
Issue 847949 link


Issue metadata

Status: Duplicate
Merged: issue 846708
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

EMBED element should not call Document::ImplicitClose() during ReattachLayoutTree

Project Member Reported by ClusterFuzz, May 30 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6034305877540864

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  chrome
  blink::LayoutTreeBuilderForElement::CreateLayoutObject
  blink::Element::AttachLayoutTree
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=562777:562798

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6034305877540864

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz, May 30 2018

Components: Blink>DOM Blink>HTML
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz, May 30 2018

Labels: Test-Predator-Auto-Owner
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/181c301956206601a8a4e90b5b903cd9743a8895 ([LayoutNG] Introduce ReattachLegacyLayoutObjectList to replace NG objects to legacy objects).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by yosin@chromium.org, May 31 2018

Components: -Blink>HTML -Blink>DOM Blink>Layout
Status: Started (was: Assigned)
Summary: EMBED element should not call Document::ImplicitClose() during ReattachLayoutTree (was: Null-dereference READ in chrome)
Hit DCHECK(!InStyleRecalc()) in Document::ImplicitClose()

Thus, my patch exposes this instead of changing behavior.

Document::ImplicitClose() Line 3252
Document::CheckCompleted() Line 3365
LocalFrame::CheckCompleted() Line 427
FrameLoader::DidFinishNavigation() Line 485
FrameLoader::DetachProvisionalDocumentLoader(blink::DocumentLoader * loader) Line 1297
DocumentLoader::LoadFailed(const blink::ResourceError & error) Line 433
DocumentLoader::StopLoading() Line 811
DocumentLoader::DetachFromFrame() Line 817
WebDocumentLoaderImpl::DetachFromFrame() Line 172
FrameLoader::DetachDocumentLoader(blink::Member<blink::DocumentLoader> & loader) Line 548
FrameLoader::StopAllLoaders() Line 1037
LocalFrame::Detach(blink::FrameDetachType type) Line 354
HTMLFrameOwnerElement::DisconnectContentFrame() Line 203
HTMLPlugInElement::DisconnectContentFrame() Line 486
ChildFrameDisconnector::DisconnectCollectedFrameOwners() Line 60
ChildFrameDisconnector::Disconnect(blink::ChildFrameDisconnector::DisconnectPolicy policy) Line 33
HTMLPlugInElement::DetachLayoutTree(const blink::Node::AttachContext & context) Line 315
Node::ReattachLayoutTree(blink::Node::AttachContext & context) Line 1089
Element::RebuildLayoutTree(blink::WhitespaceAttacher & whitespace_attacher) Line 2375
ContainerNode::RebuildLayoutTreeForChild(blink::Node * child, blink::WhitespaceAttacher & whitespace_attacher) Line 1365
ContainerNode::RebuildChildrenLayoutTrees(blink::WhitespaceAttacher & whitespace_attacher) Line 1409
Element::RebuildLayoutTree(blink::WhitespaceAttacher & whitespace_attacher) Line 2402
ContainerNode::RebuildLayoutTreeForChild(blink::Node * child, blink::WhitespaceAttacher & whitespace_attacher) Line 1365
ContainerNode::RebuildChildrenLayoutTrees(blink::WhitespaceAttacher & whitespace_attacher) Line 1409
Element::RebuildLayoutTree(blink::WhitespaceAttacher & whitespace_attacher) Line 2402
Document::UpdateStyle() Line 2253
Document::UpdateStyleAndLayoutTree() Line 2156
LocalFrameView::UpdateStyleAndLayoutIfNeededRecursiveInternal() Line 3354
LocalFrameView::UpdateStyleAndLayoutIfNeededRecursive() Line 3329
LocalFrameView::UpdateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState target_state) Line 2969
LocalFrameView::UpdateLifecycleToPrePaintClean() Line 2793
LayoutView::HitTest(blink::HitTestResult & result) Line 119
Document::PerformMouseEventHitTest(const blink::HitTestRequest & request, const blink::LayoutPoint & document_point, const blink::WebMouseEvent & event) Line 4160
EventHandlingUtil::PerformMouseEventHitTest(blink::LocalFrame * frame, const blink::HitTestRequest & request, const blink::WebMouseEvent & mev) Line 125
EventHandler::HandleMouseMoveOrLeaveEvent(const blink::WebMouseEvent & mouse_event, const WTF::Vector<blink::WebMouseEvent,0,WTF::PartitionAllocator> & coalesced_events, blink::HitTestResult * hovered_node, bool only_update_scrollbars, bool force_leave) Line 867
EventHandler::HandleMouseMoveEvent(const blink::WebMouseEvent & event, const WTF::Vector<blink::WebMouseEvent,0,WTF::PartitionAllocator> & coalesced_events) Line 753
MouseEventManager::FakeMouseMoveEventTimerFired(blink::TimerBase * timer) Line 377
TaskRunnerTimer<blink::MouseEventManager>::Fired() Line 158

Comment 4 by yosin@chromium.org, May 31 2018

Cc: yosin@chromium.org
Issue 848013 has been merged into this issue.

Comment 5 by yosin@chromium.org, May 31 2018

Minimal reproducing HTML:

<!doctype html>
<embed src="foo"></embed>
<script>
document.querySelector('embed').align = 'right';
</script>

Comment 6 by yosin@chromium.org, May 31 2018

Cc: ekaramad@chromium.org dcheng@chromium.org
The patch[1] starts calling Document::ImplicitClose() in HTMLPlugInElement::DetachLayoutTree().

[1] http://crrev.com/c/996314 Cleanup plugin element frames when the layout tree is detached

Comment 7 by yosin@chromium.org, May 31 2018

Components: -Blink>Layout Blink>HTML>Embed
Owner: ekaramad@chromium.org
Status: Assigned (was: Started)
ekaramad@, could you take a look?

The simple solution, not calling Disconnect() for |!performing_reattach|, doesn't work.
Fixing this issue needs plug-in expert knowledge.

Stack trace when not calling Disconnect() for reattach:

HTMLPlugInElement::RequestObjectInternal(const blink::PluginParameters & plugin_params) Line 153
HTMLPlugInElement::RequestObject(const blink::PluginParameters & plugin_params) Line 558
HTMLEmbedElement::UpdatePluginInternal() Line 170
HTMLPlugInElement::UpdatePlugin() Line 249
LocalFrameView::UpdatePlugins() Line 2359
LocalFrameView::UpdatePluginsTimerFired(blink::TimerBase *) Line 2373
TaskRunnerTimer<blink::LocalFrameView>::Fired() Line 158


Comment 8 by ClusterFuzz, May 31 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6027785580314624 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 9 by yosin@chromium.org, May 31 2018

Labels: ClusterFuzz-Wrong
Status: Assigned (was: Verified)
Still reproduces in ToT with a debug build.

Mergedinto: 846708
Status: Duplicate (was: Assigned)
Thanks. Yes, this is not fixed yet. This all goes to detaching a content frame of a plugin element during Document::InStyleRecalc(). There is a CL under review for the fix.

Marking as duplicate.

Comment 11 by ClusterFuzz, Jun 2 2018

ClusterFuzz has detected this issue as fixed in range 563896:563919.

Detailed report: https://clusterfuzz.com/testcase?key=6034305877540864

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  chrome
  blink::LayoutTreeBuilderForElement::CreateLayoutObject
  blink::Element::AttachLayoutTree
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=562777:562798
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=563896:563919

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6034305877540864

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.