Null-dereference READ in blink::Node::GetLayoutBox |
|||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5072208434298880 Fuzzer: ochang_domfuzzer Job Type: linux_msan_content_shell_drt Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000010 Crash State: blink::Node::GetLayoutBox blink::LayoutSlider::UpdateLayout blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded Sanitizer: memory (MSAN) Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=518240:518474 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5072208434298880 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Jan 30 2018
Automatically adding ccs based on suspected regression changelists: No EventDispatchMediator is the best EventDispatchMediator! by mustaq@google.com - https://chromium.googlesource.com/chromium/src/+/dd36316add75b494525eab19b86e4fa165f85fca If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
,
Jan 31 2018
,
Feb 1 2018
The CL mentioned above is unrelated: the CL only affects DOM event dispatching, and the stack-trace shows of the crash has not event-related function calls. Instead, the stack-trace seems to suggest a problem with layout (specifically in layout/Layout*).
,
Feb 5 2018
cc-ing authors of layout-related changes in the range: https://chromium.googlesource.com/chromium/src/+log/9d2bc3eaf729a97bab085062151676e5e8a374a3..d2d6ee9c44327d3f4518dbc904f8c7d4aa4128af?pretty=fuller&n=10000
,
Feb 5 2018
The test modifies inside of UA shadow using internals.ShadowRoot(). I don't think this is possible for regular Chromium to run, closing as WontFix. /cc tkent@, forms owner in case he has different opinion.
,
Feb 6 2018
,
Feb 7 2018
Issue 810044 has been merged into this issue. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by ClusterFuzz
, Jan 30 2018Labels: Test-Predator-Auto-Components