New issue
Advanced search Search tips

Issue 838075 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Null-dereference READ in blink::PositionWithAffinityTemplate<blink::EditingAlgorithm<blink::NodeTraversal

Project Member Reported by ClusterFuzz, Apr 30 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6481772402180096

Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::PositionWithAffinityTemplate<blink::EditingAlgorithm<blink::NodeTraversal
  blink::ComputeInlineBoxPosition
  blink::NextLinePosition
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=553007:553010

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6481772402180096

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: pnangunoori@chromium.org
Components: Blink>CSS
Labels: M-68 Test-Predator-Wrong
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)
Using the provided regression range assigning to the possible suspect as per the change made for the file, “visible_units_line.cc”
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/85d8d125def54d5c6ce28fec310f8cf5738caf48

@xiaochengh -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes.

Thanks!

Components: -Blink>CSS Blink>Editing>Selection
Project Member

Comment 3 by bugdroid1@chromium.org, May 3 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7442d6e4e1f40aed18c17dcd8f480e922ce1e56a

commit 7442d6e4e1f40aed18c17dcd8f480e922ce1e56a
Author: Xiaocheng Hu <xiaochengh@chromium.org>
Date: Thu May 03 06:18:02 2018

Revert "Stop using RenderedPosition in VisibleUnitsLine"

This reverts commit 85d8d125def54d5c6ce28fec310f8cf5738caf48.

Reason for revert: causing  crbug.com/838075 

Original change's description:
> Stop using RenderedPosition in VisibleUnitsLine
> 
> VisibleUnitsLine uses RenderedPosition instances without using
> the bidi-related functionalities.
> 
> Since RenderedPosition is a wrapper of InlineBoxPosition with bidi
> utility functions added, this patch changes VisibleUnitsLine to
> use InlineBoxPosition directly for simplicity.
> 
> Bug: 822575
> Change-Id: I158ddfb3dec1ead3f8b66e1255f3465f3f0353a2
> Reviewed-on: https://chromium-review.googlesource.com/1024645
> Reviewed-by: Yoichi Osato <yoichio@chromium.org>
> Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
> Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#553008}

TBR=yosin@chromium.org,yoichio@chromium.org,xiaochengh@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 822575,  838075 
Change-Id: Ifa8429f7749d5c6bdb6dda3f2ed3471c523756ce
Reviewed-on: https://chromium-review.googlesource.com/1040611
Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#555673}
[modify] https://crrev.com/7442d6e4e1f40aed18c17dcd8f480e922ce1e56a/third_party/blink/renderer/core/editing/visible_units_line.cc

Project Member

Comment 4 by ClusterFuzz, May 3 2018

ClusterFuzz has detected this issue as fixed in range 555672:555673.

Detailed report: https://clusterfuzz.com/testcase?key=6481772402180096

Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::PositionWithAffinityTemplate<blink::EditingAlgorithm<blink::NodeTraversal
  blink::ComputeInlineBoxPosition
  blink::NextLinePosition
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=553007:553010
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=555672:555673

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6481772402180096

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, May 3 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6481772402180096 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment