New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 768152 link

Starred by 1 user
Status: Duplicate
Owner: ----
Closed: Sep 2017
Cc:
tkent@chromium.org
pnangunoori@chromium.org
qyears...@chromium.org
msrchandra@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug



Sign in to add a comment

Null-dereference in blink::TextControlElement::SetInnerEditorValue

Project Member Reported by ClusterFuzz, Sep 23 2017 
Detailed report: https://clusterfuzz.com/testcase?key=6531971659595776

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: Null-dereference
Crash Address: 0x00000027
Crash State:
  blink::TextControlElement::SetInnerEditorValue
  blink::HTMLInputElement::SetInnerEditorValue
  blink::TextFieldInputType::UpdateView
  
Memory Tool: SYZYASAN

Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=503785:503832

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6531971659595776

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by pnangunoori@chromium.org, Sep 26 2017

Cc: msrchandra@chromium.org pnangunoori@chromium.org
Labels: M-63 Test-Predator-Correct
Owner: qyears...@chromium.org
Status: Assigned (was: Untriaged)
Test Predator has given the following results:

Import wpt@6667388df688599fb4f66365f729603d96fbcb0b by blink-w3c-test-autoroller@chromium.org
Changed files submission-checks.window.js, activation-behavior.window-expected.txt, activation-behavior.window.js, with the same CrashedComponent(Blink>HTML) as htmlinputelement.cpp (in frame#1, frame#3), htmlelement.cpp (in frame#5), htmlformcontrolelement.cpp (in frame#6), textcontrolelement.cpp (in frame#0)

Assigning this to reviewer of the commit @qyearsley.

@qyearsley -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes.

Thanks!

Comment 2 by qyears...@chromium.org, Sep 26 2017

Cc: tkent@chromium.org qyears...@chromium.org
Owner: ----
Status: Untriaged (was: Assigned)
It's possible that imported test has uncovered a bug, but not possible that it introduced it.

tkent@, do you know something about blink::TextControlElement::SetInnerEditorValue (https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/html/TextControlElement.cpp?l=802) and where a null dereference might have occurred in there?

Comment 3 by tkent@chromium.org, Sep 26 2017

Mergedinto: 580734
Status: Duplicate (was: Untriaged)

Sign in to add a comment