Null-dereference READ in blink::TextResourceDecoder::Decode
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5942684987686912
Fuzzer: inferno_twister
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x00000088
Crash State:
  blink::TextResourceDecoder::Decode
  blink::DecodedDataDocumentParser::AppendBytes
  blink::HTMLDocumentParser::AppendBytes
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=495207:495222
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5942684987686912

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Aug 21 2017
Predator could not provide any possible suspects. Assigning to concern owner from the below CL --
https://chromium.googlesource.com/chromium/src/+log/93dc6eedea859ad0105ab813925b8ad4d8b301b8..219e1da7d71acae806e2223332504a426f8a6d65?pretty=fuller&n=10000
Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/06d0ad12bb257b7da70bef82147d4890c5d49f33
@japhet -- Could you please look into the issue, kindly re-assign if this is not related to your changes. Thank You.
Aug 22 2017
Aug 25 2017
Issue 758922 has been merged into this issue.
Aug 26 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be

commit 9a070d9c2d2bda6f5b041a7e0f6a62bd543630be
Author: Nate Chapin <japhet@chromium.org>
Date: Sat Aug 26 05:42:26 2017

Stash DocumentParser on DocumentLoader for the initial parse of a Document

The navigation might be finished/cancelled and replaced with a parser from document.open(), and the two shouldn't be mixed. Prior to https://chromium.googlesource.com/chromium/src/+/e7511b6ade9192af8139739153b236188647bbb7, DocumentWriter was doing this under the hood. That behavior is apparently still needed.

Bug: 757215, 757276
Test: fast/loader/detach-iframe-while-loading-javascript-url.html
Change-Id: I63b4e3a7a933b2a073fe03ee39ebc20ba82af2b8
Reviewed-on: https://chromium-review.googlesource.com/624558
Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Cr-Commit-Position: refs/heads/master@{#497657}

[add] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/LayoutTests/fast/loader/detach-iframe-while-loading-javascript-url-expected.txt
[add] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/LayoutTests/fast/loader/detach-iframe-while-loading-javascript-url.html
[modify] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/Source/core/dom/Document.h
[modify] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
[modify] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/Source/core/loader/DocumentLoader.h
Aug 28 2017
Sep 4 2017
ClusterFuzz testcase 5942684987686912 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Sep 5 2017
ClusterFuzz is correctly reporting that this is crashing at revision 496287, but the fix was introduced in 497657. So I'm not sure what its deal is. I've verified that the repro, which used to crash locally, doesn't crash locally for me anymore.
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.