Null-dereference READ in blink::ClipPathClipper::~ClipPathClipper
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6332419435921408
Fuzzer: ochang_domfuzzer
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  blink::ClipPathClipper::~ClipPathClipper
  blink::SVGPaintContext::~SVGPaintContext
  blink::SVGShapePainter::Paint
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=537371:537402
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6332419435921408

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Mar 6 2018
Mar 13 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ffd1f3f4a411eab4f5c14a78da2833ba692109f7

commit ffd1f3f4a411eab4f5c14a78da2833ba692109f7
Author: Tien-Ren Chen <trchen@chromium.org>
Date: Tue Mar 13 04:44:16 2018

[Blink/SPv175] Fix failure to clear ClipPath effect node

This CL fixes a combination of two bugs that resulted in a crash due to internal inconsistencies. The first bug is that we forgot to clear the ClipPath node when an element lost all of its effect nodes. The second bug is that the paint property nodes were not invalidated when an SVG clipPath element was removed.

BUG=818821
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I3e7ba8507c60c4a09f4e88417c76c7e33f1bd1c1
Reviewed-on: https://chromium-review.googlesource.com/959595
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#542728}

[modify] https://crrev.com/ffd1f3f4a411eab4f5c14a78da2833ba692109f7/third_party/WebKit/Source/core/layout/svg/LayoutSVGResourceClipper.cpp
[modify] https://crrev.com/ffd1f3f4a411eab4f5c14a78da2833ba692109f7/third_party/WebKit/Source/core/layout/svg/LayoutSVGResourceClipper.h
[modify] https://crrev.com/ffd1f3f4a411eab4f5c14a78da2833ba692109f7/third_party/WebKit/Source/core/paint/PaintPropertyTreeBuilder.cpp
[modify] https://crrev.com/ffd1f3f4a411eab4f5c14a78da2833ba692109f7/third_party/WebKit/Source/core/paint/PaintPropertyTreeBuilderTest.cpp
Mar 13 2018
ClusterFuzz has detected this issue as fixed in range 542723:542739.

Detailed report: https://clusterfuzz.com/testcase?key=6332419435921408
Fuzzer: ochang_domfuzzer
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  blink::ClipPathClipper::~ClipPathClipper
  blink::SVGPaintContext::~SVGPaintContext
  blink::SVGShapePainter::Paint
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=537371:537402
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=542723:542739
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6332419435921408

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 14 2018
Comment 1 by brajkumar@chromium.org, Mar 6 2018
Components: Blink>Paint
Labels: -Pri-1 M-67 Test-Predator-Wrong Pri-2
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Untriaged)