Null-dereference READ in chrome
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5353426771509248
Fuzzer: bj_broddelwerk
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  chrome
  blink::RefCountedPropertyTreeState::GetPropertyTreeState
  blink::FragmentData::LocalBorderBoxProperties
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=537426:537470
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5353426771509248

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Feb 24 2018
Automatically adding ccs based on suspected regression changelists:
canvas: Avoid unnecessary book-keeping of images in CanvasImageProvider. by khushalsagar@chromium.org - https://chromium.googlesource.com/chromium/src/+/cde9d1d1e464957716e4e15f44810fe28753e4df
[PE] Add a test case for crbug.com/809102 by wangxianzhu@chromium.org - https://chromium.googlesource.com/chromium/src/+/4926f8217a1795cedffc9c64113eb7944b0cf504
If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Feb 24 2018
Feb 26 2018
With DCHECK:
[1:1:0226/094940.013224:FATAL:FindPropertiesNeedingUpdate.h(214)] Check failed: *original_local_border_box_properties_->Clip() == *object_border_box.Clip(). Property was updated without the layout object ("LayoutSVGRoot svg") needing a paint property update.
Original:
FragmentClip (LayoutMultiColumnFlowThread (anonymous)) 0x3c75b8e5b810 {"parent":"0x3c75b8e58f10","localTransformSpace":"0x3c75b8ebabd0","rect":"442,8 24x21"}
Updated:
FragmentClip (LayoutMultiColumnFlowThread (anonymous)) 0x3c75b8e5b210 {"parent":"0x3c75b8e58f10","localTransformSpace":"0x3c75b8ebabd0","rect":"298,8 24x21"}
#0 0x000003388a7c base::debug::StackTrace::StackTrace()
#1 0x0000033a791c logging::LogMessage::~LogMessage()
#2 0x000005a700d7 blink::FindObjectPropertiesNeedingUpdateScope::~FindObjectPropertiesNeedingUpdateScope()
#3 0x000005a62238 blink::ObjectPaintPropertyTreeBuilder::UpdateForSelf()
#4 0x000005a5304b blink::PrePaintTreeWalk::WalkInternal()
Feb 27 2018
Feb 27 2018
ClusterFuzz has detected this issue as fixed in range 539387:539402.

Detailed report: https://clusterfuzz.com/testcase?key=5353426771509248
Fuzzer: bj_broddelwerk
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  chrome
  blink::RefCountedPropertyTreeState::GetPropertyTreeState
  blink::FragmentData::LocalBorderBoxProperties
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=537426:537470
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=539387:539402
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5353426771509248

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 27 2018
ClusterFuzz testcase 5353426771509248 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Feb 24 2018
Labels: Test-Predator-Auto-Components