
Issue 757276 link

Starred by 4 users

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Mac
Pri: 1
Type: Bug




Null-dereference READ in blink::TextResourceDecoder::Decode

Project Member Reported by ClusterFuzz, Aug 21 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5942684987686912

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x00000088
Crash State:
  blink::TextResourceDecoder::Decode
  blink::DecodedDataDocumentParser::AppendBytes
  blink::HTMLDocumentParser::AppendBytes
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=495207:495222

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5942684987686912

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Aug 21 2017

Labels: OS-Mac OS-Android
Cc: msrchandra@chromium.org
Components: Blink>HTML
Labels: Test-Predator-Wrong-CLs M-62
Owner: japhet@chromium.org
Status: Assigned (was: Untriaged)
Predator could not provide any possible suspects.
Assigning to concern owner from the below CL --
https://chromium.googlesource.com/chromium/src/+log/93dc6eedea859ad0105ab813925b8ad4d8b301b8..219e1da7d71acae806e2223332504a426f8a6d65?pretty=fuller&n=10000

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/06d0ad12bb257b7da70bef82147d4890c5d49f33

@japhet -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Project Member

Comment 3 by ClusterFuzz, Aug 22 2017

Labels: OS-Windows

Comment 4 by japhet@chromium.org, Aug 25 2017

Issue 758922 has been merged into this issue.
Project Member

Comment 5 by bugdroid1@chromium.org, Aug 26 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be

commit 9a070d9c2d2bda6f5b041a7e0f6a62bd543630be
Author: Nate Chapin <japhet@chromium.org>
Date: Sat Aug 26 05:42:26 2017

Stash DocumentParser on DocumentLoader for the initial parse of a Document

The navigation might be finished/cancelled and replaced with a parser
from document.open(), and the two shouldn't be mixed.

Prior to https://chromium.googlesource.com/chromium/src/+/e7511b6ade9192af8139739153b236188647bbb7,
DocumentWriter was doing this under the hood. That behavior is apparently
still needed.

Bug: 757215, 757276
Test: fast/loader/detach-iframe-while-loading-javascript-url.html
Change-Id: I63b4e3a7a933b2a073fe03ee39ebc20ba82af2b8
Reviewed-on: https://chromium-review.googlesource.com/624558
Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Cr-Commit-Position: refs/heads/master@{#497657}
[add] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/LayoutTests/fast/loader/detach-iframe-while-loading-javascript-url-expected.txt
[add] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/LayoutTests/fast/loader/detach-iframe-while-loading-javascript-url.html
[modify] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/Source/core/dom/Document.h
[modify] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/Source/core/loader/DocumentLoader.cpp
[modify] https://crrev.com/9a070d9c2d2bda6f5b041a7e0f6a62bd543630be/third_party/WebKit/Source/core/loader/DocumentLoader.h

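The commit message above explains the fix as an ownership change: the loader should keep feeding the parser it created for the navigation, rather than whatever parser the document currently holds, because document.open() can swap that parser out mid-load. The following toy model is an added illustration, not Blink code and not from the commit; every name (TextDecoder, DocumentParser, Document, LoaderBefore, LoaderAfter, RunLoad) is hypothetical, and it assumes, as one way the reported stack trace can arise, that the replacement parser created by document.open() has no decoder attached. The "before" loader re-reads the document's parser on every chunk and hits the missing decoder; the "after" loader stashes its own parser and is unaffected by the swap.

```cpp
#include <iostream>
#include <memory>
#include <string>

// Hypothetical model of the parser-ownership problem; not Blink's classes.
struct TextDecoder {
  std::string Decode(const std::string& bytes) const { return bytes; }
};

struct DocumentParser {
  // A parser created for a network load gets a decoder. The model assumes
  // (the bug page does not say) that a document.open() parser has none.
  std::unique_ptr<TextDecoder> decoder;
  std::string received;

  // Returns false instead of dereferencing a null decoder; in the real
  // crash this is where the null-dereference READ happened.
  bool AppendBytes(const std::string& bytes) {
    if (!decoder) return false;
    received += decoder->Decode(bytes);
    return true;
  }
};

struct Document {
  std::shared_ptr<DocumentParser> parser;
  // document.open(): the navigation's parser is discarded and replaced.
  void Open() { parser = std::make_shared<DocumentParser>(); }
};

static std::shared_ptr<DocumentParser> MakeNavigationParser() {
  auto p = std::make_shared<DocumentParser>();
  p->decoder = std::make_unique<TextDecoder>();
  return p;
}

// Before the fix: the loader always looks up document.parser per chunk.
struct LoaderBefore {
  Document* doc;
  void Start() { doc->parser = MakeNavigationParser(); }
  bool Feed(const std::string& bytes) { return doc->parser->AppendBytes(bytes); }
};

// After the fix: the loader keeps ("stashes") the parser it created and
// only ever feeds that one, so a document.open() swap cannot affect it.
struct LoaderAfter {
  Document* doc;
  std::shared_ptr<DocumentParser> stashed;
  void Start() {
    stashed = MakeNavigationParser();
    doc->parser = stashed;
  }
  bool Feed(const std::string& bytes) { return stashed->AppendBytes(bytes); }
};

// Simulates: first chunk arrives, script calls document.open(), second
// chunk arrives. Returns true only if both chunks were decoded safely.
template <typename Loader>
static bool RunLoad() {
  Document doc;
  Loader loader{&doc};
  loader.Start();
  bool ok = loader.Feed("<html>");
  doc.Open();  // navigation parser replaced mid-load
  ok = loader.Feed("<body>") && ok;
  return ok;
}

bool BeforeFixSurvives() { return RunLoad<LoaderBefore>(); }
bool AfterFixSurvives() { return RunLoad<LoaderAfter>(); }

int main() {
  std::cout << "before fix: " << (BeforeFixSurvives() ? "ok" : "hit null decoder") << "\n";
  std::cout << "after fix:  " << (AfterFixSurvives() ? "ok" : "hit null decoder") << "\n";
  return 0;
}
```

The model's value is the contrast, not the details: any loader that re-derives a collaborator from mutable shared state on every callback is exposed to whatever replaced that state in between, which is why the fix pins the parser to the navigation that created it.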
Comment 6 by japhet@chromium.org, Aug 28 2017

Status: Fixed (was: Assigned)
Project Member

Comment 7 by ClusterFuzz, Sep 4 2017

Labels: Needs-Feedback
ClusterFuzz testcase 5942684987686912 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Labels: -Needs-Feedback -Clusterfuzz ClusterFuzz-Wrong
ClusterFuzz is correctly reporting that this is crashing at revision 496287, but the fix was introduced in 497657. So I'm not sure what its deal is.

I've verified that the repro, which used to crash locally, doesn't crash locally for me anymore.


Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
