Null-dereference WRITE in blink::ObjectPaintPropertyTreeBuilder::UpdateForSelf
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4738715716157440

Fuzzer: miaubiz_svg_fuzzer
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Null-dereference WRITE
Crash Address: 0x00000000000f
Crash State:
  blink::ObjectPaintPropertyTreeBuilder::UpdateForSelf
  blink::PrePaintTreeWalk::WalkInternal
  blink::PrePaintTreeWalk::Walk
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=522150:522195

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4738715716157440

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Comment 1 by ClusterFuzz, Dec 7 2017

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/46367c60003ed45d9fc3f2f448ca9482f8b89ffd ([PE] Update reference filters on box resize).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Comment, Dec 7 2017

Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment, Dec 8 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/bf8135d0bce64496b872062a07b427ddff825ec5

commit bf8135d0bce64496b872062a07b427ddff825ec5
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Fri Dec 08 01:05:27 2017

[PE] Avoid null pointer for objects with reflection but no effect

Reflection only has effect if we create a layer for the object. Some objects (e.g. SVG text) have reflection style but don't create layers. Should check for the condition.

Bug: 792727, 777259
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I09528df085002f8d30e1f20fd07a7e7b3f2d3cf1
Reviewed-on: https://chromium-review.googlesource.com/814894
Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#522661}

[modify] https://crrev.com/bf8135d0bce64496b872062a07b427ddff825ec5/third_party/WebKit/Source/core/layout/LayoutBox.cpp
[modify] https://crrev.com/bf8135d0bce64496b872062a07b427ddff825ec5/third_party/WebKit/Source/core/paint/PaintPropertyTreeBuilder.cpp
[modify] https://crrev.com/bf8135d0bce64496b872062a07b427ddff825ec5/third_party/WebKit/Source/core/paint/PaintPropertyTreeBuilderTest.cpp
Comment, Dec 8 2017

ClusterFuzz testcase 6173663685771264 is verified as fixed, so closing issue as verified.

If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
Comment, Dec 8 2017

ClusterFuzz has detected this issue as fixed in range 522600:522669.

Detailed report: https://clusterfuzz.com/testcase?key=4738715716157440

Fuzzer: miaubiz_svg_fuzzer
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Null-dereference WRITE
Crash Address: 0x00000000000f
Crash State:
  blink::ObjectPaintPropertyTreeBuilder::UpdateForSelf
  blink::PrePaintTreeWalk::WalkInternal
  blink::PrePaintTreeWalk::Walk
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=522150:522195
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=522600:522669

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4738715716157440

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.