Issue 775922

Starred by 4 users

Issue metadata

Status: Verified
Owner:
Not on Chrome anymore
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug




Null-dereference READ in blink::StyleRule::Properties

Project Member Reported by ClusterFuzz, Oct 18 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6262227094208512

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::StyleRule::Properties
  blink::CSSStyleRule::cssText
  blink::V8CSSRule::cssTextAttributeGetterCallback
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=509326:509389

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6262227094208512

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Oct 18 2017

Labels: OS-Windows OS-Linux
Project Member

Comment 2 by ClusterFuzz, Oct 18 2017

Components: Blink>CSS
Labels: Test-Predator-AutoComponents
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 3 by ClusterFuzz, Oct 18 2017

Labels: Test-Predator-AutoOwner
Owner: nainar@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/b30a67726d61312f337145310c81678c8e0ab20d (Only copy parsed properties over when mutating a rule.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Comment 4 by nainar@chromium.org, Oct 18 2017

Cc: kkaluri@chromium.org nainar@chromium.org
Issue 775799 has been merged into this issue.

Comment 5 by nainar@chromium.org, Oct 18 2017

Issue 775914 has been merged into this issue.

Comment 6 by nainar@chromium.org, Oct 18 2017

Reverting the CL in question immediately

Comment 7 by nainar@chromium.org, Oct 18 2017

Issue 775762 has been merged into this issue.
Project Member

Comment 8 by sheriffbot@chromium.org, Oct 18 2017

Labels: FoundIn-M-64 Fracas
Users experienced this crash on the following builds:

Mac Canary 64.0.3243.0 -  75.55 CPM, 54 reports, 41 clients (signature blink::StyleRule::ShouldConsiderForMatchingRules)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas
Project Member

Comment 9 by sheriffbot@chromium.org, Oct 18 2017

Labels: ReleaseBlock-Dev
This crash has high impact on Chrome's stability.
Signature: blink::StyleRule::ShouldConsiderForMatchingRules.
Channel: canary. Platform: mac.
Labeling issue 775922 with ReleaseBlock-Dev.


If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas
Labels: Update-Weekly
Project Member

Comment 11 by bugdroid1@chromium.org, Oct 19 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c6dfaf800108be95ccd9c5c8cb73bed66e80ba1f

commit c6dfaf800108be95ccd9c5c8cb73bed66e80ba1f
Author: nainar <nainar@chromium.org>
Date: Thu Oct 19 00:26:27 2017

Revert "Only copy parsed properties over when mutating a rule."

This reverts commit b30a67726d61312f337145310c81678c8e0ab20d.

Reason for revert: Not a stable enough change as it causes crbug.com/775922

Original change's description:
> Only copy parsed properties over when mutating a rule.
> 
> Currently when we copy over a StyleRule we parse all properties
> greedily. This should only be the already parsed properties. The greedy
> method may result in a dangerous state.
> 
> This is a speculative fix for the ClusterFuzz issue.
> 
> Bug: 774061
> Change-Id: I0b7f09018c7cf2d8ca75ea5d705016fbcce6f0ae
> Reviewed-on: https://chromium-review.googlesource.com/722579
> Reviewed-by: Darren Shen <shend@chromium.org>
> Commit-Queue: nainar <nainar@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#509352}

TBR=nainar@chromium.org,shend@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 774061, 775922
Change-Id: I49f536965359f14793eba4f952d216a04dd07df6
Reviewed-on: https://chromium-review.googlesource.com/726679
Reviewed-by: nainar <nainar@chromium.org>
Commit-Queue: nainar <nainar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509941}
[delete] https://crrev.com/9e77a8ed0f573731a9e4b8376d188541b989eb70/third_party/WebKit/LayoutTests/fast/css/lazy-parsing-delete-rule-crash.html
[delete] https://crrev.com/9e77a8ed0f573731a9e4b8376d188541b989eb70/third_party/WebKit/LayoutTests/fast/css/resources/lazy-pasing-delete-rule-crash.css
[modify] https://crrev.com/c6dfaf800108be95ccd9c5c8cb73bed66e80ba1f/third_party/WebKit/Source/core/css/StyleRule.cpp

Status: Fixed (was: Assigned)
Project Member

Comment 13 by ClusterFuzz, Oct 19 2017

ClusterFuzz has detected this issue as fixed in range 509932:509960.

Detailed report: https://clusterfuzz.com/testcase?key=6262227094208512

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::StyleRule::Properties
  blink::CSSStyleRule::cssText
  blink::V8CSSRule::cssTextAttributeGetterCallback
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=509326:509389
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=509932:509960

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6262227094208512

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 14 by ClusterFuzz, Oct 19 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5424998214008832 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components
Labels: -Test-Predator-AutoOwner Test-Predator-Auto-Owner
