Null-dereference READ in blink::CSSValue::CssText
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6273565817831424
Fuzzer: inferno_layout_test_fuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::CSSValue::CssText
  blink::CSSStyleValue::toString
  blink::V8CSSStyleValue::toStringMethodCallback
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=533529:533534
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6273565817831424

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Feb 15 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/3ce9c7d39f0e493c5c1a0b334c701bed665dd8b2 ([css-typed-om] Implement CSSMathValue serialization.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Feb 19 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b70861941ae730a1769f1793627b1bda94cf3210

commit b70861941ae730a1769f1793627b1bda94cf3210
Author: Darren Shen <shend@chromium.org>
Date: Mon Feb 19 23:21:09 2018

[css-typed-om] Fix crash involving negative length perspectives.

We were crashing because converting CSSPerspective(-1px) to a CSSValue returns nullptr. The correct behaviour should be to convert it as CSSPerspective(calc(-1px)).

Bug: 812620
Change-Id: I5ee70d4fb5eed064bcdad67391c3eb84531144d6
Reviewed-on: https://chromium-review.googlesource.com/924742
Commit-Queue: Darren Shen <shend@chromium.org>
Reviewed-by: nainar <nainar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#537690}

[modify] https://crrev.com/b70861941ae730a1769f1793627b1bda94cf3210/third_party/WebKit/LayoutTests/external/wpt/css/css-typed-om/stylevalue-serialization/cssTransformValue.tentative.html
[modify] https://crrev.com/b70861941ae730a1769f1793627b1bda94cf3210/third_party/WebKit/Source/core/css/cssom/CSSPerspective.cpp
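The commit message above describes the failure mode in two sentences: the CSSPerspective-to-CSSValue conversion returned nullptr for a negative length, and the serialization path (CSSStyleValue::toString, per the crash state) dereferenced that result without checking it. The following is an added example, not code from the Chromium tree or from this bug: a Node-runnable model of the defective converter next to the fixed one, with a caller that trusts the converter the way the crash stack suggests, plus a browser-only check that reconstructs the likely reproducer from the commit message and the modified WPT file (a CSSTransformValue containing a CSSPerspective of -1px). The function names, the modelled return values, and the exact shape of the browser reproducer are assumptions; only CSSTransformValue, CSSPerspective and CSS.px are real Web APIs.

```javascript
// Added example (not from the Chromium bug or the fix commit). Models the
// CSSPerspective serialization defect in plain JavaScript so it runs in Node;
// all names except the Web API ones (CSSTransformValue, CSSPerspective, CSS.px)
// are my own.

// Model of the pre-fix converter: a negative perspective length has no direct
// CSSValue representation, so the conversion yields nothing. In Blink that
// "nothing" was a nullptr that the caller went on to read.
function perspectiveToCssValueBeforeFix(lengthPx) {
  if (lengthPx < 0) return null;   // the nullptr the commit message describes
  return `${lengthPx}px`;
}

// Model of the fixed converter: a negative length is still representable, just
// not as a plain <length>, so it is emitted as a calc() expression instead of
// being dropped.
function perspectiveToCssValueAfterFix(lengthPx) {
  if (lengthPx < 0) return `calc(${lengthPx}px)`;
  return `${lengthPx}px`;
}

// Caller that mirrors the toString path in the crash state: it assumes the
// converter always returns a value. With the pre-fix converter and a negative
// length this throws a TypeError here, where Blink read through a null pointer.
function serializePerspective(convert, lengthPx) {
  const value = convert(lengthPx);
  return `perspective(${value.toString()})`;
}

// Runs both converters on the reported input (-1px) and reports what happened.
function demonstrate() {
  let crashed = false;
  try {
    serializePerspective(perspectiveToCssValueBeforeFix, -1);
  } catch (e) {
    crashed = e instanceof TypeError;
  }
  const fixed = serializePerspective(perspectiveToCssValueAfterFix, -1);
  return { crashed, fixed };
}

// Browser-only: the reproducer implied by the commit message and the modified
// cssTransformValue serialization test (assumed shape, not the bug's testcase).
// Returns null outside a browser with CSS Typed OM, so it is a no-op in Node.
// In a fixed Chromium the result is expected to contain "calc(-1px)".
function browserRepro() {
  if (typeof CSSTransformValue === 'undefined' ||
      typeof CSSPerspective === 'undefined' ||
      typeof CSS === 'undefined' || typeof CSS.px !== 'function') {
    return null;
  }
  return new CSSTransformValue([new CSSPerspective(CSS.px(-1))]).toString();
}

const result = demonstrate();
console.log(`pre-fix path crashed: ${result.crashed}; fixed serialization: ${result.fixed}`);
console.log(`browser reproducer result: ${browserRepro()}`);
```

The point the model makes is the one a reviewer would check in CSSPerspective.cpp: a converter that can return null must either be made total (the approach the fix takes, by widening what it can express) or every caller must test the result before calling CssText on it. Paste the browserRepro body into the devtools console of a build before and after r537690 to see the crash and the calc() serialization respectively.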
Feb 20 2018
ClusterFuzz has detected this issue as fixed in range 537689:537690.

Detailed report: https://clusterfuzz.com/testcase?key=6273565817831424
Fuzzer: inferno_layout_test_fuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::CSSValue::CssText
  blink::CSSStyleValue::toString
  blink::V8CSSStyleValue::toStringMethodCallback
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=533529:533534
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=537689:537690
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6273565817831424

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 20 2018
ClusterFuzz testcase 6273565817831424 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Feb 15 2018
Labels: Test-Predator-Auto-Components