Null-dereference READ in blink::LocalFrameView::UpdateGeometry
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4779360384188416

Fuzzer: inferno_twister_c
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::LocalFrameView::UpdateGeometry
  blink::RootScrollerController::UpdateIFrameGeometryAndLayoutSize
  blink::RootScrollerController::RecomputeEffectiveRootScroller

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=527280:527281

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4779360384188416

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Jan 5 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/635201011d3d7c4cccad0f31a571a153e3cf5694 (Add implicit rootScroller feature). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Jan 5 2018
FYI: The patch in question has been reverted for other reasons. I'll make sure to fix this before relanding though.
Jan 6 2018
ClusterFuzz has detected this issue as fixed in range 527329:527330.

Detailed report: https://clusterfuzz.com/testcase?key=4779360384188416

Fuzzer: inferno_twister_c
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::LocalFrameView::UpdateGeometry
  blink::RootScrollerController::UpdateIFrameGeometryAndLayoutSize
  blink::RootScrollerController::RecomputeEffectiveRootScroller

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=527280:527281
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=527329:527330

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4779360384188416

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 6 2018
ClusterFuzz testcase 4779360384188416 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 22 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/3f0b9946f52dc4e146e90e7377974e12a76404b5

commit 3f0b9946f52dc4e146e90e7377974e12a76404b5
Author: David Bokan <bokan@chromium.org>
Date: Mon Jan 22 15:29:23 2018

Fix rootScroller when iframe's view is swapped.

This CL fixes an issue when the rootScroller is set to an iframe. An iframe is a special case for rootScroller and requires some changes to be made on the FrameView. This happens in RootScrollerController::ApplyRootScrollerProperties. However, in some cases, when the iframe is navigated we can end up swapping the FrameView used by the Frame. Currently, we don't call ApplyRootScrollerProperties on it since the effective rootScroller in the parent document hasn't changed.

This CL adds a hook in HTMLFrameOwnerElement to let the RootScrollerController know that it needs to reapply any properties on the FrameView. I added a test set-rootscroller-before-load.html that exercises this case.

A related change also fixes issue 799577, which is caused by differences in (frame_owner->ContentFrame())->View() and frame_owner->OwnedEmbeddedContentView(). This CL changes ApplyRootScrollerProperties to use the latter.

I also made a small change to the older nested-rootscroller* tests to deflake them.
Bug: 798719, 799577
Change-Id: I1c1ba8ed3d2be80fbbfbb16e8c17e1734b066801
Reviewed-on: https://chromium-review.googlesource.com/867652
Commit-Queue: David Bokan <bokan@chromium.org>
Reviewed-by: Steve Kobes <skobes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#530868}

[add] https://crrev.com/3f0b9946f52dc4e146e90e7377974e12a76404b5/third_party/WebKit/LayoutTests/rootscroller/set-rootscroller-before-load-expected.html
[add] https://crrev.com/3f0b9946f52dc4e146e90e7377974e12a76404b5/third_party/WebKit/LayoutTests/rootscroller/set-rootscroller-before-load.html
[modify] https://crrev.com/3f0b9946f52dc4e146e90e7377974e12a76404b5/third_party/WebKit/LayoutTests/virtual/android/rootscroller/nested-rootscroller-browser-controls-bounds-hidden.html
[modify] https://crrev.com/3f0b9946f52dc4e146e90e7377974e12a76404b5/third_party/WebKit/LayoutTests/virtual/android/rootscroller/nested-rootscroller-browser-controls-bounds-shown.html
[modify] https://crrev.com/3f0b9946f52dc4e146e90e7377974e12a76404b5/third_party/WebKit/Source/core/html/HTMLFrameOwnerElement.cpp
[modify] https://crrev.com/3f0b9946f52dc4e146e90e7377974e12a76404b5/third_party/WebKit/Source/core/page/scrolling/RootScrollerController.cpp
[modify] https://crrev.com/3f0b9946f52dc4e146e90e7377974e12a76404b5/third_party/WebKit/Source/core/page/scrolling/RootScrollerController.h
[modify] https://crrev.com/3f0b9946f52dc4e146e90e7377974e12a76404b5/third_party/WebKit/Source/core/page/scrolling/TopDocumentRootScrollerController.cpp
[modify] https://crrev.com/3f0b9946f52dc4e146e90e7377974e12a76404b5/third_party/WebKit/Source/core/testing/Internals.cpp
[modify] https://crrev.com/3f0b9946f52dc4e146e90e7377974e12a76404b5/third_party/WebKit/Source/core/testing/Internals.h
[modify] https://crrev.com/3f0b9946f52dc4e146e90e7377974e12a76404b5/third_party/WebKit/Source/core/testing/Internals.idl
Comment 1 by ClusterFuzz, Jan 5 2018
Labels: Test-Predator-Auto-Components