Null-dereference READ in blink::ComputedAccessibleNodePromiseResolver::UpdateTreeAndResolve |
|||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5167909203345408 Fuzzer: inferno_twister Job Type: windows_asan_content_shell Platform Id: windows Crash Type: Null-dereference READ Crash Address: 0x000000000050 Crash State: blink::ComputedAccessibleNodePromiseResolver::UpdateTreeAndResolve blink::FrameRequestCallbackCollection::ExecuteCallbacks blink::ScriptedAnimationController::ServiceScriptedAnimations Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=538675:538682 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5167909203345408 Additional requirements: Requires HTTP Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
May 18 2018
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
,
May 18 2018
Automatically adding ccs based on suspected regression changelists: Refactors ensureUpToDate to use rAF callback. by meredithl@google.com - https://chromium.googlesource.com/chromium/src/+/e35fb3af9c9e2ce800e8f5c9bca93cb650c6f738 If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
,
May 21 2018
The problem seems to be https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/dom/computed_accessible_node.cc?q=symbol:%5Eblink::ComputedAccessibleNodePromiseResolver::UpdateTreeAndResolve$&sq=package:chromium&g=0&l=83 void ComputedAccessibleNodePromiseResolver::UpdateTreeAndResolve() { LocalFrame* local_frame = element_->ownerDocument()->GetFrame(); WebFrameClient* client = WebLocalFrameImpl::FromFrame(local_frame)->Client(); since GetFrame may return nullptr (e.g. if the document has been constructed via JS).
,
May 31 2018
Predator and CL could not provide any possible suspects. Using the code search for the file, “computed_accessible_node.cc” assigning to concern owner from GIT revision log. Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/06bafdfb50ee7ede3709742290c256e60ad50bdb @aboxhall -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes. Thank You.
,
Jul 12
ClusterFuzz testcase 5167909203345408 appears to be flaky, updating reproducibility label.
,
Jul 13
ClusterFuzz testcase 5167909203345408 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by ClusterFuzz
, May 18 2018