Null-dereference READ in chrome |
||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6540822404399104 Fuzzer: mbarbella_js_mutation_layout Job Type: linux_cfi_chrome Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x00000000000c Crash State: chrome v8::Local<v8::Value> blink::ToV8SequenceInternal<blink::HeapVector<blink::Member blink::CSSPaintDefinition::Paint Sanitizer: cfi (CFI) Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=529558:529594 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6540822404399104 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Jan 17 2018
Automatically adding ccs based on suspected regression changelists: Fix ::first-letter selection with grapheme pairs by hichris123@gmail.com - https://chromium.googlesource.com/chromium/src/+/d3d57746f0d78270efb24194f5ec930adc3b5e72 If this is incorrect, please apply the Test-Predator-Wrong-CLs label.
,
Jan 17 2018
I don't have access to the testcase, but it's more likely that it's related to https://chromium.googlesource.com/chromium/src/+/9df518ea41271fef3a3b4b9b85164b632092c5db ("Ship CSS Paint API"), so CC'ing a few Source/modules/csspaint OWNERS.
,
Jan 17 2018
"Ship CSS Paint API" isn't responsible for this. I will investigate right away.
,
Jan 17 2018
Issue 803129 has been merged into this issue.
,
Jan 17 2018
,
Jan 18 2018
,
Jan 22 2018
Issue 804271 has been merged into this issue.
,
Jan 22 2018
Users experienced this crash on the following builds: Win Canary 66.0.3327.0 - 0.50 CPM, 7 reports, 7 clients (signature blink::ToV8SequenceInternal<blink::HeapVector<blink::Member<blink::CSSStyleValue>,0> >) If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
,
Jan 23 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/206454eb0bc1e2e2886293abf2b205a32099ba50 commit 206454eb0bc1e2e2886293abf2b205a32099ba50 Author: Xida Chen <xidachen@chromium.org> Date: Tue Jan 23 17:02:44 2018 [PaintWorklet] Do null check for paint_arguments in CSSPaintDefinition::Paint Currently we have shipped the CSSPaintAPI, but not CSSPaintAPIArguments. As a result, we could skip parsing the arguments if we run chromium without --enable-experimental-web-platform-features, then the |paint_arguments| in the CSSPaintDefinition::Paint function becomes nullptr, and we will hit a DCHECK. To fix it, we always check whether it is nullptr or not in that function. We added a unit test to ensure that it will never crash. Bug: 803026 , 804206 Change-Id: I7f4b46eea423768974c7ffb3cd691484b1ad683d Reviewed-on: https://chromium-review.googlesource.com/879110 Reviewed-by: Stephen McGruer <smcgruer@chromium.org> Commit-Queue: Xida Chen <xidachen@chromium.org> Cr-Commit-Position: refs/heads/master@{#531262} [modify] https://crrev.com/206454eb0bc1e2e2886293abf2b205a32099ba50/third_party/WebKit/Source/modules/csspaint/CSSPaintDefinition.cpp [modify] https://crrev.com/206454eb0bc1e2e2886293abf2b205a32099ba50/third_party/WebKit/Source/modules/csspaint/CSSPaintDefinition.h [modify] https://crrev.com/206454eb0bc1e2e2886293abf2b205a32099ba50/third_party/WebKit/Source/modules/csspaint/PaintWorkletTest.cpp
,
Jan 23 2018
,
Jan 24 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/329d49213d27cd7eaf30f52a7fbab6118a7c5c37 commit 329d49213d27cd7eaf30f52a7fbab6118a7c5c37 Author: Xida Chen <xidachen@chromium.org> Date: Wed Jan 24 01:03:49 2018 [PaintWorklet] Build right paint callback according to paint_arguments In my previous CL: https://chromium-review.googlesource.com/c/chromium/src/+/879110 I simply did null check for the |paint_arguments|, and return a nullptr when it is null. There is a better way to handle it, which is to build the paint callback function without the |paint_arguments| if it is null. This CL should not change any behavior. We can use the existing tests to verify this. We already have a PaintWorkletTest for that and a bunch of layout tests to ensure the correct behavior. Bug: 803026 , 804206 Change-Id: I07b2f58dfe88ccbb5ac27d7268eb228ea101f5fc Reviewed-on: https://chromium-review.googlesource.com/880886 Reviewed-by: Robert Flack <flackr@chromium.org> Reviewed-by: Ian Kilpatrick <ikilpatrick@chromium.org> Commit-Queue: Xida Chen <xidachen@chromium.org> Cr-Commit-Position: refs/heads/master@{#531396} [modify] https://crrev.com/329d49213d27cd7eaf30f52a7fbab6118a7c5c37/third_party/WebKit/Source/modules/csspaint/CSSPaintDefinition.cpp [modify] https://crrev.com/329d49213d27cd7eaf30f52a7fbab6118a7c5c37/third_party/WebKit/Source/modules/csspaint/PaintWorkletTest.cpp
,
Jan 24 2018
ClusterFuzz has detected this issue as fixed in range 531250:531265. Detailed report: https://clusterfuzz.com/testcase?key=6540822404399104 Fuzzer: mbarbella_js_mutation_layout Job Type: linux_cfi_chrome Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x00000000000c Crash State: chrome v8::Local<v8::Value> blink::ToV8SequenceInternal<blink::HeapVector<blink::Member blink::CSSPaintDefinition::Paint Sanitizer: cfi (CFI) Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=529558:529594 Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=531250:531265 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6540822404399104 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 24 2018
ClusterFuzz testcase 6540822404399104 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jan 24 2018
govind@: cluster fuzz detects that there is no crash anymore. I have tried on today's canary and there is no crash on a few demos that used to crash. Could you review the merge request to M65? Thank you.
,
Jan 25 2018
Your change meets the bar and is auto-approved for M65. Please go ahead and merge the CL to branch 3325 manually. Please contact milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 25 2018
Pls merge your change to M65 branch 3325 ASAP so we can pick it up for next M65 dev release. Thank you.
,
Jan 25 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b88ee05cf6f15afaa0d31ae99974226cfc89295c commit b88ee05cf6f15afaa0d31ae99974226cfc89295c Author: Xida Chen <xidachen@chromium.org> Date: Thu Jan 25 01:26:34 2018 [PaintWorklet] Do null check for paint_arguments in CSSPaintDefinition::Paint Currently we have shipped the CSSPaintAPI, but not CSSPaintAPIArguments. As a result, we could skip parsing the arguments if we run chromium without --enable-experimental-web-platform-features, then the |paint_arguments| in the CSSPaintDefinition::Paint function becomes nullptr, and we will hit a DCHECK. To fix it, we always check whether it is nullptr or not in that function. We added a unit test to ensure that it will never crash. Bug: 803026 , 804206 Change-Id: I7f4b46eea423768974c7ffb3cd691484b1ad683d Reviewed-on: https://chromium-review.googlesource.com/879110 Reviewed-by: Stephen McGruer <smcgruer@chromium.org> Commit-Queue: Xida Chen <xidachen@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#531262}(cherry picked from commit 206454eb0bc1e2e2886293abf2b205a32099ba50) Reviewed-on: https://chromium-review.googlesource.com/884553 Reviewed-by: Xida Chen <xidachen@chromium.org> Cr-Commit-Position: refs/branch-heads/3325@{#82} Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} [modify] https://crrev.com/b88ee05cf6f15afaa0d31ae99974226cfc89295c/third_party/WebKit/Source/modules/csspaint/CSSPaintDefinition.cpp [modify] https://crrev.com/b88ee05cf6f15afaa0d31ae99974226cfc89295c/third_party/WebKit/Source/modules/csspaint/CSSPaintDefinition.h [modify] https://crrev.com/b88ee05cf6f15afaa0d31ae99974226cfc89295c/third_party/WebKit/Source/modules/csspaint/PaintWorkletTest.cpp
,
Jan 25 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b701c2a442d7d136287f6bb675b315a1f0ae7f12 commit b701c2a442d7d136287f6bb675b315a1f0ae7f12 Author: Xida Chen <xidachen@chromium.org> Date: Thu Jan 25 01:28:10 2018 [PaintWorklet] Build right paint callback according to paint_arguments In my previous CL: https://chromium-review.googlesource.com/c/chromium/src/+/879110 I simply did null check for the |paint_arguments|, and return a nullptr when it is null. There is a better way to handle it, which is to build the paint callback function without the |paint_arguments| if it is null. This CL should not change any behavior. We can use the existing tests to verify this. We already have a PaintWorkletTest for that and a bunch of layout tests to ensure the correct behavior. Bug: 803026 , 804206 Change-Id: I07b2f58dfe88ccbb5ac27d7268eb228ea101f5fc Reviewed-on: https://chromium-review.googlesource.com/880886 Reviewed-by: Robert Flack <flackr@chromium.org> Reviewed-by: Ian Kilpatrick <ikilpatrick@chromium.org> Commit-Queue: Xida Chen <xidachen@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#531396}(cherry picked from commit 329d49213d27cd7eaf30f52a7fbab6118a7c5c37) Reviewed-on: https://chromium-review.googlesource.com/884554 Reviewed-by: Xida Chen <xidachen@chromium.org> Cr-Commit-Position: refs/branch-heads/3325@{#83} Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} [modify] https://crrev.com/b701c2a442d7d136287f6bb675b315a1f0ae7f12/third_party/WebKit/Source/modules/csspaint/CSSPaintDefinition.cpp [modify] https://crrev.com/b701c2a442d7d136287f6bb675b315a1f0ae7f12/third_party/WebKit/Source/modules/csspaint/PaintWorkletTest.cpp |
||||||||||||
►
Sign in to add a comment |
||||||||||||
Comment 1 by ClusterFuzz
, Jan 17 2018Labels: Test-Predator-Auto-Components