Null-dereference WRITE in blink::LayoutBlock::ComputeIntrinsicLogicalWidths
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5192753789796352

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference WRITE
Crash Address: 0x000000000010
Crash State:
  blink::LayoutBlock::ComputeIntrinsicLogicalWidths
  blink::LayoutBlock::ComputePreferredLogicalWidths
  blink::LayoutBox::MinPreferredLogicalWidth

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=197937:198046

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5192753789796352

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Feb 28 2018

Mar 1 2018
I am unable to reproduce this on the current build on my Linux workstation. It does not hit the null deref, with or without SlimmingPaint175.
It does crash M64 chrome-stable renderer.
I did hit several DCHECKs:
paint/FindPropertiesNeedingUpdate.h:189
DCHECK_OBJECT_PROPERTY_EQ(object_, OverflowClip(*original_properties_),
OverflowClip(*object_properties));
ElementAnimations.cpp:131
void ElementAnimations::UpdateBaseComputedStyle
DCHECK(*base_computed_style_ == *computed_style);
editing/SelectionTemplate.cpp:40
SelectionTemplate<Strategy>::operator==
DCHECK_EQ(base_.GetDocument()->DomTreeVersion(), dom_tree_version_) << *this;
Would you like me to investigate further? The next step would be to build M64.

Mar 1 2018
Thanks Alex, that's great! If it doesn't reproduce on tip of tree then it doesn't seem worth it to investigate further. Thanks again.
Aug 20

Aug 27
ClusterFuzz testcase 5192753789796352 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Comment 1 by brajkumar@chromium.org, Feb 28 2018
Components: Blink>Layout
Labels: M-65 Test-Predator-Wrong CF-NeedsTriage