Null-dereference READ in blink::ScriptLoader::ExecuteScriptBlock
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5802862662909952
Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  blink::ScriptLoader::ExecuteScriptBlock
  blink::ScriptLoader::Execute
  blink::ScriptRunner::ExecuteAsyncTask
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=487678:487731
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5802862662909952
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Sep 5 2017
DOM doesn't look related.
Sep 6 2017
Er, PendingScript::GetSource() returns null for errored module scripts.
Sep 6 2017
QUERY: custom_data.ChromeCrashProto.magic_signature_1.name='blink::ScriptLoader::ExecuteScriptBlock' 2 crashes in the wild.
Sep 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a664792a49d7462452d631f090d8f936f6b93252

commit a664792a49d7462452d631f090d8f936f6b93252
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Thu Sep 07 02:41:19 2017

Fix crashes when module scripts are moved between documents and failed loading

PendingScript::GetSource() can return nullptr when error_occurred is set to true, causing null pointer crashes. This CL uses ScriptLoader::GetScriptType() instead of Script::GetScriptType(), which should be equivalent.

Bug: 761625, 721914
Change-Id: Ic8cd45001f7ec385bfda6a3456e61401c9d78760
Reviewed-on: https://chromium-review.googlesource.com/653762
Reviewed-by: Kouhei Ueno <kouhei@chromium.org>
Commit-Queue: Kouhei Ueno <kouhei@chromium.org>
Cr-Commit-Position: refs/heads/master@{#500195}

[modify] https://crrev.com/a664792a49d7462452d631f090d8f936f6b93252/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
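The commit above describes a common shape of null-dereference bug: a getter (PendingScript::GetSource()) returns nullptr once an error has been recorded, and a caller reads a property through that pointer before checking the error state. The fix takes the needed property (the script type) from an object that does not depend on the load succeeding. The following is an added example written for this page, not Blink's code: the class and method names follow the commit message, but every body here is a constructed stand-in, and the ExecResult values and ExecuteScriptBlockBeforeFix name are assumptions used only to contrast the two shapes.

```cpp
#include <cstdio>
#include <memory>

// Constructed model (not Blink's code) of the pattern the fix commit describes.
enum class ScriptType { kClassic, kModule };
enum class ExecResult { kRanClassic, kRanModule, kErrorReported };

struct Script {
  ScriptType type;
  ScriptType GetScriptType() const { return type; }
};

class PendingScript {
 public:
  PendingScript(ScriptType type, bool error_occurred)
      : type_(type), error_occurred_(error_occurred) {
    // A script that failed to load never gets a source object.
    if (!error_occurred_) source_ = std::make_unique<Script>(Script{type});
  }
  // Mirrors the behaviour named in the commit message: once error_occurred is
  // set, GetSource() returns nullptr.
  Script* GetSource() const { return error_occurred_ ? nullptr : source_.get(); }
  bool ErrorOccurred() const { return error_occurred_; }

 private:
  ScriptType type_;
  bool error_occurred_;
  std::unique_ptr<Script> source_;
};

class ScriptLoader {
 public:
  explicit ScriptLoader(ScriptType type) : script_type_(type) {}
  // The loader records the script type from the <script> element itself, so
  // the value is available whether or not the fetch succeeded.
  ScriptType GetScriptType() const { return script_type_; }

  // Pre-fix shape (assumed name): the type is read through the Script object.
  // For an errored module script GetSource() is nullptr, so the call below is
  // the null read that ASan reports. Only safe to call when a source exists.
  ExecResult ExecuteScriptBlockBeforeFix(const PendingScript& pending) const {
    const Script* source = pending.GetSource();
    return source->GetScriptType() == ScriptType::kModule ? ExecResult::kRanModule
                                                          : ExecResult::kRanClassic;
  }

  // Post-fix shape: decide on the loader's own record of the type, and handle
  // the errored-module case before anything touches GetSource().
  ExecResult ExecuteScriptBlock(const PendingScript& pending) const {
    if (GetScriptType() == ScriptType::kModule && pending.ErrorOccurred()) {
      return ExecResult::kErrorReported;  // report the load error, do not execute
    }
    const Script* source = pending.GetSource();
    if (!source) return ExecResult::kErrorReported;  // defensive: no source, no run
    return GetScriptType() == ScriptType::kModule ? ExecResult::kRanModule
                                                  : ExecResult::kRanClassic;
  }

 private:
  ScriptType script_type_;
};

int main() {
  // Constructed inputs: an errored module script and a healthy one.
  PendingScript errored(ScriptType::kModule, /*error_occurred=*/true);
  PendingScript healthy(ScriptType::kModule, /*error_occurred=*/false);
  ScriptLoader loader(ScriptType::kModule);
  std::printf("errored source is null: %d\n", errored.GetSource() == nullptr);
  std::printf("post-fix on errored: %d (2 = error reported)\n",
              static_cast<int>(loader.ExecuteScriptBlock(errored)));
  std::printf("post-fix on healthy: %d (1 = ran module)\n",
              static_cast<int>(loader.ExecuteScriptBlock(healthy)));
  return 0;
}
```

The detection angle is the same as ClusterFuzz's: a null-dereference READ at address 0x00000000 under ASan points at exactly this kind of getter whose nullptr return path was never exercised by the tests; the fix pattern is to keep state that must survive a failed load (here the script type) on an object whose lifetime does not depend on the load.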
Sep 7 2017
ClusterFuzz has detected this issue as fixed in range 500168:500208.
Detailed report: https://clusterfuzz.com/testcase?key=5802862662909952
Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  blink::ScriptLoader::ExecuteScriptBlock
  blink::ScriptLoader::Execute
  blink::ScriptRunner::ExecuteAsyncTask
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=487678:487731
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=500168:500208
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5802862662909952
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 7 2017
ClusterFuzz testcase 5802862662909952 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Sep 4 2017
Components: Blink>DOM
Labels: Test-Predator-Wrong-CLs M-63
Owner: hirosh...@chromium.org
Status: Assigned (was: Untriaged)