Null-dereference READ in blink::StyleEngine::EnsureUAStyleForFullscreen
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4528568167301120

Fuzzer: inferno_twister
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000074
Crash State:
  blink::StyleEngine::EnsureUAStyleForFullscreen
  blink::Element::SetContainsFullScreenElement
  blink::Element::SetContainsFullScreenElementOnAncestorsCrossingFrameBoundaries

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=480859:480871

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4528568167301120

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Nov 4 2017

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/81e33d3b1082212c0cc3732719167004dcfb63fc (Reland "Sync requestFullscreen() and exitFullscreen() algorithms with the spec"). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Nov 7 2017
Nov 17 2017
Trying a fix in https://chromium-review.googlesource.com/c/chromium/src/+/776599
Nov 17 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e75d59b0893e6efcc9e362285fbddca9813c30e7

commit e75d59b0893e6efcc9e362285fbddca9813c30e7
Author: Philip Jägenstedt <foolip@chromium.org>
Date: Fri Nov 17 17:23:40 2017

Don't SetContainsFullScreenElement() when inserting elements

This isn't needed because:
* Fullscreen::FullscreenElementChanged sets the flag when an element becomes the fullscreen element.
* Moving a fullscreen element always means first removing it, and removing a fullscreen element should exit fullscreen.

The test would hit an assert without this change.

Bug: 781527
Change-Id: If57a93efefdd60073e949f823aa58d3f0e148deb
Reviewed-on: https://chromium-review.googlesource.com/776599
Reviewed-by: Rune Lillesveen <futhark@chromium.org>
Commit-Queue: Philip Jägenstedt <foolip@chromium.org>
Cr-Commit-Position: refs/heads/master@{#517449}

[add] https://crrev.com/e75d59b0893e6efcc9e362285fbddca9813c30e7/third_party/WebKit/LayoutTests/external/wpt/fullscreen/model/move-to-fullscreen-iframe-manual.html
[modify] https://crrev.com/e75d59b0893e6efcc9e362285fbddca9813c30e7/third_party/WebKit/Source/core/dom/Element.cpp
Nov 17 2017

Nov 18 2017

ClusterFuzz has detected this issue as fixed in range 514498:517698.

Detailed report: https://clusterfuzz.com/testcase?key=4528568167301120

Fuzzer: inferno_twister
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000074
Crash State:
  blink::StyleEngine::EnsureUAStyleForFullscreen
  blink::Element::SetContainsFullScreenElement
  blink::Element::SetContainsFullScreenElementOnAncestorsCrossingFrameBoundaries

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=480859:480871
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=514498:517698

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4528568167301120

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 18 2017

ClusterFuzz testcase 4528568167301120 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Nov 4 2017
Labels: Test-Predator-AutoComponents