New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 801931 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Null-dereference READ in blink::CSSToLengthConversionData::ZoomedComputedPixels

Project Member Reported by ClusterFuzz, Jan 15 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4890013774118912

Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  blink::CSSToLengthConversionData::ZoomedComputedPixels
  float blink::CSSPrimitiveValue::ComputeLength<float>
  blink::StyleBuilderConverter::ConvertShadow
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=518240:518474

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4890013774118912

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Jan 15 2018

Components: Blink>CSS
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by meade@chromium.org, Jan 16 2018

Cc: xidac...@chromium.org xlai@chromium.org
Owner: flackr@chromium.org
Status: Assigned (was: Untriaged)
I see a bunch of offscreen canvas stuff in the stack trace, e.g. blink::FilterOperationResolver::CreateOffscreenFilterOperations. Adding offscreen canvas folks to see if they have any insight.
Cc: junov@chromium.org

Comment 4 by xlai@chromium.org, Jan 16 2018

Cc: fs...@chromium.org
The running of this test case will access FontFallbackList::cached_primary_simple_font_data_ in worker thread. Maybe re-defining FontFallbackList using ThreadSpecific struct can help? 

+cc Fernando who's working on OffscreeCanvas fonts.

Comment 5 by e...@chromium.org, Jan 31 2018

Components: -Blink>CSS Blink>Canvas
Owner: ----
Status: Untriaged (was: Assigned)
Re-routing to canvas team as per comment 4.

Comment 6 by junov@chromium.org, Feb 19 2018

Labels: -Pri-1 Pri-2
Owner: xlai@chromium.org
Status: Assigned (was: Untriaged)
Lowering priority because this is related to an unshipped feature (OffscreenCanvas).

Comment 7 by xlai@chromium.org, Feb 21 2018

Owner: fs...@chromium.org
Fernando, could you please take a look as this is related to OffscreenCanvas fonts display?
Project Member

Comment 8 by ClusterFuzz, May 16 2018

ClusterFuzz has detected this issue as fixed in range 558997:559001.

Detailed report: https://clusterfuzz.com/testcase?key=4890013774118912

Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  blink::CSSToLengthConversionData::ZoomedComputedPixels
  float blink::CSSPrimitiveValue::ComputeLength<float>
  blink::StyleBuilderConverter::ConvertShadow
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=518240:518474
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=558997:559001

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4890013774118912

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, May 16 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4890013774118912 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Status: Assigned (was: Verified)
Bulk edit: reopening CF issues likely closed incorrectly due to https://chromium.googlesource.com/chromium/src/+/cd3ebc4c69d7c01770f37f34aad623aa4ab2b128
Project Member

Comment 11 by ClusterFuzz, May 17 2018

Labels: -Reproducible Unreproducible
ClusterFuzz testcase 4890013774118912 appears to be flaky, updating reproducibility label.
Project Member

Comment 12 by bugdroid1@chromium.org, May 30 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/208cb499ad8612200c5273e22296ab8732725a0d

commit 208cb499ad8612200c5273e22296ab8732725a0d
Author: Fernando Serboncini <fserb@chromium.org>
Date: Wed May 30 15:53:24 2018

Prevent FontSizes::Ex conversion when we have no font

Bug:  801931 
Change-Id: Ie76b4a5525537c1888be82b56a82dd4accf27eeb
Reviewed-on: https://chromium-review.googlesource.com/1072268
Commit-Queue: Fernando Serboncini <fserb@chromium.org>
Reviewed-by: Alan Cutter <alancutter@chromium.org>
Cr-Commit-Position: refs/heads/master@{#562851}
[modify] https://crrev.com/208cb499ad8612200c5273e22296ab8732725a0d/third_party/WebKit/LayoutTests/fast/canvas/OffscreenCanvas-text-rendering-in-worker-expected.html
[modify] https://crrev.com/208cb499ad8612200c5273e22296ab8732725a0d/third_party/WebKit/LayoutTests/fast/canvas/OffscreenCanvas-text-rendering-in-worker.html
[modify] https://crrev.com/208cb499ad8612200c5273e22296ab8732725a0d/third_party/blink/renderer/core/css/resolver/filter_operation_resolver.cc
[modify] https://crrev.com/208cb499ad8612200c5273e22296ab8732725a0d/third_party/blink/renderer/core/css/resolver/filter_operation_resolver.h
[modify] https://crrev.com/208cb499ad8612200c5273e22296ab8732725a0d/third_party/blink/renderer/core/css/resolver/style_builder_converter.cc
[modify] https://crrev.com/208cb499ad8612200c5273e22296ab8732725a0d/third_party/blink/renderer/core/css/resolver/style_builder_converter.h
[modify] https://crrev.com/208cb499ad8612200c5273e22296ab8732725a0d/third_party/blink/renderer/core/css/threaded/filter_operation_resolver_threaded_test.cc
[modify] https://crrev.com/208cb499ad8612200c5273e22296ab8732725a0d/third_party/blink/renderer/modules/canvas/canvas2d/canvas_rendering_context_2d_state.cc
[modify] https://crrev.com/208cb499ad8612200c5273e22296ab8732725a0d/third_party/blink/renderer/modules/canvas/offscreencanvas2d/offscreen_canvas_rendering_context_2d.cc
[modify] https://crrev.com/208cb499ad8612200c5273e22296ab8732725a0d/third_party/blink/renderer/modules/canvas/offscreencanvas2d/offscreen_canvas_rendering_context_2d.h

Comment 13 by fs...@chromium.org, May 30 2018

Status: Fixed (was: Assigned)
Project Member

Comment 14 by ClusterFuzz, Dec 1

ClusterFuzz has detected this issue as fixed in range 558997:559001.

Detailed report: https://clusterfuzz.com/testcase?key=4890013774118912

Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  blink::CSSToLengthConversionData::ZoomedComputedPixels
  float blink::CSSPrimitiveValue::ComputeLength<float>
  blink::StyleBuilderConverter::ConvertShadow
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=518240:518474
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=558997:559001

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4890013774118912

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment