New issue
Advanced search Search tips

Issue 798733 link

Starred by 1 user
Status: Verified
Owner:
schenney@chromium.org
Closed: Apr 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Null-dereference READ in blink::Node::InsertedInto

Project Member Reported by ClusterFuzz, Jan 3 2018 
Detailed report: https://clusterfuzz.com/testcase?key=4785358675116032

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::Node::InsertedInto
  blink::Element::InsertedInto
  blink::SVGElement::InsertedInto
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=508795:508862

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4785358675116032

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Jan 3 2018

Components: Blink>DOM Blink>SVG
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by schenney@chromium.org, Jan 3 2018

Owner: schenney@chromium.org
Status: Assigned (was: Untriaged)

Comment 3 by schenney@chromium.org, Jan 5 2018 

In Debug this hits an assert:
[1:1:0105/163841.858264:FATAL:ContainerNode.cpp(314)] Check failed: !target_node->parentNode(). 
#0 0x7fbd9d9b5aad base::debug::StackTrace::StackTrace()
#1 0x7fbd9d9b3eec base::debug::StackTrace::StackTrace()
#2 0x7fbd9da3b3ba logging::LogMessage::~LogMessage()
#3 0x7fbd8bc14112 blink::ContainerNode::InsertNodeVector<>()
#4 0x7fbd8bc0c86b blink::ContainerNode::AppendChild()
#5 0x7fbd8bcf986a blink::Node::appendChild()
#6 0x7fbd8ce53241 blink::NodeV8Internal::appendChildMethodForMainWorld()
#7 0x7fbd8ce52efa blink::V8Node::appendChildMethodCallbackForMainWorld()
#8 0x7fbd8dd991b2 v8::internal::FunctionCallbackArguments::Call()
#9 0x7fbd8de93855 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#10 0x7fbd8de91949 v8::internal::Builtin_Impl_HandleApiCall()
#11 0x7fbd8de9138d v8::internal::Builtin_HandleApiCall()
#12 0x2db0fc984584 <unknown>

Comment 4 by schenney@chromium.org, Jan 11 2018 

This is a very convoluted situation. It seems to require a JS stack size limit being reached inside an DOM mutation event handler. I'm working to reduce the test case down to something tractable.

Comment 5 by schenney@chromium.org, Jan 22 2018

Labels: -Pri-1 Pri-2
https://clusterfuzz.com/v2/testcase-detail/6489875233898496

Added another test case, more reduced.
Project Member

Comment 6 by ClusterFuzz, Apr 8 2018 

ClusterFuzz has detected this issue as fixed in range 549059:549062.

Detailed report: https://clusterfuzz.com/testcase?key=4785358675116032

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::Node::InsertedInto
  blink::Element::InsertedInto
  blink::SVGElement::InsertedInto
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=508795:508862
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=549059:549062

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4785358675116032

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Apr 8 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4785358675116032 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment