Null-dereference READ in blink::TaskRunnerHelper::Get

Issue description (filed by ClusterFuzz, Sep 7 2017)

Detailed report: https://clusterfuzz.com/testcase?key=5414078209327104
Fuzzer: dstockwell-anim-gen
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x000000000088
Crash State:
blink::TaskRunnerHelper::Get
blink::TaskRunnerHelper::Get
blink::HTMLMediaElement::DidMoveToNewDocument
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=499973:499992
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5414078209327104

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Sep 7 2017
This issue looks similar to Bug Id 762769, so assigning to the concerned owner. @japhet -- could you please look into the issue, and kindly re-assign if this is not related to your changes. Thank you.
Sep 7 2017
This doesn't seem to be related to DOM.
Sep 8 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bd98f9c5a1f76edf6fc7b8cbe129837727475c3e

commit bd98f9c5a1f76edf6fc7b8cbe129837727475c3e
Author: Nate Chapin <japhet@chromium.org>
Date: Fri Sep 08 00:43:20 2017

Fix crashes in TaskRunnerHelper

Null-check document->ContextDocument()->GetFrame() when looking up a task runner based on a Document*.

PlatformEventController should be resilient to being initialized based on a detached Document*.

Bug: 762768, 762769, 763040
Test: fast/media/media-element-move-to-new-document.html,gamepad/gamepad-on-detached-navigator.html
Change-Id: I84a1b5876d2483b4dfdc6238df376278ba8b2b72
Reviewed-on: https://chromium-review.googlesource.com/655917
Reviewed-by: Alexander Timin <altimin@chromium.org>
Commit-Queue: Nate Chapin <japhet@chromium.org>
Cr-Commit-Position: refs/heads/master@{#500456}

[add] https://crrev.com/bd98f9c5a1f76edf6fc7b8cbe129837727475c3e/third_party/WebKit/LayoutTests/fast/media/media-element-move-to-new-document-crash-expected.txt
[add] https://crrev.com/bd98f9c5a1f76edf6fc7b8cbe129837727475c3e/third_party/WebKit/LayoutTests/fast/media/media-element-move-to-new-document-crash.html
[add] https://crrev.com/bd98f9c5a1f76edf6fc7b8cbe129837727475c3e/third_party/WebKit/LayoutTests/gamepad/gamepad-on-detached-navigator-expected.txt
[add] https://crrev.com/bd98f9c5a1f76edf6fc7b8cbe129837727475c3e/third_party/WebKit/LayoutTests/gamepad/gamepad-on-detached-navigator.html
[modify] https://crrev.com/bd98f9c5a1f76edf6fc7b8cbe129837727475c3e/third_party/WebKit/Source/core/dom/TaskRunnerHelper.cpp
[modify] https://crrev.com/bd98f9c5a1f76edf6fc7b8cbe129837727475c3e/third_party/WebKit/Source/core/frame/PlatformEventController.cpp
[modify] https://crrev.com/bd98f9c5a1f76edf6fc7b8cbe129837727475c3e/third_party/WebKit/Source/core/frame/PlatformEventController.h
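The fix pattern in the commit above, as an added example that is not Blink's code: a simplified model (the class names mirror Blink's, but the types, the thread-default fallback runner and the scenario function are assumptions) showing the unchecked task-runner lookup that crashes when a media element moves into a document whose frame is already gone, beside the null-checked lookup that falls back safely.

```cpp
// Added example: a simplified model of the TaskRunnerHelper::Get fix.
// The classes are hypothetical stand-ins for Blink's Document/LocalFrame.
#include <string>

struct TaskRunner { std::string name; };

struct LocalFrame {
  TaskRunner runner{"frame runner"};
  TaskRunner* GetTaskRunner() { return &runner; }
};

struct Document {
  LocalFrame* frame = nullptr;    // becomes null once the frame is detached
  Document* context = nullptr;    // context document; may be null
  Document* ContextDocument() { return context; }
  LocalFrame* GetFrame() { return frame; }
};

// Thread-wide default used when no frame scheduler is available (assumption).
static TaskRunner g_thread_default{"thread default runner"};

// Before the fix: assumes the context document still owns a frame. On a
// detached document GetFrame() is null and GetTaskRunner() reads a member
// through that null pointer: a READ at a small address such as 0x88, which
// is the signature ASan reported for this bug.
TaskRunner* GetUnchecked(Document* doc) {
  return doc->ContextDocument()->GetFrame()->GetTaskRunner();
}

// After the fix: null-check document, context document and frame, and fall
// back to the thread default runner instead of dereferencing null.
TaskRunner* GetChecked(Document* doc) {
  LocalFrame* frame = nullptr;
  if (doc && doc->ContextDocument())
    frame = doc->ContextDocument()->GetFrame();
  if (!frame)
    return &g_thread_default;
  return frame->GetTaskRunner();
}

// Models HTMLMediaElement::DidMoveToNewDocument: the element now belongs to
// new_doc. detached = true models a document whose frame was already torn
// down, which is the case the fuzzer found.
std::string RunnerNameAfterMove(bool detached) {
  LocalFrame frame;
  Document new_doc;
  new_doc.context = &new_doc;
  new_doc.frame = detached ? nullptr : &frame;
  return GetChecked(&new_doc)->name;  // safe for both cases
}
```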
Sep 8 2017
ClusterFuzz has detected this issue as fixed in range 500415:500457.

Detailed report: https://clusterfuzz.com/testcase?key=5414078209327104
Fuzzer: dstockwell-anim-gen
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x000000000088
Crash State:
blink::TaskRunnerHelper::Get
blink::TaskRunnerHelper::Get
blink::HTMLMediaElement::DidMoveToNewDocument
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=499973:499992
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=500415:500457
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5414078209327104

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 8 2017
ClusterFuzz testcase 5414078209327104 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.