New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 761326 link

Starred by 1 user
Status: WontFix
Owner:
kochi@chromium.org
Last visit > 30 days ago
Closed: Sep 2017
Cc:
msrchandra@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug



Sign in to add a comment

Null-dereference in blink::Node::IsShadowRoot

Project Member Reported by ClusterFuzz, Sep 1 2017 
Detailed report: https://clusterfuzz.com/testcase?key=5987509749415936

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: Null-dereference
Crash Address: 0x0000000b
Crash State:
  blink::Node::IsShadowRoot
  blink::Document::UpdateStyleAndLayoutTreeForNode
  blink::TreeScope::getElementById
  
Memory Tool: SYZYASAN

Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=498677:498753

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5987509749415936

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by msrchandra@chromium.org, Sep 5 2017

Cc: msrchandra@chromium.org
Labels: Test-Predator-Wrong
Owner: hayato@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.
Using Code Search for the file, "treescope.cpp" assigning to the concern owner from GIT Blame.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/933dc3199a9418e3c5b1d14d681d976867e8e4f9

@hayato -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by hayato@chromium.org, Sep 6 2017

Owner: kochi@chromium.org
kochi@, could you triage?
input.focus() is used in the reproducer testcase.

Comment 3 by kochi@chromium.org, Sep 6 2017 

Reproduced locally.  Will take a look.

Comment 4 by kochi@chromium.org, Sep 6 2017

Status: WontFix (was: Assigned)
The test is invalid.

Test is getting shadow root of <input> via window.internals.shadowRoot()
API.  This is not web-exposed and same issue won't happen for shadow hosts
that are created by JS-exposed .attachShadow() API.

Sign in to add a comment