
Issue 765562 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug




Stack-overflow in void blink::SerializeNodesWithNamespaces<blink::EditingAlgorithm<blink::NodeTrav

Project Member Reported by ClusterFuzz, Sep 15 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6440338834325504

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0xff2e4f9c
Crash State:
  void blink::SerializeNodesWithNamespaces<blink::EditingAlgorithm<blink::NodeTrav
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=470941:470958

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6440338834325504

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: msrchandra@chromium.org pnangunoori@chromium.org
Components: Blink>Layout
Labels: Test-Predator-Wrong-CLs M-63 CF-NeedsTriage
Unable to provide possible suspect using Predator, Cl and Code Search.
Could someone please look into the issue.
Thank You.

Comment 2 by e...@chromium.org, Sep 15 2017

Components: -Blink>Layout Blink>Editing

Comment 3 by ClusterFuzz, Sep 16 2017

Labels: OS-Mac

Comment 4 by yosin@chromium.org, Sep 19 2017

Components: -Blink>Editing Blink>DOM
Labels: OS-Windows
Route to Blink>DOM since I hit DCHECK() in TreeScopeAdopter::UpdateTreeScope():
TreeScopeAdopter.cpp(129) Check failed: node.GetTreeScope() == OldScope()

Note: In M60, template.content.appendChild(template) throws DOMException:
Failed to execute 'appendChild' on 'Node': The new child element contains the parent.

Note: M63 shows "Aw, Snap!" page.


# Stack trace
TreeScopeAdopter::UpdateTreeScope(blink::Node & node) Line 130
TreeScopeAdopter::MoveTreeToNewScope(blink::Node & root) Line 64
TreeScopeAdopter::Execute() Line 42
TreeScope::AdoptIfNeeded(blink::Node & node) Line 357
Document::adoptNode(blink::Node * source, blink::ExceptionState & exception_state) Line 1357
DocumentV8Internal::adoptNodeMethod(const v8::FunctionCallbackInfo<v8::Value> & info) Line 3427
V8Document::adoptNodeMethodCallback(const v8::FunctionCallbackInfo<v8::Value> & info) Line 6373
v8.dll!v8::internal::FunctionCallbackArguments::Call(void(*)(const v8::FunctionCallbackInfo<v8::Value> &) f) Line 26
v8.dll!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>(v8::internal::Isolate * isolate, v8::internal::Handle<v8::internal::HeapObject> function, v8::internal::Handle<v8::internal::HeapObject> new_target, v8::internal::Handle<v8::internal::FunctionTemplateInfo> fun_data, v8::internal::Handle<v8::internal::Object> receiver, v8::internal::BuiltinArguments args) Line 114
v8.dll!v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments args, v8::internal::Isolate * isolate) Line 142
v8.dll!v8::internal::Builtin_HandleApiCall(int args_length, v8::internal::Object * * args_object, v8::internal::Isolate * isolate) Line 130

Comment 5 by hayato@chromium.org, Sep 19 2017

Owner: kochi@chromium.org
Isn't it a stack overflow, is it?
Would it hit the DCHECK without a stack overflow?

kochi@, could you triage with yosin@?

Comment 6 by kochi@chromium.org, Sep 19 2017

Status: Assigned (was: Untriaged)

Comment 7 by kochi@chromium.org, Sep 26 2017

Status: Started (was: Assigned)
Analyzed the issue.

<template id=template></template>
<script>
var doc1 = document.implementation.createDocument("", null);
doc1.adoptNode(template.content);  
template.content.appendChild(template);  // (*1)
...
... = template.innerHTML  // (*2)
</script>

So the (*1) line creates a circle with the template element.
Thus the (*2) line consumes infinite memory.

Other browsers (Firefox, Safari) throw a HierarchyRequestError exception
on the (*1) line.

Will work on fix immediately.

Comment 8 by bugdroid1@chromium.org, Sep 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e1eb32d154d790993961b2ec14114895a8312ee5

commit e1eb32d154d790993961b2ec14114895a8312ee5
Author: Takayoshi Kochi <kochi@chromium.org>
Date: Thu Sep 28 11:06:43 2017

Fix template content check in host-including inclusive ancestor algorithm

ContainerNode::IsHostIncludingInclusiveAncestorOfThis() implements
https://dom.spec.whatwg.org/#concept-tree-host-including-inclusive-ancestor

The function checks if a node (as a context object) is in
a template document by using |GetDocument().IsTemplateDocument()|
which doesn't work if |template.content| (a DocumentFragment) is
adopted to some other document.

This could make it possible for template.content to make circular
DOM tree.

Bug:  765562 
Change-Id: I69a637f6d115265029f852b9847ea4e421599c2e
Reviewed-on: https://chromium-review.googlesource.com/683857
Reviewed-by: Kent Tamura <tkent@chromium.org>
Reviewed-by: Hayato Ito <hayato@chromium.org>
Commit-Queue: Takayoshi Kochi <kochi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504964}
[add] https://crrev.com/e1eb32d154d790993961b2ec14114895a8312ee5/third_party/WebKit/LayoutTests/external/wpt/html/semantics/scripting-1/the-template-element/template-element/template-content-hierarcy.html
[modify] https://crrev.com/e1eb32d154d790993961b2ec14114895a8312ee5/third_party/WebKit/Source/core/dom/ContainerNode.cpp
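The reproduction in comment 7 and the root cause in the commit message above can be replayed outside a browser with a small model of the DOM pieces involved. The code below is an added example, not Blink code and not part of this bug report: the classes (Node, Document, DocumentFragment, TemplateElement), the `isTemplateDocument` flag and the function names are all assumptions made for the model. `isHostIncludingInclusiveAncestorSpec` follows the DOM spec algorithm the commit cites (walk from the fragment to its host); `isHostIncludingInclusiveAncestorBuggy` models what the commit message describes, deciding "is this template content?" from the fragment's document rather than from its host, so the answer changes as soon as `template.content` is adopted into another document. `reproduce()` runs the steps of comment 7 against either check and reports whether `appendChild` refused the insertion or the serializer hit the cycle.

```javascript
// Added model (not Blink code) of crbug.com/765562: template.content adopted
// into another document, then appended to its own host.

class Node {
  constructor(name, ownerDocument) {
    this.name = name;
    this.ownerDocument = ownerDocument;
    this.parentNode = null;
    this.childNodes = [];
  }
  get root() {                        // topmost node reachable via parentNode
    let n = this;
    while (n.parentNode) n = n.parentNode;
    return n;
  }
}
class Document extends Node {
  constructor(name, isTemplateDocument) {
    super(name, null);
    this.ownerDocument = this;
    this.isTemplateDocument = isTemplateDocument;  // assumed flag, models IsTemplateDocument()
    this.templateContentsOwner = null;
  }
}
class DocumentFragment extends Node {
  constructor(doc, host) { super('#document-fragment', doc); this.host = host; }
}
class Element extends Node {}
class TemplateElement extends Element {
  constructor(doc) {
    super('template', doc);
    // Template contents live in a separate inert document, but the fragment
    // also records its host; the spec algorithm walks through the host.
    if (!doc.templateContentsOwner) doc.templateContentsOwner = new Document('#template-doc', true);
    this.content = new DocumentFragment(doc.templateContentsOwner, this);
  }
}

function isInclusiveAncestor(a, b) {
  for (let n = b; n; n = n.parentNode) if (n === a) return true;
  return false;
}

// https://dom.spec.whatwg.org/#concept-tree-host-including-inclusive-ancestor
function isHostIncludingInclusiveAncestorSpec(a, b) {
  if (isInclusiveAncestor(a, b)) return true;
  const root = b.root;
  return root instanceof DocumentFragment && root.host !== null &&
         isHostIncludingInclusiveAncestorSpec(a, root.host);
}

// Model of the pre-fix check as the commit message describes it: "template
// content?" is answered from the fragment's document, which is no longer the
// template document once the fragment has been adopted elsewhere.
function isHostIncludingInclusiveAncestorBuggy(a, b) {
  if (isInclusiveAncestor(a, b)) return true;
  const root = b.root;
  return root instanceof DocumentFragment && root.ownerDocument.isTemplateDocument &&
         isHostIncludingInclusiveAncestorBuggy(a, root.host);
}

// appendChild pre-insertion step: node must not be a host-including inclusive
// ancestor of parent, otherwise HierarchyRequestError.
function appendChild(parent, node, check) {
  if (check(node, parent)) throw new Error('HierarchyRequestError');
  if (node.parentNode) node.parentNode.childNodes.splice(node.parentNode.childNodes.indexOf(node), 1);
  node.parentNode = parent;
  parent.childNodes.push(node);
  return node;
}

// Model of adoptNode: only the ownerDocument of the subtree changes.
function adoptNode(doc, node) {
  const walk = n => { n.ownerDocument = doc; n.childNodes.forEach(walk); };
  walk(node);
  return node;
}

// innerHTML-style walk; a template's content is serialized as part of the
// template. The depth bound stands in for the stack limit the fuzzer hit.
function serialize(node, maxDepth = 32, depth = 0) {
  if (depth > maxDepth) throw new RangeError('cycle: depth limit exceeded');
  let out = '';
  for (const c of node.childNodes) {
    out += '<' + c.name + '>';
    if (c instanceof TemplateElement) out += serialize(c.content, maxDepth, depth + 1);
    out += serialize(c, maxDepth, depth + 1) + '</' + c.name + '>';
  }
  return out;
}

// Replays comment 7 with the given check; `adopt` toggles the adoptNode step.
function reproduce(check, adopt = true) {
  const document = new Document('#document', false);
  const template = appendChild(document, new TemplateElement(document), check);
  const doc1 = new Document('#doc1', false);
  if (adopt) adoptNode(doc1, template.content);
  try {
    appendChild(template.content, template, check);    // (*1)
  } catch (e) {
    return 'thrown:' + e.message;
  }
  try {
    serialize(template.content);                       // (*2) innerHTML
    return 'serialized';
  } catch (e) {
    return 'cycle';
  }
}

console.log(reproduce(isHostIncludingInclusiveAncestorBuggy));   // cycle
console.log(reproduce(isHostIncludingInclusiveAncestorSpec));    // thrown:HierarchyRequestError
```

Without the adoptNode step the document-based check still refuses the insertion, which matches the M60 note in comment 4; with it, only the host-walking check does, which is the behaviour the commit restores.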

Comment 9 by kochi@chromium.org, Sep 29 2017

Status: Fixed (was: Started)
