeTicks * time_after_task) Line 533
blink_platform.dll!blink::scheduler::TaskQueueManager::DoWork(bool delayed) Line 328
blink_platform.dll!base::internal::FunctorTraits<void (__cdecl blink::scheduler::TaskQueueManager::*)(bool) __ptr64,void>::Invoke<base::WeakPtr<blink::scheduler::TaskQueueManager> const & __ptr64,bool const & __ptr64>(void(blink::scheduler::TaskQueueManager::*)(bool) method, const base::WeakPtr<blink::scheduler::TaskQueueManager> & receiver_ptr, const bool & <args_0>) Line 210
blink_platform.dll!base::internal::InvokeHelper<1,void>::MakeItSo<void (__cdecl blink::scheduler::TaskQueueManager::*const & __ptr64)(bool) __ptr64,base::WeakPtr<blink::scheduler::TaskQueueManager> const & __ptr64,bool const & __ptr64>(void(blink::scheduler::TaskQueueManager::*)(bool) & functor, const base::WeakPtr<blink::scheduler::TaskQueueManager> & weak_ptr, const bool & <args_0>) Line 298
blink_platform.dll!base::internal::Invoker<base::internal::BindState<void (__cdecl blink::scheduler::TaskQueueManager::*)(bool) __ptr64,base::WeakPtr<blink::scheduler::TaskQueueManager>,bool>,void __cdecl(void)>::RunImpl<void (__cdecl blink::scheduler::TaskQueueManager::*const & __ptr64)(bool) __ptr64,std::tuple<base::WeakPtr<blink::scheduler::TaskQueueManager>,bool> const & __ptr64,0,1>(void(blink::scheduler::TaskQueueManager::*)(bool) & functor, const std::tuple<base::WeakPtr<blink::scheduler::TaskQueueManager>,bool> & bound, base::IndexSequence<0,1> __formal) Line 355
blink_platform.dll!base::internal::Invoker<base::internal::BindState<void (__cdecl blink::scheduler::TaskQueueManager::*)(bool) __ptr64,base::WeakPtr<blink::scheduler::TaskQueueManager>,bool>,void __cdecl(void)>::Run(base::internal::BindStateBase * base) Line 333
base.dll!base::Callback<void __cdecl(void),0,0>::Run() Line 91
base.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, base::PendingTask * pending_task) Line 61
base.dll!base::MessageLoop::RunTask(base::PendingTask * pending_task) Line 423
base.dll!base::MessageLoop::DeferOrRunPendingTask(base::PendingTask pending_task) Line 436
base.dll!base::MessageLoop::DoWork() Line 540
base.dll!base::MessagePumpForUI::DoRunLoop() Line 173
base.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate) Line 58
base.dll!base::MessageLoop::Run() Line 370
base.dll!base::RunLoop::Run() Line 112
base.dll!base::Thread::Run(base::RunLoop * run_loop) Line 256
base.dll!base::Thread::ThreadMain() Line 341
base.dll!base::`anonymous namespace'::ThreadFunc(void * params) Line 91
```
Jul 12 2017
Run with --run-layout-test I hit DCHECK_LE(min, max) at L369 of clampTo(). Stack trace:
```
clampTo<int,float>(float value, int min, int max) Line 369
blink::FlooredIntPoint(const blink::FloatPoint & p) Line 222
blink::EnclosingIntRect(const blink::FloatRect & rect) Line 257
blink::LayoutGeometryMap::MapToAncestor(const blink::FloatRect & rect, const blink::LayoutBoxModelObject * ancestor) Line 189
blink::LayoutGeometryMap::AbsoluteRect(const blink::FloatRect & rect) Line 61
blink::CompositingInputsUpdater::UpdateRecursive(blink::PaintLayer * layer, blink::CompositingInputsUpdater::UpdateType update_type, blink::CompositingInputsUpdater::AncestorInfo info) Line 162
blink::CompositingInputsUpdater::UpdateRecursive(blink::PaintLayer * layer, blink::CompositingInputsUpdater::UpdateType update_type, blink::CompositingInputsUpdater::AncestorInfo info) Line 264
blink::CompositingInputsUpdater::UpdateRecursive(blink::PaintLayer * layer, blink::CompositingInputsUpdater::UpdateType update_type, blink::CompositingInputsUpdater::AncestorInfo info) Line 264
blink::CompositingInputsUpdater::UpdateRecursive(blink::PaintLayer * layer, blink::CompositingInputsUpdater::UpdateType update_type, blink::CompositingInputsUpdater::AncestorInfo info) Line 264
blink::CompositingInputsUpdater::UpdateRecursive(blink::PaintLayer * layer, blink::CompositingInputsUpdater::UpdateType update_type, blink::CompositingInputsUpdater::AncestorInfo info) Line 264
blink::CompositingInputsUpdater::UpdateRecursive(blink::PaintLayer * layer, blink::CompositingInputsUpdater::UpdateType update_type, blink::CompositingInputsUpdater::AncestorInfo info) Line 264
blink::CompositingInputsUpdater::UpdateRecursive(blink::PaintLayer * layer, blink::CompositingInputsUpdater::UpdateType update_type, blink::CompositingInputsUpdater::AncestorInfo info) Line 264
blink::CompositingInputsUpdater::Update() Line 27
blink::PaintLayerCompositor::UpdateIfNeeded(blink::DocumentLifecycle::LifecycleState target_state) Line 412
blink::PaintLayerCompositor::UpdateIfNeededRecursiveInternal(blink::DocumentLifecycle::LifecycleState target_state) Line 230
blink::PaintLayerCompositor::UpdateIfNeededRecursive(blink::DocumentLifecycle::LifecycleState target_state) Line 186
blink::LocalFrameView::UpdateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState target_state) Line 3134
blink::LocalFrameView::UpdateLifecycleToCompositingCleanPlusScrolling() Line 2970
blink::LayoutView::HitTest(blink::HitTestResult & result) Line 121
blink::LayoutViewItem::HitTest(blink::HitTestResult & result) Line 45
blink::TreeScope::ElementsFromPoint(int x, int y) Line 304
blink::DocumentOrShadowRoot::elementsFromPoint(blink::TreeScope & tree_scope, int x, int y) Line 44
blink::DocumentV8Internal::elementsFromPointMethod(const v8::FunctionCallbackInfo<v8::Value> & info) Line 4217
blink::V8Document::elementsFromPointMethodCallback(const v8::FunctionCallbackInfo<v8::Value> & info) Line 5958
v8.dll!v8::internal::FunctionCallbackArguments::Call(void(*)(const v8::FunctionCallbackInfo<v8::Value> &) f) Line 26
v8.dll!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>(v8::internal::Isolate * isolate, v8::internal::Handle<v8::internal::HeapObject> function, v8::internal::Handle<v8::internal::HeapObject> new_target, v8::internal::Handle<v8::internal::FunctionTemplateInfo> fun_data, v8::internal::Handle<v8::internal::Object> receiver, v8::internal::BuiltinArguments args) Line 114
v8.dll!v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments args, v8::internal::Isolate * isolate) Line 142
v8.dll!v8::internal::Builtin_HandleApiCall(int args_length, v8::internal::Object * * args_object, v8::internal::Isolate * isolate) Line 130
```
Jul 12 2017
yosin@, are you using win ASAN? I'm still unable to build win ASAN. It builds (takes 2-3 hours), but then I get:
```
==559728==Shadow memory range interleaves with an existing memory mapping. ASan cannot proceed correctly. ABORTING.
==559728==ASan shadow was supposed to be located in the [0x2fff0000-0x4fffffff] range.
```
No instructions to build win ASAN at: http://www.chromium.org/developers/testing/addresssanitizer
I might try linux ASAN and win non-ASAN, probably with DCHECK disabled. Another few hours to build them...
Jul 12 2017
kojii@, I don't use ASAN.
Jul 12 2017
Doesn't repro on Linux ASAN with DCHECK disabled. With DCHECK enabled, it hits the DCHECK mentioned in #12/#13 and thus does not repro either. I'll try to build Win non-ASAN with DCHECK disabled tomorrow.
Jul 13 2017
Now I believe this is a problem in Win ASAN. Here's what I have tried:
1. Tried on Linux ASAN, this does not reproduce.
2. Tried to build Win ASAN without luck.
3. Tried on Win non-ASAN, hit lots of DCHECKs and cannot verify.
4. Tried on Win non-ASAN, Release, no-DCHECK, and the SECURITY_DCHECK changed to CHECK. This does not reproduce.
args.gn for config 4 is here:
```
enable_nacl = false
is_debug = false
use_goma = true
goma_dir = "D:\goma\goma-win64"
is_win_fastlink = true
```
If anyone can point out what I'm missing, or can build Win ASAN and can reproduce, it's appreciated.
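For readers following the DCHECK-vs-CHECK discussion above: the crash state in the report is the bounds invariant for the slice of a text node that becomes a text run, and a (SECURITY_)DCHECK is compiled out of Chromium release builds, so the only thing standing between a violated invariant and an out-of-bounds read is whatever check remains. The block below is an added illustration written for this page, not Blink's ConstructTextRun or any code from this thread; TextRun, NaiveInRange, SafeInRange and ConstructTextRunChecked are hypothetical stand-ins. It shows the invariant as written in the DCHECK, the unsigned-wrap case in which that literal form accepts an out-of-range slice, and an overflow-safe form that refuses to build the run instead of reading past the buffer. Whether Blink's real offset and length types make the wrap reachable is not something this bug establishes; the example is about the shape of the check.

```cpp
// Added example, not Blink code. Demonstrates the invariant behind the
// Security DCHECK "offset + length <= text.TextLength()" and an overflow-safe
// way to enforce it in a build where DCHECKs are compiled out.
#include <cstdint>
#include <optional>
#include <string>
#include <string_view>

// Hypothetical stand-in for a run built from a slice of a text node's characters.
struct TextRun {
    std::string_view chars;  // non-owning view into the backing text
    uint32_t offset;
    uint32_t length;
};

// The check exactly as the DCHECK condition states it. Two problems in a
// release build: the DCHECK itself is gone, and even when evaluated the
// unsigned sum offset + length can wrap and accept an out-of-range slice.
bool NaiveInRange(uint32_t offset, uint32_t length, uint32_t text_length) {
    return offset + length <= text_length;  // wraps when the true sum exceeds UINT32_MAX
}

// Same invariant, rearranged so no intermediate value can overflow:
// length must fit, and offset must not exceed the room left after length.
bool SafeInRange(uint32_t offset, uint32_t length, uint32_t text_length) {
    return length <= text_length && offset <= text_length - length;
}

// Builds the run only when the slice lies inside the backing text. On a
// violated invariant the caller gets nullopt rather than a view that would
// read past the end of the buffer (which is what ASAN would flag at runtime).
std::optional<TextRun> ConstructTextRunChecked(const std::string& text,
                                               uint32_t offset,
                                               uint32_t length) {
    const uint32_t text_length = static_cast<uint32_t>(text.size());
    if (!SafeInRange(offset, length, text_length))
        return std::nullopt;
    return TextRun{std::string_view(text).substr(offset, length), offset, length};
}
```

The point of the two predicates is the pair (offset = 0xFFFFFFFF, length = 2) against a 5-character text: the naive sum wraps to 1 and passes, while the rearranged form rejects it. A CHECK (or SECURITY_CHECK) on SafeInRange survives into release builds; a DCHECK on either form does not, which is why comment #15's rebuild with SECURITY_DCHECK turned into CHECK is a reasonable way to look for the underlying out-of-bounds condition without a sanitizer.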
Jul 20 2017
ClusterFuzz testcase 6180752357326848 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Oct 19 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot