Null-dereference READ in blink::Node::UpdateDistribution |
|||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5063963793162240 Fuzzer: ifratric-browserfuzzer-v3 Job Type: mac_asan_chrome Platform Id: mac Crash Type: Null-dereference READ Crash Address: 0x000000000011 Crash State: blink::Node::UpdateDistribution blink::ComparePositions blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > bli Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=540771:540772 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5063963793162240 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Mar 7 2018
,
Mar 7 2018
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
,
Mar 7 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/822be90274eab3c047fea8cf2d7dd35cd5d0db49 (Enable slot-in-flat-tree flag in stable.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Mar 7 2018
Attached simplified crash demo.
,
Mar 7 2018
Before it crashes, it fails the DCHECK here: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/editing/SelectionAdjuster.cpp?sq=package:chromium&dr=CSs&l=739-742 yosin@: any ideas here?
,
Mar 8 2018
,
Mar 8 2018
,
Mar 20 2018
,
May 2 2018
Issue 834691 has been merged into this issue.
,
Jun 29 2018
Issue 857531 has been merged into this issue.
,
Jul 19
ClusterFuzz has detected this issue as fixed in range 575972:575977. Detailed report: https://clusterfuzz.com/testcase?key=5063963793162240 Fuzzer: ifratric-browserfuzzer-v3 Job Type: mac_asan_chrome Platform Id: mac Crash Type: Null-dereference READ Crash Address: 0x000000000011 Crash State: blink::Node::UpdateDistribution blink::ComparePositions blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > bli Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=540771:540772 Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=575972:575977 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5063963793162240 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 19
ClusterFuzz testcase 5063963793162240 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by tkent@chromium.org
, Mar 7 2018