Null-dereference READ in CachedMatchedProperties
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6579234412429312
Fuzzer: attekett_dom_fuzzer
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  chrome
  blink::CachedMatchedProperties::Clear
  blink::MatchedPropertiesCache::Clear
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=428749:428854
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6579234412429312

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Feb 9 2018

Restarted the task to redo regression and find minimum test case. The duplicate issue does have one though.
Feb 9 2018
Can reproduce in Release with https://clusterfuzz.com/download?testcase_id=6579234412429312

https://chromium-review.googlesource.com/c/chromium/src/+/911031
Feb 10 2018
ClusterFuzz has detected this issue as fixed in range 535905:535934.

Detailed report: https://clusterfuzz.com/testcase?key=6579234412429312
Fuzzer: attekett_dom_fuzzer
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  chrome
  blink::CachedMatchedProperties::Clear
  blink::MatchedPropertiesCache::Clear
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=535294:535307
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=535905:535934
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6579234412429312

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 10 2018
ClusterFuzz testcase 6579234412429312 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 12 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3bb914721da18dc40bf44a39dcec5b30ef486b4b

commit 3bb914721da18dc40bf44a39dcec5b30ef486b4b
Author: Rune Lillesveen <futhark@chromium.org>
Date: Mon Feb 12 21:31:24 2018

MatchedPropertiesCache items are weak and may be reset.

Add null checks to avoid crashing when the weak reference has been set to nullptr.

Bug: 810561
Change-Id: I26fd2274a504e954ee4013e631ec4d5f2b7479d0
Reviewed-on: https://chromium-review.googlesource.com/911031
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#536197}

[modify] https://crrev.com/3bb914721da18dc40bf44a39dcec5b30ef486b4b/third_party/WebKit/Source/core/css/resolver/MatchedPropertiesCache.cpp
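As an added illustration of the fix the commit describes (example code, not Blink's): a cache whose entries hold weak references, modelled with std::weak_ptr in place of Blink's GC-managed weak members. The type and function names are placeholders that mirror the crash state; Clear() skips entries whose referent is already gone instead of dereferencing them, and ClearUnchecked() shows the unchecked shape for comparison.

```cpp
#include <memory>
#include <unordered_map>
#include <utility>

// Hypothetical stand-in for the cached style data; not Blink's type.
struct MatchedProperties { bool cleared = false; };

// Cache entry with a weak reference; std::weak_ptr stands in for Blink's
// GC-managed weak member, which is reset to nullptr once the referent is
// collected while the cache entry itself survives.
struct CachedMatchedProperties { std::weak_ptr<MatchedProperties> data; };
class MatchedPropertiesCache {
 public:
  void Add(unsigned hash, const std::shared_ptr<MatchedProperties>& d) {
    cache_[hash] = CachedMatchedProperties{d};
  }
  // Crash shape from the report: a collected referent yields nullptr and the
  // unconditional dereference faults at a small offset. For comparison only.
  void ClearUnchecked() {
    for (auto& kv : cache_) kv.second.data.lock()->cleared = true;  // UB if expired
    cache_.clear();
  }
  // Fixed: null-check each weak reference before touching it.
  // Returns {entries cleared, stale entries skipped}.
  std::pair<int, int> Clear() {
    int cleared = 0, stale = 0;
    for (auto& kv : cache_) {
      if (auto live = kv.second.data.lock()) {
        live->cleared = true;
        ++cleared;
      } else {
        ++stale;  // weak reference already reset; nothing to clear
      }
    }
    cache_.clear();
    return {cleared, stale};
  }
 private:
  std::unordered_map<unsigned, CachedMatchedProperties> cache_;
};
// One referent survives, one is released before Clear() runs.
std::pair<int, int> RunScenario() {
  MatchedPropertiesCache cache;
  auto kept = std::make_shared<MatchedProperties>();
  auto dropped = std::make_shared<MatchedProperties>();
  cache.Add(1, kept);
  cache.Add(2, dropped);
  dropped.reset();       // entry 2 now holds an expired (null) weak reference
  return cache.Clear();  // {1, 1}
}
```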
Comment 1 by ClusterFuzz, Feb 8 2018

Labels: Test-Predator-Auto-Components