
Issue 812023

Starred by 3 users

Issue metadata

Status: Verified
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows , Mac
Pri: 1
Type: Bug




Null-dereference READ in blink::ScrollAnchor::Clear

Reported by ClusterFuzz (Project Member), Feb 13 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5952542379606016

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::ScrollAnchor::Clear
  blink::LocalFrameView::UpdateScrollOffset
  blink::ScrollableArea::ScrollOffsetChanged
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=536325:536340

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5952542379606016

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Comment 1 by ClusterFuzz (Project Member), Feb 13 2018

Labels: OS-Mac
Comment 2 by ClusterFuzz (Project Member), Feb 13 2018

Components: Blink>Internals Blink>Layout
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 3 by ClusterFuzz (Project Member), Feb 13 2018

Labels: Test-Predator-Auto-Owner
Owner: szager@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/dae6f0ca22561ab9cef4a0e46d37faf67333a460 ([RootLayerScrolls] Speculative fix for crasher).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 4 by szager@chromium.org, Feb 14 2018

Issue 812216 has been merged into this issue.
Comment 5 by bugdroid1@chromium.org (Project Member), Feb 14 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cd01cb4c6de95538b0e47fd304b81a2e9d7c3d2e

commit cd01cb4c6de95538b0e47fd304b81a2e9d7c3d2e
Author: Stefan Zager <szager@chromium.org>
Date: Wed Feb 14 18:31:51 2018

Speculative fix for crash in ScrollAnchor::Clear()

The line removed in this CL was added in:

https://chromium-review.googlesource.com/c/chromium/src/+/914864

That CL was to fix a crash, but the crash only occurs when
root layer scrolling is enabled.  The call to ScrollAnchor::Dispose
from LocalFrameView::Dispose was added just for completeness, but
does not affect the original crash.

This new crash suggests that LocalFrameView may still process scroll
events after Dispose() has been called.  Which is strange and
horrible, but probably not worth fully investigating at this point.
Instead, just remove the call to scroll_anchor_.Dispose() and wait
for root layer scrolling to make the surrounding code obsolete.

BUG= 812023 
R=skobes@chromium.org,bokan@chromium.org

Change-Id: I0715ab5a76e2fee6b4f378fc470d816b851bfa44
Reviewed-on: https://chromium-review.googlesource.com/919396
Reviewed-by: Steve Kobes <skobes@chromium.org>
Commit-Queue: Stefan Zager <szager@chromium.org>
Cr-Commit-Position: refs/heads/master@{#536759}
[modify] https://crrev.com/cd01cb4c6de95538b0e47fd304b81a2e9d7c3d2e/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
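The commit message above describes a lifecycle hazard rather than a bug in ScrollAnchor::Clear itself: LocalFrameView can still receive scroll-offset callbacks after Dispose() has run, so disposing the anchor inside Dispose() left a later Clear() reading through a pointer that no longer points anywhere. The C++ below is an added toy model of that sequence, not Blink code; every class, enum and function in it (ScrollerModel, ScrollAnchorModel, FrameViewModel, DisposePolicy, LateScrollAfterDisposeIsSafe) is hypothetical, and it assumes that disposing the anchor nulls a pointer Clear() reads. It contrasts the regressed behaviour, the landed fix (no longer disposing the anchor from the view's Dispose()) and a third option the commit did not take, an explicit disposed-state guard that drops late callbacks.

```cpp
// Added illustration only: a toy model of the dispose-then-callback hazard.
// None of these classes are Blink's; all names are hypothetical.
#include <cassert>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical stand-in for the object the anchor reads through.
struct ScrollerModel {
  std::vector<std::string> events;
};

// Hypothetical stand-in for blink::ScrollAnchor.
class ScrollAnchorModel {
 public:
  explicit ScrollAnchorModel(ScrollerModel* scroller) : scroller_(scroller) {}
  void Dispose() { scroller_ = nullptr; }

  // Real code would read through scroller_ unconditionally; after Dispose()
  // that is the null-dereference READ ASan reported. The model returns false
  // on that path instead of crashing so the hazard can be observed in a test.
  bool Clear() {
    if (scroller_ == nullptr) return false;  // the would-crash path
    scroller_->events.push_back("anchor cleared");
    return true;
  }

 private:
  ScrollerModel* scroller_;
};

enum class DisposePolicy {
  kDisposeAnchor,   // regressed behaviour: view Dispose() also disposes the anchor
  kLeaveAnchor,     // the landed fix: the anchor Dispose() call is removed
  kGuardCallbacks,  // alternative: drop scroll callbacks once the view is disposed
};

// Hypothetical stand-in for blink::LocalFrameView.
class FrameViewModel {
 public:
  explicit FrameViewModel(DisposePolicy policy)
      : policy_(policy), anchor_(&scroller_) {}

  void Dispose() {
    disposed_ = true;
    if (policy_ == DisposePolicy::kDisposeAnchor) anchor_.Dispose();
  }

  // Scroll-offset callback. Per the commit message the view may still receive
  // this after Dispose(). Returns true if it was handled without touching a
  // null pointer.
  bool UpdateScrollOffset() {
    if (policy_ == DisposePolicy::kGuardCallbacks && disposed_) return true;
    return anchor_.Clear();
  }

 private:
  DisposePolicy policy_;
  ScrollerModel scroller_;   // declared before anchor_ so it is built first
  ScrollAnchorModel anchor_;
  bool disposed_ = false;
};

// Drives the sequence the fuzzer hit: dispose the view, then deliver one late
// scroll callback. Returns true when the late callback is survivable.
bool LateScrollAfterDisposeIsSafe(DisposePolicy policy) {
  FrameViewModel view(policy);
  assert(view.UpdateScrollOffset());  // before Dispose() every policy is fine
  view.Dispose();
  return view.UpdateScrollOffset();
}

int main() {
  const char* verdict[] = {"null read", "safe"};
  std::printf("dispose anchor in Dispose(): %s\n",
              verdict[LateScrollAfterDisposeIsSafe(DisposePolicy::kDisposeAnchor)]);
  std::printf("leave anchor (landed fix):   %s\n",
              verdict[LateScrollAfterDisposeIsSafe(DisposePolicy::kLeaveAnchor)]);
  std::printf("guard late callbacks:        %s\n",
              verdict[LateScrollAfterDisposeIsSafe(DisposePolicy::kGuardCallbacks)]);
  return 0;
}
```

Run stand-alone, main() prints one verdict per policy; only the first policy reports the would-crash path. The guard variant is the more general defence, since it makes the object's disposed state explicit instead of relying on every member staying dereferenceable after the owner has been torn down, which is the assumption the speculative fix keeps.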

Cc: pbomm...@chromium.org abdulsyed@chromium.org
Labels: ReleaseBlock-Dev Target-66 M-66 FoundIn-66 RegressedIn-66
This is currently Top#1 renderer crash on latest Chrome Canary i.e., 66.0.2247.0 on Windows and Mac.


Comment 7 by sheriffbot@chromium.org (Project Member), Feb 14 2018

Labels: FoundIn-M-66 Fracas
Users experienced this crash on the following builds:

Mac Canary 66.0.3347.0 - 17.10 CPM, 16 reports, 13 clients (signature blink::ScrollAnchor::Clear)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas
Comment 8 by ClusterFuzz (Project Member), Feb 15 2018

ClusterFuzz has detected this issue as fixed in range 536747:536764.

Detailed report: https://clusterfuzz.com/testcase?key=5952542379606016

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::ScrollAnchor::Clear
  blink::LocalFrameView::UpdateScrollOffset
  blink::ScrollableArea::ScrollOffsetChanged
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=536325:536340
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=536747:536764

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5952542379606016

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 9 by ClusterFuzz (Project Member), Feb 15 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5952542379606016 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
