Null-dereference READ in blink::Element::Shadow
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4556906655121408
Fuzzer: inferno_twister
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x00000008
Crash State:
  blink::Element::Shadow
  blink::ShadowWhereNodeCanBeDistributedForV0
  blink::Element::AttributeChanged
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=502136:502169
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4556906655121408
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 2 2017
Reproduces for me.
Oct 12 2017
With debug builds, before getting to Element::Shadow, the testcase hits a DCHECK in ContainerNode.cpp.

[1:1:1012/185438.329425:96700605070:FATAL:ContainerNode.cpp(314)] Check failed: !target_node->parentNode().
#0 0x7fd7659c4dbd base::debug::StackTrace::StackTrace()
#1 0x7fd7659c31ec base::debug::StackTrace::StackTrace()
#2 0x7fd765a49f7a logging::LogMessage::~LogMessage()
#3 0x7fd75daa2f36 blink::ContainerNode::InsertNodeVector<>()
#4 0x7fd75da9b437 blink::ContainerNode::AppendChild()
#5 0x7fd75dba41ea blink::Node::appendChild()
#6 0x7fd75ece77c6 blink::NodeV8Internal::appendChildMethodForMainWorld()
#7 0x7fd75ece7487 blink::V8Node::appendChildMethodCallbackForMainWorld()
#8 0x7fd75fade2f2 v8::internal::FunctionCallbackArguments::Call()
#9 0x7fd75fbd99b3 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#10 0x7fd75fbd7ba3 v8::internal::Builtin_Impl_HandleApiCall()
#11 0x7fd75fbd756d v8::internal::Builtin_HandleApiCall()
#12 0x29b70cc847e4 <unknown>
Oct 26 2017
As the testcase uses createShadowRoot() which is Shadow DOM V0 API, lowering the priority.
Oct 27 2017
ClusterFuzz has detected this issue as fixed in range 512010:512063.
Detailed report: https://clusterfuzz.com/testcase?key=4556906655121408
Fuzzer: inferno_twister
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x00000008
Crash State:
  blink::Element::Shadow
  blink::ShadowWhereNodeCanBeDistributedForV0
  blink::Element::AttributeChanged
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=502136:502169
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=512010:512063
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4556906655121408
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 27 2017
ClusterFuzz testcase 4556906655121408 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 7 2017
Comment 1 by kkaluri@chromium.org, Sep 26 2017
Labels: Test-Predator-Wrong CF-NeedsTriage M-63