Null-dereference READ in blink::Node::GetLayoutBoxModelObject
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5209145423429632
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::GetLayoutBoxModelObject
  blink::MediaControlSliderElement::TrackWidth
  blink::MediaControlSliderElement::SetBeforeSegmentPosition
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=550802:550806
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5209145423429632

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Apr 17 2018

Predator could not provide any possible suspects.
https://chromium.googlesource.com/chromium/src/+log/38d7bc8297a2985dc0c8aebe31455890baa598f4..0fade57cc302b008312a196c44bd172ae2b70eac?pretty=fuller&n=10000
From the above CL, observing some changes related to 'layout tests', hence suspecting the below:
https://chromium.googlesource.com/chromium/src/+/0fade57cc302b008312a196c44bd172ae2b70eac
steimel@ -- could you please check whether this is caused by your change? If not, please help us in assigning it to the right owner. Thanks!
Apr 17 2018

This is related to my change, but what's happening is that the fuzzer is using internals to change the ids of elements inside the shadow DOM, causing us to not find the track element by ID here: https://cs.chromium.org/chromium/src/third_party/blink/renderer/modules/media_controls/elements/media_control_slider_element.cc?l=96 Since this isn't actually something that can happen without using internals, I'm closing this as WontFix. Thanks!
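The failure mode described in the comment above, as a simplified C++ model added here (it is not Blink's code, and the element names, the id "track" and the class shapes are constructed for illustration): a lookup of the track element by id inside a shadow tree returns nullptr once the id has been renamed, the unchecked width computation dereferences that null, and the hardened form checks each pointer on the path.

```cpp
// Added model (not Blink's code) of the failure described above: the slider
// looks up its track by ID in its shadow tree; once that ID is renamed (the
// report attributes this to a test-only "internals" hook) the lookup yields
// nullptr and the unguarded width computation dereferences it.
#include <memory>
#include <string>
#include <vector>
struct LayoutBox { int width; };

struct Element {
  std::string id;
  std::unique_ptr<LayoutBox> layout;  // may be null; the hardened path checks it
  const LayoutBox* GetLayoutBoxModelObject() const { return layout.get(); }
};

// Minimal stand-in for a shadow root: a flat list of elements found by id.
class ShadowRoot {
 public:
  Element* Add(const std::string& id, int width) {
    elements_.push_back(std::make_unique<Element>());
    Element* e = elements_.back().get();
    e->id = id;
    e->layout = std::make_unique<LayoutBox>(LayoutBox{width});
    return e;
  }
  Element* GetElementById(const std::string& id) {
    for (auto& e : elements_)
      if (e->id == id) return e.get();
    return nullptr;  // the case the crashing code did not anticipate
  }
 private:
  std::vector<std::unique_ptr<Element>> elements_;
};

const char kTrackId[] = "track";  // constructed id, not Blink's real one
// Mirrors the crashing shape: the lookup result is dereferenced unchecked.
int TrackWidthUnchecked(ShadowRoot& root) {
  return root.GetElementById(kTrackId)->GetLayoutBoxModelObject()->width;
}

// Hardened form: each pointer on the path is checked before use.
struct TrackWidth { bool found; int width; };
TrackWidth TrackWidthChecked(ShadowRoot& root) {
  Element* track = root.GetElementById(kTrackId);
  if (!track) return {false, 0};
  const LayoutBox* box = track->GetLayoutBoxModelObject();
  if (!box) return {false, 0};
  return {true, box->width};
}
```

Renaming the track's id (as the internals hook in the report does) makes TrackWidthChecked report "not found" instead of crashing, which is the behaviour a sanitizer build should be checking for.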
Apr 19 2018

Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Apr 19 2018
Apr 24 2018

ClusterFuzz testcase 6739874502410240 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Apr 24 2018
May 16 2018

ClusterFuzz has detected this issue as fixed in range 558997:559001.

Detailed report: https://clusterfuzz.com/testcase?key=5209145423429632
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::GetLayoutBoxModelObject
  blink::MediaControlSliderElement::TrackWidth
  blink::MediaControlSliderElement::SetBeforeSegmentPosition
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=550802:550806
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=558997:559001
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5209145423429632

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 18 2018

Issue 844241 has been merged into this issue.
Jun 18 2018

Issue 845068 has been merged into this issue.
Jun 18 2018
Comment 1 by ClusterFuzz, Apr 16 2018