CHECK failure: !ScriptForbiddenScope::IsScriptForbidden() in v8_per_isolate_data.cc |
||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5697716475396096 Fuzzer: ifratric-browserfuzzer-v3 Job Type: linux_lsan_chrome_mp Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !ScriptForbiddenScope::IsScriptForbidden() in v8_per_isolate_data.cc blink::BeforeCallEnteredCallback FireBeforeCallEnteredCallback Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=523898:523900 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5697716475396096 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Apr 25 2018
Not immediately obvious what's going on here. adithyas@, mind having a look? (I know how much you adore ScriptForbiddenScope bugs...)
,
May 1 2018
Looks like we call RemoveChildren inside SVGUseElement::BuildPendingResource() which runs in a ScriptForbiddenScope. Calling RemoveChildren (even with kOmitSubtreeModifiedEvent) can result in script execution if the focused element is removed (which is what happens in this case).
,
May 1 2018
fs@, could you look into this please?
,
May 3 2018
We lack a good place where we can tear down the old instance tree (which is what's happening here.) For most cases blurring in InvalidateShadowTree would work I think, but not in this case apparently (since we get a id-change notification which is synchronous from RemoveChild.) FWIW, this must've been around for a while, appears similar to issue 656160. |
||||
►
Sign in to add a comment |
||||
Comment 1 by ClusterFuzz
, Apr 20 2018Labels: Test-Predator-Auto-Components