Null-dereference READ in blink::TreeScope::getElementById |
|||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5636247473881088 Fuzzer: inferno_layout_test_unmodified Job Type: linux_ubsan_vptr_content_shell_drt Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000000 Crash State: blink::TreeScope::getElementById blink::StyleSheetList::GetNamedItem blink::StyleSheetList::AnonymousNamedGetter Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=543652:543654 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5636247473881088 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Mar 18 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/a46b62e9900f5ac48951f8ad68d9e03eded4cc8d (Create an empty StyleSheetList for moreStyleSheets.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Mar 23 2018
,
Mar 23 2018
,
Mar 23 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9d5d29127490e791084b7727b062fb0cf50d29dd commit 9d5d29127490e791084b7727b062fb0cf50d29dd Author: Rune Lillesveen <futhark@chromium.org> Date: Fri Mar 23 12:11:39 2018 Missing nullptr check for scope in StyleSheetList. The StyleSheetList for the moreStyleSheets API does not have a TreeScope which made the named getter crash. Bug: 823115 Change-Id: Ibc67ff06d328f9f771cba4e0c74080133e4fcfbb Reviewed-on: https://chromium-review.googlesource.com/977901 Reviewed-by: Morten Stenshorne <mstensho@chromium.org> Commit-Queue: Rune Lillesveen <futhark@chromium.org> Cr-Commit-Position: refs/heads/master@{#545411} [modify] https://crrev.com/9d5d29127490e791084b7727b062fb0cf50d29dd/third_party/WebKit/Source/core/css/StyleSheetList.cpp [modify] https://crrev.com/9d5d29127490e791084b7727b062fb0cf50d29dd/third_party/WebKit/Source/core/css/StyleSheetListTest.cpp
,
Mar 24 2018
ClusterFuzz has detected this issue as fixed in range 545408:545411. Detailed report: https://clusterfuzz.com/testcase?key=5636247473881088 Fuzzer: inferno_layout_test_unmodified Job Type: linux_ubsan_vptr_content_shell_drt Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000000 Crash State: blink::TreeScope::getElementById blink::StyleSheetList::GetNamedItem blink::StyleSheetList::AnonymousNamedGetter Sanitizer: undefined (UBSAN) Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=543652:543654 Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=545408:545411 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5636247473881088 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 24 2018
ClusterFuzz testcase 5636247473881088 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by ClusterFuzz
, Mar 18 2018Labels: Test-Predator-Auto-Components