Null-dereference READ in blink::KURL::IsNull
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5536586535272448
Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x00000208
Crash State:
  blink::KURL::IsNull
  blink::Document::FallbackBaseURL
  blink::Document::ProcessBaseElement
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=490252:490299
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5536586535272448
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Aug 1 2017
@tkent, can you please have a look? A local bisect points to https://chromium-review.googlesource.com/588728, which changes some code in the immediate vicinity of the crash location. It's super easy to reproduce. On e.g. x64 debug, run content_shell with the minimized repro from Clusterfuzz. It doesn't reproduce 100% reliably, but for me it seems to always repro after two or three tries.
Aug 1 2017
Aug 2 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0d862af0161839aac40d476966db504ebe940ab4

commit 0d862af0161839aac40d476966db504ebe940ab4
Author: Kent Tamura <tkent@chromium.org>
Date: Wed Aug 02 05:39:59 2017

Fix a crash by adding <base> to a detached srcdoc document.

ParentDocument() can be nullptr.

Bug: 750836
Change-Id: Idff5feeececa8ad32f3248c565c878902dd24ffc
Reviewed-on: https://chromium-review.googlesource.com/597370
Commit-Queue: Kent Tamura <tkent@chromium.org>
Reviewed-by: Hayato Ito <hayato@chromium.org>
Cr-Commit-Position: refs/heads/master@{#491277}

[modify] https://crrev.com/0d862af0161839aac40d476966db504ebe940ab4/third_party/WebKit/LayoutTests/html/README.md
[add] https://crrev.com/0d862af0161839aac40d476966db504ebe940ab4/third_party/WebKit/LayoutTests/html/infrastructure/fallback_base_url-expected.txt
[add] https://crrev.com/0d862af0161839aac40d476966db504ebe940ab4/third_party/WebKit/LayoutTests/html/infrastructure/fallback_base_url.html
[modify] https://crrev.com/0d862af0161839aac40d476966db504ebe940ab4/third_party/WebKit/Source/core/dom/Document.cpp
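The commit title and the crash state together describe the trigger: a srcdoc document whose frame has been removed has no ParentDocument(), and ProcessBaseElement still asks FallbackBaseURL() for the parent's base URL to resolve the new base href. The page below is an added sketch of that sequence written for this page; it is not the ClusterFuzz testcase and not the fallback_base_url.html layout test from the commit. The load handler, the about:blank href and inserting into head are assumptions made here to make the sequence concrete.

```html
<!DOCTYPE html>
<!-- Constructed repro sketch for crbug 750836; not the ClusterFuzz testcase. -->
<iframe id="f" srcdoc="<p>srcdoc</p>"></iframe>
<script>
const frame = document.getElementById('f');
frame.addEventListener('load', () => {
  // Keep a script reference to the srcdoc document, then detach its frame.
  // Once detached the document has no frame, so ParentDocument() is null.
  const doc = frame.contentDocument;
  frame.remove();

  // Inserting a <base> with an href runs Document::ProcessBaseElement, which
  // resolves the href against FallbackBaseURL(). For a srcdoc document that
  // fallback is the parent document's base URL, the path that dereferenced
  // null before the fix. (Assumption: head exists in the parsed srcdoc.)
  const base = doc.createElement('base');
  base.href = 'about:blank';
  doc.head.appendChild(base);

  // On a fixed build we get here instead of hitting the ASAN report.
  document.body.appendChild(document.createTextNode('PASS: no crash'));
});
</script>
```

Run it in an ASAN content_shell from a build inside the regressed range to confirm the crash, and on a build at or after r491277 to confirm the fix; comment 1 notes it may take a few tries to reproduce.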
Aug 3 2017
Aug 4 2017
ClusterFuzz has detected this issue as fixed in range 491244:491285.
Detailed report: https://clusterfuzz.com/testcase?key=5536586535272448
Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x00000208
Crash State:
  blink::KURL::IsNull
  blink::Document::FallbackBaseURL
  blink::Document::ProcessBaseElement
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=490252:490299
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=491244:491285
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5536586535272448
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 4 2017
ClusterFuzz testcase 5536586535272448 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Aug 1 2017
Labels: M-62 Test-Predator-Wrong
Owner: vogelheim@chromium.org
Status: Assigned (was: Untriaged)