Null-dereference READ in blink::LayoutSelection::Commit

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6335304792539136
Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::LayoutSelection::Commit
  blink::LayoutView::CommitPendingSelection
  blink::PaintLayerCompositor::UpdateIfNeededRecursiveInternal
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=496838:496888
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6335304792539136

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Aug 28 2017

Predator did not provide any possible suspects. Assigning to concern owner from CL -- https://chromium.googlesource.com/chromium/src/+log/42810e97655ae281891d436544891bebd4cf9f34..83143bb64888a87fa49c7053a4c775fa2b38144a?pretty=fuller&n=10000

Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/bbcefe73280faa1c5b52349df11f45906ce14d44

@yoichio -- Could you please look into the issue, kindly re-assign if this is not related to your changes. Thank You.
Aug 28 2017

Aug 28 2017

Aug 29 2017

Issue 758771 has been merged into this issue.
Aug 29 2017

Aug 30 2017

Issue 758761 has been merged into this issue.
Aug 31 2017

Issue 760529 has been merged into this issue.
Sep 5 2017

Issue 761285 has been merged into this issue.
Sep 5 2017

Testcase 5665167756230656 is a top crash on ClusterFuzz for windows platform. Marking this crash as a stable release blocker. If this is incorrect, remove the ReleaseBlock label.
Sep 6 2017

ClusterFuzz testcase 6186961856626688 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 6 2017

[Auto-generated comment by a script] We noticed that this issue is targeted for M-62; it appears the fix may have landed after branch point, meaning a merge might be required. Please confirm if a merge is required here - if so add Merge-Request-62 label, otherwise remove Merge-TBD label. Thanks.
Sep 7 2017

There are crashes in the wild and I'm working on it.
Sep 8 2017

Removing Merge-TBD label. If a merge is required, please add Merge-Request-62 label.
Sep 10 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/8a45da39c3a57dbc3b5a8d04e9445357b67e4000

commit 8a45da39c3a57dbc3b5a8d04e9445357b67e4000
Author: yoichio <yoichio@chromium.org>
Date: Sun Sep 10 01:34:52 2017

Check PositionInFlatTree validity in LayoutSelection.

|ToPositionInFlatTree(pos_in_dom)| returned invalid PositionInFlatTree when |pos_in_dom| is not settled in flat tree. This patch checks validity of returned PositionInFlatTree.

Bug: 759364
Change-Id: I859e5cfb57a40a9b1f7c1e39a911707a4959f60c
Reviewed-on: https://chromium-review.googlesource.com/656778
Commit-Queue: Yoichi Osato <yoichio@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#500806}

[modify] https://crrev.com/8a45da39c3a57dbc3b5a8d04e9445357b67e4000/third_party/WebKit/Source/core/editing/LayoutSelection.cpp
[modify] https://crrev.com/8a45da39c3a57dbc3b5a8d04e9445357b67e4000/third_party/WebKit/Source/core/editing/LayoutSelectionTest.cpp
Sep 10 2017

ClusterFuzz has detected this issue as fixed in range 500805:500806.

Detailed report: https://clusterfuzz.com/testcase?key=6335304792539136
Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::LayoutSelection::Commit
  blink::LayoutView::CommitPendingSelection
  blink::PaintLayerCompositor::UpdateIfNeededRecursiveInternal
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=496838:496888
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=500805:500806
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6335304792539136

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 11 2017

Sep 11 2017

Thanks for the fix. Have you already confirmed and verified this in Canary? If yes, then approving this merge for M62 (branch:3202).
Sep 14 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/932e353dcb35e7427fede775ad3b423c2a926cd3

commit 932e353dcb35e7427fede775ad3b423c2a926cd3
Author: yoichio <yoichio@chromium.org>
Date: Thu Sep 14 04:58:48 2017

Check PositionInFlatTree validity in LayoutSelection.

|ToPositionInFlatTree(pos_in_dom)| returned invalid PositionInFlatTree when |pos_in_dom| is not settled in flat tree. This patch checks validity of returned PositionInFlatTree.

Bug: 759364
Change-Id: I859e5cfb57a40a9b1f7c1e39a911707a4959f60c
Reviewed-on: https://chromium-review.googlesource.com/656778
Commit-Queue: Yoichi Osato <yoichio@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#500806}
(cherry picked from commit 8a45da39c3a57dbc3b5a8d04e9445357b67e4000)
Reviewed-on: https://chromium-review.googlesource.com/666364
Reviewed-by: Yoichi Osato <yoichio@chromium.org>
Cr-Commit-Position: refs/branch-heads/3202@{#215}
Cr-Branched-From: fa6a5d87adff761bc16afc5498c3f5944c1daa68-refs/heads/master@{#499098}

[modify] https://crrev.com/932e353dcb35e7427fede775ad3b423c2a926cd3/third_party/WebKit/Source/core/editing/LayoutSelection.cpp
[modify] https://crrev.com/932e353dcb35e7427fede775ad3b423c2a926cd3/third_party/WebKit/Source/core/editing/LayoutSelectionTest.cpp
Sep 22 2017

Sep 22 2017
Comment 1 by ClusterFuzz, Aug 27 2017