New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 844385 link

Starred by 2 users
Status: WontFix
Owner:
aboxhall@chromium.org
Closed: Jul 13
Cc:
pnangunoori@chromium.org
meredithl@google.com
aboxhall@chromium.org
dmazz...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug
Team-Accessibility


Show other hotlists

Hotlists containing this issue:
Hotlist-3


Sign in to add a comment

Null-dereference READ in blink::ComputedAccessibleNodePromiseResolver::UpdateTreeAndResolve

Project Member Reported by ClusterFuzz, May 18 2018 
Detailed report: https://clusterfuzz.com/testcase?key=5167909203345408

Fuzzer: inferno_twister
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x000000000050
Crash State:
  blink::ComputedAccessibleNodePromiseResolver::UpdateTreeAndResolve
  blink::FrameRequestCallbackCollection::ExecuteCallbacks
  blink::ScriptedAnimationController::ServiceScriptedAnimations
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=538675:538682

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5167909203345408

Additional requirements: Requires HTTP

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, May 18 2018

Labels: OS-Mac OS-Linux
Project Member

Comment 2 by ClusterFuzz, May 18 2018

Components: Blink>DOM
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 3 by ClusterFuzz, May 18 2018

Cc: meredithl@google.com
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

Refactors ensureUpToDate to use rAF callback. by meredithl@google.com - https://chromium.googlesource.com/chromium/src/+/e35fb3af9c9e2ce800e8f5c9bca93cb650c6f738

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.

Comment 4 by fergal@chromium.org, May 21 2018

Components: -Blink>DOM Blink>Accessibility
The problem seems to be

https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/dom/computed_accessible_node.cc?q=symbol:%5Eblink::ComputedAccessibleNodePromiseResolver::UpdateTreeAndResolve$&sq=package:chromium&g=0&l=83

void ComputedAccessibleNodePromiseResolver::UpdateTreeAndResolve() {
  LocalFrame* local_frame = element_->ownerDocument()->GetFrame();
  WebFrameClient* client = WebLocalFrameImpl::FromFrame(local_frame)->Client();

since GetFrame may return nullptr (e.g. if the document has been constructed via JS).

Comment 5 by pnangunoori@chromium.org, May 31 2018

Cc: pnangunoori@chromium.org
Labels: M-67
Owner: aboxhall@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.
Using the code search for the file, “computed_accessible_node.cc” assigning to concern owner from GIT revision log.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/06bafdfb50ee7ede3709742290c256e60ad50bdb

@aboxhall -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes.
Thank You.
Project Member

Comment 6 by ClusterFuzz, Jul 12

Labels: -Reproducible Unreproducible
ClusterFuzz testcase 5167909203345408 appears to be flaky, updating reproducibility label.
Project Member

Comment 7 by ClusterFuzz, Jul 13

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5167909203345408 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment