New issue
Advanced search Search tips

Issue 805420 link

Starred by 1 user
Status: WontFix
Owner:
bokan@chromium.org
Closed: Feb 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Null-dereference READ in blink::LocalFrameView::UpdateGeometry

Project Member Reported by ClusterFuzz, Jan 24 2018 
Detailed report: https://clusterfuzz.com/testcase?key=4854907818737664

Fuzzer: inferno_twister_c
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000098
Crash State:
  blink::LocalFrameView::UpdateGeometry
  blink::RootScrollerController::UpdateIFrameGeometryAndLayoutSize
  blink::RootScrollerController::DidResizeFrameView
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=530923:530929

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4854907818737664

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Jan 24 2018

Labels: Test-Predator-Auto-Owner
Owner: bokan@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/e9aa1ff150cc50a295227f280d50a7b023938cbd ([Reland] Add implicit rootScroller feature).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Project Member

Comment 2 by ClusterFuzz, Jan 24 2018

Components: Blink>Internals
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 3 by bokan@chromium.org, Jan 26 2018

Status: Started (was: Assigned)
Project Member

Comment 4 by bugdroid1@chromium.org, Jan 29 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1277149bdcf1ee445039a6f148e71fae487005fa

commit 1277149bdcf1ee445039a6f148e71fae487005fa
Author: David Bokan <bokan@chromium.org>
Date: Mon Jan 29 13:51:57 2018

Fix nullptr crash in RootScrollerController

The stacktrace in the bug revealed a path where we don't check that the
LocalFrameView isn't null.

No test since I couldn't reproduce the crash.

Bug:  805420 
Change-Id: Ief57e784e765efadb18b5c9c040e7b5a40ee904c
Reviewed-on: https://chromium-review.googlesource.com/887826
Reviewed-by: Dave Tapuska <dtapuska@chromium.org>
Commit-Queue: David Bokan <bokan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#532412}
[modify] https://crrev.com/1277149bdcf1ee445039a6f148e71fae487005fa/third_party/WebKit/Source/core/page/scrolling/RootScrollerController.cpp
Project Member

Comment 5 by ClusterFuzz, Feb 12 2018

Status: WontFix (was: Started)
ClusterFuzz testcase 4854907818737664 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment