New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 799059 link

Starred by 1 user
Status: Fixed
Owner:
kochi@chromium.org
Last visit > 30 days ago
Closed: Jan 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security



Sign in to add a comment

Crash in blink::StyleEngine::NodeWillBeRemoved

Project Member Reported by ClusterFuzz, Jan 4 2018 
Detailed report: https://clusterfuzz.com/testcase?key=5636957576364032

Fuzzer: marty_html_twiddler
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000100000011
Crash State:
  blink::StyleEngine::NodeWillBeRemoved
  blink::ContainerNode::WillRemoveChild
  blink::ContainerNode::RemoveChild
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Low

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=526968:526970

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5636957576364032

Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by sheriffbot@chromium.org, Jan 5 2018

Labels: Pri-2

Comment 2 by dtapu...@chromium.org, Jan 5 2018

Components: Blink>DOM

Comment 3 by kochi@chromium.org, Jan 12 2018

Owner: kochi@chromium.org
owning temporarily for take a look at trace.

Comment 4 by kochi@chromium.org, Jan 12 2018

Status: Assigned (was: Untriaged)
Hmm, can't view the page yet. changing the status.

Comment 5 by kochi@chromium.org, Jan 12 2018

Labels: -Restrict-View-SecurityTeam
I don't think this is a security issue.

Comment 6 by kochi@chromium.org, Jan 12 2018

Labels: -Security_Severity-Low -Security_Impact-Head allpublic

Comment 7 by kochi@chromium.org, Jan 12 2018 

Looks like this fixed the crash already.

The original change (which was in 526968:526970 range, as reported) was reverted
at:
https://chromium.googlesource.com/chromium/src/+/ce67e40512a36401cb863ff78d59f7a28c127bf3

Comment 8 by kochi@chromium.org, Jan 12 2018

Status: Fixed (was: Assigned)

Comment 9 by kochi@chromium.org, Jan 12 2018 

As far as I searched,  bug 799197 ,  bug 799103 ,  bug 799069 ,  bug 799059  (this)
are pointing to the same issue.
Project Member

Comment 10 by ClusterFuzz, Jan 12 2018 

ClusterFuzz has detected this issue as fixed in range 527016:527020.

Detailed report: https://clusterfuzz.com/testcase?key=5636957576364032

Fuzzer: marty_html_twiddler
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000100000011
Crash State:
  blink::StyleEngine::NodeWillBeRemoved
  blink::ContainerNode::WillRemoveChild
  blink::ContainerNode::RemoveChild
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Low

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=526968:526970
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=527016:527020

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5636957576364032

Additional requirements: Requires Gestures

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment