
Issue 765940 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug




Null-dereference in blink::Element::SynchronizeAttribute

Reported by ClusterFuzz, Sep 16 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6253764247027712

Fuzzer: inferno_twister
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: Null-dereference
Crash Address: 0x0000002f
Crash State:
  blink::Element::SynchronizeAttribute
  blink::Element::setAttribute
  blink::Element::SetIntegralAttribute
  
Memory Tool: SYZYASAN

Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_chrome&range=434043:434111

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6253764247027712

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Labels: CF-NeedsTriage
Unable to provide a possible suspect using Predator, CL and Code Search.
Could someone please look into the issue?
Thank you.
Issue 765875 has been merged into this issue.
Labels: M-63
Labels: Test-Predator-Wrong

Comment 5 by ClusterFuzz, Sep 19 2017

Labels: OS-Linux
Components: Blink>DOM

Comment 7 by hayato@chromium.org, Sep 21 2017

Owner: kochi@chromium.org
kochi@, could you triage this?

Comment 8 by ClusterFuzz, Sep 21 2017

Labels: OS-Mac

Comment 9 by kochi@chromium.org, Sep 25 2017

Status: Started (was: Untriaged)
Reproducing for me.
Starting to look at it.

Comment 10 by kochi@chromium.org, Sep 27 2017

The crash is happening with a combination of DOM mutation events, which are called before the actual mutation is complete.
Let me work on the fix.

Comment 11 by ClusterFuzz, Oct 1 2017

Labels: Test-Predator-AutoComponents
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Labels: -Test-Predator-AutoComponents

Comment 13 by kochi@chromium.org, Oct 23 2017

Cc: kochi@chromium.org
Owner: rakina@chromium.org
Status: Assigned (was: Started)
Rakina, could you take a look?

Comment 14 by ClusterFuzz, Oct 26 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6175370893328384 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 15 by ClusterFuzz, Nov 3 2017

Labels: Needs-Feedback
ClusterFuzz testcase 6253764247027712 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.

Comment 16 by kochi@chromium.org, Dec 22 2017

Labels: -Pri-1 Pri-2
Note to myself: here's my manually minimized test case.
Run with content_shell -run-layout-test.

Attachment: cf.html (3.9 KB)
