Security DCHECK failure: !object || (object->IsTableCell()) in LayoutTableCell.h
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6526471744258048
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Security DCHECK failure
Crash Address:
Crash State:
  !object || (object->IsTableCell()) in LayoutTableCell.h
  blink::AXTableCell::ScanToDecideHeaderRole
  blink::AXARIAGridCell::ScanToDecideHeaderRole
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=500415:500471
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6526471744258048

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.

Jan 2 2018
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Jan 3 2018

Jan 3 2018

Jan 17 2018
aleventhal: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 25 2018

Jan 31 2018
aleventhal: Uh oh! This issue is still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 7 2018
Dominicc - aleventhal@ has failed to respond on this regression. As reviewer, can you please revert the CL?
Feb 7 2018
@inferno, perhaps I was under the mistaken impression that this was a different crbug. I'll take a look now.
Feb 7 2018

Feb 7 2018

Feb 7 2018
Looks like this is legit and broken on master. I thought it was another dupe of something we fixed.
Feb 7 2018

Feb 8 2018
A fix is under review here: https://chromium-review.googlesource.com/c/chromium/src/+/906953
Feb 8 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b0d1618cc5e95f77c152022232257b61b61a952e

commit b0d1618cc5e95f77c152022232257b61b61a952e
Author: Aaron Leventhal <aleventhal@chromium.org>
Date: Thu Feb 08 18:57:13 2018

Crash fix for th with role gridcell in a table with nontraditional css

Do not assume we can use ToLayoutCell() in an object that can be created for an ARIA cell and may not be associated with an actual table cell.

Bug: 798410
Change-Id: I3db7d09ca146469a4fb87ef04a03e9d4ba8525d3
Reviewed-on: https://chromium-review.googlesource.com/906953
Commit-Queue: Aaron Leventhal <aleventhal@chromium.org>
Reviewed-by: Nektarios Paisios <nektar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#535462}

[add] https://crrev.com/b0d1618cc5e95f77c152022232257b61b61a952e/third_party/WebKit/LayoutTests/accessibility/table-with-th-role-gridcell-crash.html
[modify] https://crrev.com/b0d1618cc5e95f77c152022232257b61b61a952e/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
Feb 8 2018

Feb 8 2018

Feb 9 2018
ClusterFuzz has detected this issue as fixed in range 535460:535466.

Detailed report: https://clusterfuzz.com/testcase?key=6526471744258048
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Security DCHECK failure
Crash Address:
Crash State:
  !object || (object->IsTableCell()) in LayoutTableCell.h
  blink::AXTableCell::ScanToDecideHeaderRole
  blink::AXARIAGridCell::ScanToDecideHeaderRole
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=500415:500471
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=535460:535466
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6526471744258048

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 9 2018
ClusterFuzz testcase 6526471744258048 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 11 2018

Feb 11 2018
This bug requires manual review: M65 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 11 2018
+awhalley@ (Security TPM) for M65 merge review. Please note that this regressed in M63.
Feb 12 2018
govind@ - good for 65 (Note that since it's a security bug, the fact we've shipped with it in the past isn't a good indicator we can continue to ship with it :-)
Feb 12 2018
Agree, approving merge to M65 branch 3325 based on comment #23. Please merge ASAP so we can pick it up for this week's Beta release. Thank you.
Feb 13 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8b82bd215942b4c2fdcaf8dac918ffc249e20c77

commit 8b82bd215942b4c2fdcaf8dac918ffc249e20c77
Author: Aaron Leventhal <aleventhal@chromium.org>
Date: Tue Feb 13 16:54:36 2018

Crash fix for th with role gridcell in a table with nontraditional css

Do not assume we can use ToLayoutCell() in an object that can be created for an ARIA cell and may not be associated with an actual table cell.

Bug: 798410
Change-Id: I3db7d09ca146469a4fb87ef04a03e9d4ba8525d3
Reviewed-on: https://chromium-review.googlesource.com/906953
Commit-Queue: Aaron Leventhal <aleventhal@chromium.org>
Reviewed-by: Nektarios Paisios <nektar@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#535462}
(cherry picked from commit b0d1618cc5e95f77c152022232257b61b61a952e)
Reviewed-on: https://chromium-review.googlesource.com/916527
Reviewed-by: Aaron Leventhal <aleventhal@chromium.org>
Cr-Commit-Position: refs/branch-heads/3325@{#447}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}

[add] https://crrev.com/8b82bd215942b4c2fdcaf8dac918ffc249e20c77/third_party/WebKit/LayoutTests/accessibility/table-with-th-role-gridcell-crash.html
[modify] https://crrev.com/8b82bd215942b4c2fdcaf8dac918ffc249e20c77/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp
Mar 6 2018

Mar 27 2018

May 18 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jan 2 2018
Owner: aleventhal@chromium.org
Status: Assigned (was: Untriaged)