Null-dereference READ in blink::Document::PropagateStyleToViewport
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6191814662160384

Fuzzer: inferno_twister
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000028
Crash State:
  blink::Document::PropagateStyleToViewport
  blink::Document::UpdateStyle
  blink::Document::UpdateStyleAndLayoutTree

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=493344:493354

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6191814662160384

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Oct 3 2017
Test Predator has given the following results:

Propagate style to viewport after style recalc. by rune@opera.com

Changelist touched lines near the crashed line in frame #0 blink::Document::PropagateStyleToViewport(enum blink::StyleRecalcChange) (distance = 0 lines away)

Top touched frame is #0 blink::Document::PropagateStyleToViewport (in Document.cpp)

Changed files Document.cpp, Document.h, Element.cpp, StyleEngine.cpp, StyleEngine.h, with the same CrashedDirectory (third_party/WebKit/Source/core/dom) as Document.cpp (in frame#0, frame#1, frame#2, frame#6)

Touched files in stacktrace - Document.cpp

Changed files Document.cpp, Document.h, Element.cpp, StyleEngine.cpp, StyleEngine.h, with the same CrashedComponent (Blink>DOM) as Document.cpp (in frame#0, frame#1, frame#2, frame#6)

@rune -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes. Thank You.

Oct 3 2017
This looks similar to issue 757585
Oct 3 2017
Oct 5 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/396316b0bd382ac8a6e373f2a2b249bde933ebeb

commit 396316b0bd382ac8a6e373f2a2b249bde933ebeb
Author: Rune Lillesveen <rune@opera.com>
Date: Thu Oct 05 21:05:01 2017

Don't update fragment anchor during DOM operations.

We tried to update the fragment anchor position immediately when all script blocking sheets are removed. As part of that update we do a style and layout update. The last script blocking sheet may be removed as part of removing a style element from the DOM. Updating style and layout in the middle of a DOM operation is not safe. Instead, update the fragment anchor position during the next safe lifecycle update.

The crash was caused by Document still pointing to a documentElement being removed while updating the style and layout tree, but its parent pointer had already been set to null.

Bug: 771088
Change-Id: Iaaaeece23d795c2e41d31b9fb97fc795eb2b8305
Reviewed-on: https://chromium-review.googlesource.com/698305
Commit-Queue: Rune Lillesveen <rune@opera.com>
Reviewed-by: Steve Kobes <skobes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#506854}

[add] https://crrev.com/396316b0bd382ac8a6e373f2a2b249bde933ebeb/third_party/WebKit/LayoutTests/fast/css/synchronous-hash-update-crash.html
[modify] https://crrev.com/396316b0bd382ac8a6e373f2a2b249bde933ebeb/third_party/WebKit/Source/core/dom/Document.cpp

Oct 5 2017
ClusterFuzz has detected this issue as fixed in range 506834:506865.

Detailed report: https://clusterfuzz.com/testcase?key=6191814662160384

Fuzzer: inferno_twister
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000028
Crash State:
  blink::Document::PropagateStyleToViewport
  blink::Document::UpdateStyle
  blink::Document::UpdateStyleAndLayoutTree

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=493344:493354
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=506834:506865

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6191814662160384

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Oct 7 2017
Oct 7 2017
ClusterFuzz testcase 6191814662160384 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 7 2017