New issue
Advanced search Search tips

Issue 801826 link

Starred by 1 user
Status: Verified
Owner:
japhet@chromium.org
Closed: Jan 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 3
Type: Bug



Sign in to add a comment

Null-dereference READ in blink::Frame::GetPage

Project Member Reported by ClusterFuzz, Jan 13 2018 
Detailed report: https://clusterfuzz.com/testcase?key=6651710843125760

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  blink::Frame::GetPage
  blink::Internals::textAffinity
  blink::V8Internals::textAffinityAttributeGetterCallback
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=502858:502881

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6651710843125760

Additional requirements: Requires HTTP

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Jan 13 2018

Components: Blink>Internals
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Jan 13 2018

Labels: Test-Predator-Auto-Owner
Owner: japhet@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/dc412c92d884336e3165bbb0058d1b791d17bcb5 (Install supplements in LocalDOMWindow::InstallNewDocument instead of in DocumentLoader).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Project Member

Comment 3 by ClusterFuzz, Jan 16 2018

Labels: OS-Linux

Comment 4 by japhet@chromium.org, Jan 19 2018

Labels: -Pri-1 Pri-3
This crash is in a test-only API.
Project Member

Comment 5 by bugdroid1@chromium.org, Jan 22 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/32b59d92033c560271c378cefe729e99c3abf4d3

commit 32b59d92033c560271c378cefe729e99c3abf4d3
Author: Nate Chapin <japhet@chromium.org>
Date: Mon Jan 22 21:17:02 2018

Fix null deref in Internals::textAffinity

Bug:  801826 
Change-Id: Ib8552a33c551d887a39d8eab9a3317311ac26385
Reviewed-on: https://chromium-review.googlesource.com/876927
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Nate Chapin <japhet@chromium.org>
Cr-Commit-Position: refs/heads/master@{#530994}
[modify] https://crrev.com/32b59d92033c560271c378cefe729e99c3abf4d3/third_party/WebKit/Source/core/testing/Internals.cpp
Project Member

Comment 6 by ClusterFuzz, Jan 23 2018 

ClusterFuzz has detected this issue as fixed in range 530957:531013.

Detailed report: https://clusterfuzz.com/testcase?key=6651710843125760

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  blink::Frame::GetPage
  blink::Internals::textAffinity
  blink::V8Internals::textAffinityAttributeGetterCallback
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=502858:502881
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=530957:531013

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6651710843125760

Additional requirements: Requires HTTP

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Jan 23 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6651710843125760 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment