
Issue 848013


Issue metadata

Status: Duplicate
Merged: issue 847949
Owner: ----
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




EMBED element should not call Document::ImplicitClose() during ReattachLayoutTree

Reported by ClusterFuzz (Project Member), May 30 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6027785580314624

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  IsForcingLegacyLayout
  blink::LayoutTreeBuilderForElement::CreateLayoutObject
  CreateLayoutObjectIfNeeded
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=562790:562795

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6027785580314624

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Comment 1 by ClusterFuzz (Project Member), May 30 2018

Components: Blink>DOM
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz (Project Member), May 30 2018

Labels: Test-Predator-Auto-Owner
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/181c301956206601a8a4e90b5b903cd9743a8895 ([LayoutNG] Introduce ReattachLegacyLayoutObjectList to replace NG objects to legacy objects).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by yosin@chromium.org, May 31 2018

Mergedinto: 847949
Owner: ----
Status: Duplicate (was: Assigned)
Summary: EMBED element should not call Document::ImplicitClose() during ReattachLayoutTree (was: Null-dereference READ in IsForcingLegacyLayout)
Hit DCHECK(!InStyleRecalc()) in Document::ImplicitClose()

Document::ImplicitClose() Line 3252
Document::CheckCompleted() Line 3365
LocalFrame::CheckCompleted() Line 427
FrameLoader::DidFinishNavigation() Line 485
DocumentLoader::LoadFailed(const blink::ResourceError & error) Line 440
DocumentLoader::StopLoading() Line 811
FrameLoader::StopAllLoaders() Line 1035
LocalFrame::Detach(blink::FrameDetachType type) Line 354
HTMLFrameOwnerElement::DisconnectContentFrame() Line 203
HTMLPlugInElement::DisconnectContentFrame() Line 486
ChildFrameDisconnector::DisconnectCollectedFrameOwners() Line 60
ChildFrameDisconnector::Disconnect(blink::ChildFrameDisconnector::DisconnectPolicy policy) Line 33
HTMLPlugInElement::DetachLayoutTree(const blink::Node::AttachContext & context) Line 315
Node::ReattachLayoutTree(blink::Node::AttachContext & context) Line 1089
Element::RebuildLayoutTree(blink::WhitespaceAttacher & whitespace_attacher) Line 2375
ContainerNode::RebuildLayoutTreeForChild(blink::Node * child, blink::WhitespaceAttacher & whitespace_attacher) Line 1365
ContainerNode::RebuildChildrenLayoutTrees(blink::WhitespaceAttacher & whitespace_attacher) Line 1409
Element::RebuildLayoutTree(blink::WhitespaceAttacher & whitespace_attacher) Line 2402
ContainerNode::RebuildLayoutTreeForChild(blink::Node * child, blink::WhitespaceAttacher & whitespace_attacher) Line 1365
ContainerNode::RebuildChildrenLayoutTrees(blink::WhitespaceAttacher & whitespace_attacher) Line 1409
Element::RebuildLayoutTree(blink::WhitespaceAttacher & whitespace_attacher) Line 2402
Document::UpdateStyle() Line 2253
Document::UpdateStyleAndLayoutTree() Line 2156
Document::UpdateStyleAndLayoutTree() Line 2090
Document::ImplicitClose() Line 3304
Document::CheckCompleted() Line 3365
FrameLoader::FinishedParsing() Line 447
Document::FinishedParsing() Line 5868
HTMLConstructionSite::FinishedParsing() Line 621
HTMLTreeBuilder::Finished() Line 2750
HTMLDocumentParser::end() Line 893
HTMLDocumentParser::AttemptToRunDeferredScriptsAndEnd() Line 906
HTMLDocumentParser::PrepareToStopParsing() Line 239
HTMLDocumentParser::ProcessTokenizedChunkFromBackgroundParser(std::unique_ptr<blink::HTMLDocumentParser::TokenizedChunk,std::default_delete<blink::HTMLDocumentParser::TokenizedChunk> > pop_chunk) Line 544
HTMLDocumentParser::PumpPendingSpeculations() Line 590
HTMLDocumentParser::ResumeParsingAfterYield() Line 267
HTMLParserScheduler::ContinueParsing() Line 150
blink_core.dll!base::internal::FunctorTraits<void (blink::HTMLParserScheduler::*)(),void>::Invoke<void (blink::HTMLParserScheduler::*)(),blink::WeakPersistent<blink::HTMLParserScheduler>>(void(blink::HTMLParserScheduler::*)() method, blink::WeakPersistent<blink::HTMLParserScheduler> && receiver_ptr) Line 447
blink_core.dll!base::internal::InvokeHelper<1,void>::MakeItSo<void (blink::HTMLParserScheduler::*)(),blink::WeakPersistent<blink::HTMLParserScheduler>>(void(blink::HTMLParserScheduler::*)() && functor, blink::WeakPersistent<blink::HTMLParserScheduler> && weak_ptr) Line 570
blink_core.dll!base::internal::Invoker<base::internal::BindState<void (blink::HTMLParserScheduler::*)(),blink::WeakPersistent<blink::HTMLParserScheduler> >,void ()>::RunImpl<void (blink::HTMLParserScheduler::*)(),std::tuple<blink::WeakPersistent<blink::HTMLParserScheduler> >,0>(void(blink::HTMLParserScheduler::*)() && functor, std::tuple<blink::WeakPersistent<blink::HTMLParserScheduler> > && bound, std::integer_sequence<unsigned long long,0>) Line 621
blink_core.dll!base::internal::Invoker<base::internal::BindState<void (blink::HTMLParserScheduler::*)(),blink::WeakPersistent<blink::HTMLParserScheduler> >,void ()>::RunOnce(base::internal::BindStateBase * base) Line 589
blink_core.dll!base::OnceCallback<void ()>::Run() Line 97
blink_core.dll!WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::RunInternal(base::OnceCallback<void ()> * callback) Line 258
blink_core.dll!WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::Run() Line 245
blink_core.dll!base::internal::FunctorTraits<void (WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)(),void>::Invoke<void (WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)(),std::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>,std::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()> > >>(void(WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)() method, std::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>,std::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()> > > && receiver_ptr) Line 447
blink_core.dll!base::internal::InvokeHelper<0,void>::MakeItSo<void (WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)(),std::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>,std::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()> > > >(void(WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)() && functor, std::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>,std::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()> > > && args) Line 547
blink_core.dll!base::internal::Invoker<base::internal::BindState<void (WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)(),std::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>,std::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()> > > >,void ()>::RunImpl<void (WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)(),std::tuple<std::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>,std::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()> > > >,0>(void(WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)() && functor, std::tuple<std::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>,std::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()> > > > && bound, std::integer_sequence<unsigned long long,0>) Line 621
blink_core.dll!base::internal::Invoker<base::internal::BindState<void (WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)(),std::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>,std::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()> > > >,void ()>::RunOnce(base::internal::BindStateBase * base) Line 589
blink_platform.dll!base::OnceCallback<void ()>::Run() Line 97
blink_platform.dll!blink::TaskHandle::Runner::Run(const blink::TaskHandle &) Line 56
blink_platform.dll!base::internal::FunctorTraits<void (blink::TaskHandle::Runner::*)(const blink::TaskHandle &),void>::Invoke<void (blink::TaskHandle::Runner::*)(const blink::TaskHandle &),base::WeakPtr<blink::TaskHandle::Runner>,blink::TaskHandle>(void(blink::TaskHandle::Runner::*)(const blink::TaskHandle &) method, base::WeakPtr<blink::TaskHandle::Runner> && receiver_ptr, blink::TaskHandle && args) Line 447
blink_platform.dll!base::internal::InvokeHelper<1,void>::MakeItSo<void (blink::TaskHandle::Runner::*)(const blink::TaskHandle &),base::WeakPtr<blink::TaskHandle::Runner>,blink::TaskHandle>(void(blink::TaskHandle::Runner::*)(const blink::TaskHandle &) && functor, base::WeakPtr<blink::TaskHandle::Runner> && weak_ptr, blink::TaskHandle && args) Line 570
blink_platform.dll!base::internal::Invoker<base::internal::BindState<void (blink::TaskHandle::Runner::*)(const blink::TaskHandle &),base::WeakPtr<blink::TaskHandle::Runner>,blink::TaskHandle>,void ()>::RunImpl<void (blink::TaskHandle::Runner::*)(const blink::TaskHandle &),std::tuple<base::WeakPtr<blink::TaskHandle::Runner>,blink::TaskHandle>,0,1>(void(blink::TaskHandle::Runner::*)(const blink::TaskHandle &) && functor, std::tuple<base::WeakPtr<blink::TaskHandle::Runner>,blink::TaskHandle> && bound, std::integer_sequence<unsigned long long,0,1>) Line 621
blink_platform.dll!base::internal::Invoker<base::internal::BindState<void (blink::TaskHandle::Runner::*)(const blink::TaskHandle &),base::WeakPtr<blink::TaskHandle::Runner>,blink::TaskHandle>,void ()>::RunOnce(base::internal::BindStateBase * base) Line 589
blink_platform.dll!base::OnceCallback<void ()>::Run() Line 97
blink_platform.dll!WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::RunInternal(base::OnceCallback<void ()> * callback) Line 258
blink_platform.dll!WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::Run() Line 245
blink_platform.dll!base::internal::FunctorTraits<void (WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)(),void>::Invoke<void (WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)(),std::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>,std::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()> > >>(void(WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)() method, std::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>,std::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()> > > && receiver_ptr) Line 447
blink_platform.dll!base::internal::InvokeHelper<0,void>::MakeItSo<void (WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)(),std::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>,std::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()> > > >(void(WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)() && functor, std::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>,std::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()> > > && args) Line 547
blink_platform.dll!base::internal::Invoker<base::internal::BindState<void (WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)(),std::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>,std::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()> > > >,void ()>::RunImpl<void (WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)(),std::tuple<std::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>,std::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()> > > >,0>(void(WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)() && functor, std::tuple<std::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>,std::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()> > > > && bound, std::integer_sequence<unsigned long long,0>) Line 621
blink_platform.dll!base::internal::Invoker<base::internal::BindState<void (WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>::*)(),std::unique_ptr<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()>,std::default_delete<WTF::ThreadCheckingCallbackWrapper<base::OnceCallback<void ()>,void ()> > > >,void ()>::RunOnce(base::internal::BindStateBase * base) Line 589
base.dll!base::OnceCallback<void ()>::Run() Line 97
base.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, base::PendingTask * pending_task) Line 103
blink_platform.dll!base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType work_type) Line 168
blink_platform.dll!base::internal::FunctorTraits<void (base::sequence_manager::internal::ThreadControllerImpl::*)(base::sequence_manager::internal::ThreadControllerImpl::WorkType),void>::Invoke<void (base::sequence_manager::internal::ThreadControllerImpl::*)(base::sequence_manager::internal::ThreadControllerImpl::WorkType),const base::WeakPtr<base::sequence_manager::internal::ThreadControllerImpl> &,const base::sequence_manager::internal::ThreadControllerImpl::WorkType &>(void(base::sequence_manager::internal::ThreadControllerImpl::*)(base::sequence_manager::internal::ThreadControllerImpl::WorkType) method, const base::WeakPtr<base::sequence_manager::internal::ThreadControllerImpl> & receiver_ptr, const base::sequence_manager::internal::ThreadControllerImpl::WorkType & args) Line 447
blink_platform.dll!base::internal::InvokeHelper<1,void>::MakeItSo<void (base::sequence_manager::internal::ThreadControllerImpl::*const &)(base::sequence_manager::internal::ThreadControllerImpl::WorkType),const base::WeakPtr<base::sequence_manager::internal::ThreadControllerImpl> &,const base::sequence_manager::internal::ThreadControllerImpl::WorkType &>(void(base::sequence_manager::internal::ThreadControllerImpl::*)(base::sequence_manager::internal::ThreadControllerImpl::WorkType) & functor, const base::WeakPtr<base::sequence_manager::internal::ThreadControllerImpl> & weak_ptr, const base::sequence_manager::internal::ThreadControllerImpl::WorkType & args) Line 570
blink_platform.dll!base::internal::Invoker<base::internal::BindState<void (base::sequence_manager::internal::ThreadControllerImpl::*)(base::sequence_manager::internal::ThreadControllerImpl::WorkType),base::WeakPtr<base::sequence_manager::internal::ThreadControllerImpl>,base::sequence_manager::internal::ThreadControllerImpl::WorkType>,void ()>::RunImpl<void (base::sequence_manager::internal::ThreadControllerImpl::*const &)(base::sequence_manager::internal::ThreadControllerImpl::WorkType),const std::tuple<base::WeakPtr<base::sequence_manager::internal::ThreadControllerImpl>,base::sequence_manager::internal::ThreadControllerImpl::WorkType> &,0,1>(void(base::sequence_manager::internal::ThreadControllerImpl::*)(base::sequence_manager::internal::ThreadControllerImpl::WorkType) & functor, const std::tuple<base::WeakPtr<base::sequence_manager::internal::ThreadControllerImpl>,base::sequence_manager::internal::ThreadControllerImpl::WorkType> & bound, std::integer_sequence<unsigned long long,0,1>) Line 621
blink_platform.dll!base::internal::Invoker<base::internal::BindState<void (base::sequence_manager::internal::ThreadControllerImpl::*)(base::sequence_manager::internal::ThreadControllerImpl::WorkType),base::WeakPtr<base::sequence_manager::internal::ThreadControllerImpl>,base::sequence_manager::internal::ThreadControllerImpl::WorkType>,void ()>::Run(base::internal::BindStateBase * base) Line 603
base.dll!base::OnceCallback<void ()>::Run() Line 97
base.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, base::PendingTask * pending_task) Line 103
base.dll!base::internal::IncomingTaskQueue::RunTask(base::PendingTask * pending_task) Line 124
base.dll!base::MessageLoop::RunTask(base::PendingTask * pending_task) Line 320
base.dll!base::MessageLoop::DeferOrRunPendingTask(base::PendingTask pending_task) Line 332
base.dll!base::MessageLoop::DoWork() Line 373
base.dll!base::MessagePumpForUI::DoRunLoop() Line 173
base.dll!base::MessagePumpWin::Run(base::MessagePump::Delegate * delegate) Line 58
base.dll!base::MessageLoop::Run(bool application_tasks_allowed) Line 273
base.dll!base::RunLoop::Run() Line 105
base.dll!base::Thread::Run(base::RunLoop * run_loop) Line 255
base.dll!base::Thread::ThreadMain() Line 340
base.dll!base::`anonymous namespace'::ThreadFunc(void * params) Line 93

Comment 4 by ClusterFuzz (Project Member), May 31 2018

ClusterFuzz has detected this issue as fixed in range 563064:563065.

Detailed report: https://clusterfuzz.com/testcase?key=6027785580314624

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  IsForcingLegacyLayout
  blink::LayoutTreeBuilderForElement::CreateLayoutObject
  CreateLayoutObjectIfNeeded
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=562790:562795
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=563064:563065

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6027785580314624

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
