Null-dereference READ in chrome
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6308458874535936

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  chrome
  blink::AffineTransform::MapPoint
  blink::LayoutSVGShape::ShapeDependentStrokeContains

Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=564539:564589

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6308458874535936

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Jun 6 2018

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/85b96ea98619ea7d775e1277ab859cea6d613dbb ([PE] Ensure update of LayoutSVGShape::NoScalingStrokeTransform).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jun 6 2018

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e2d97e7a96b86e8dca294ce59c3bf04a1c3c1cdd

commit e2d97e7a96b86e8dca294ce59c3bf04a1c3c1cdd
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Wed Jun 06 05:24:49 2018

Revert "[PE] Ensure update of LayoutSVGShape::NoScalingStrokeTransform"

This reverts commit 85b96ea98619ea7d775e1277ab859cea6d613dbb.

Reason for revert: crbug.com/849968

Original change's description:
> [PE] Ensure update of LayoutSVGShape::NoScalingStrokeTransform
>
> In Pre-SPv175 we forced subtree paint invalidation on non-composited
> transform change. SPv175 no longer does that, causing
> NonScalingStrokeTransform not updated on ancestor transform change.
>
> We also had a non-obvious bug that LayoutSVGShape::StrokeBoundingBox
> didn't get updated on ancestor transform change.
>
> Now always explicitly update non-scaling-stroke data during layout.
>
> Bug: 849080
> Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
> Change-Id: Ia61eb94f43e53a71a80e1102e4d605e4331f44b1
> Reviewed-on: https://chromium-review.googlesource.com/1086715
> Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
> Reviewed-by: Fredrik Söderquist <fs@opera.com>
> Cr-Commit-Position: refs/heads/master@{#564584}

TBR=wangxianzhu@chromium.org,fs@opera.com

Change-Id: Ifbdd23b74dc45b5c8bc66c3d64bff580d5306f78
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 849080, 849968
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Reviewed-on: https://chromium-review.googlesource.com/1087332
Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#564793}

[delete] https://crrev.com/eeb362f202da18d3eb477b2ab5e09b271a91d248/third_party/WebKit/LayoutTests/paint/invalidation/svg/non-scaling-stroke-change-container-transform-expected.html
[delete] https://crrev.com/eeb362f202da18d3eb477b2ab5e09b271a91d248/third_party/WebKit/LayoutTests/paint/invalidation/svg/non-scaling-stroke-change-container-transform.html
[modify] https://crrev.com/e2d97e7a96b86e8dca294ce59c3bf04a1c3c1cdd/third_party/blink/renderer/core/layout/svg/layout_svg_shape.cc
[modify] https://crrev.com/e2d97e7a96b86e8dca294ce59c3bf04a1c3c1cdd/third_party/blink/renderer/core/layout/svg/layout_svg_shape.h
[modify] https://crrev.com/e2d97e7a96b86e8dca294ce59c3bf04a1c3c1cdd/third_party/blink/renderer/core/paint/svg_shape_painter.cc
Jun 6 2018

ClusterFuzz has detected this issue as fixed in range 564791:564810.

Detailed report: https://clusterfuzz.com/testcase?key=6308458874535936

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  chrome
  blink::AffineTransform::MapPoint
  blink::LayoutSVGShape::ShapeDependentStrokeContains

Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=564539:564589
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=564791:564810

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6308458874535936

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 6 2018

ClusterFuzz testcase 6308458874535936 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 6 2018

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7eec667b47b35671945e6d9b20238636c303e50c

commit 7eec667b47b35671945e6d9b20238636c303e50c
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Wed Jun 06 22:01:27 2018

Reland "[PE] Ensure update of LayoutSVGShape::NoScalingStrokeTransform"

This reverts commit e2d97e7a96b86e8dca294ce59c3bf04a1c3c1cdd.

Reason for revert: Reland with the null pointer issue fixed.

LayoutSVGEllipse and LayoutSVGRect override LayoutSVGShape methods not to create paths in case that optimized algorithm can be used. However, the original condition in their ShapeDependentStrokeContains() might call LayoutSVGShape::ShapeDependentStrokeContains() without use_path_fallback_ in some cases (e.g. when the shape is invalid). Now ensure ShapeDependentStrokeContains() is called only if use_path_fallback_ is set. Also ensure that use_path_fallback_ is set whenever we need it.

Original change's description:
> Revert "[PE] Ensure update of LayoutSVGShape::NoScalingStrokeTransform"
>
> This reverts commit 85b96ea98619ea7d775e1277ab859cea6d613dbb.
>
> Reason for revert: crbug.com/849968
>
> Original change's description:
> > [PE] Ensure update of LayoutSVGShape::NoScalingStrokeTransform
> >
> > In Pre-SPv175 we forced subtree paint invalidation on non-composited
> > transform change. SPv175 no longer does that, causing
> > NonScalingStrokeTransform not updated on ancestor transform change.
> >
> > We also had a non-obvious bug that LayoutSVGShape::StrokeBoundingBox
> > didn't get updated on ancestor transform change.
> >
> > Now always explicitly update non-scaling-stroke data during layout.
> >
> > Bug: 849080
> > Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
> > Change-Id: Ia61eb94f43e53a71a80e1102e4d605e4331f44b1
> > Reviewed-on: https://chromium-review.googlesource.com/1086715
> > Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
> > Reviewed-by: Fredrik Söderquist <fs@opera.com>
> > Cr-Commit-Position: refs/heads/master@{#564584}
>
> Change-Id: Ifbdd23b74dc45b5c8bc66c3d64bff580d5306f78
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: 849080, 849968
> Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
> Reviewed-on: https://chromium-review.googlesource.com/1087332
> Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org>
> Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#564793}

Bug: 849080, 849968
Change-Id: I15c2f80a2f80d11ccf356328ad41e8ab9d8de72f
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Reviewed-on: https://chromium-review.googlesource.com/1089090
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Reviewed-by: Fredrik Söderquist <fs@opera.com>
Cr-Commit-Position: refs/heads/master@{#565050}

[add] https://crrev.com/7eec667b47b35671945e6d9b20238636c303e50c/third_party/WebKit/LayoutTests/paint/invalidation/svg/non-scaling-stroke-change-container-transform-expected.html
[add] https://crrev.com/7eec667b47b35671945e6d9b20238636c303e50c/third_party/WebKit/LayoutTests/paint/invalidation/svg/non-scaling-stroke-change-container-transform.html
[add] https://crrev.com/7eec667b47b35671945e6d9b20238636c303e50c/third_party/WebKit/LayoutTests/svg/stroke/isPointInStroke-non-scaling-stroke-invalid-shape-crash.html
[modify] https://crrev.com/7eec667b47b35671945e6d9b20238636c303e50c/third_party/blink/renderer/core/layout/svg/layout_svg_ellipse.cc
[modify] https://crrev.com/7eec667b47b35671945e6d9b20238636c303e50c/third_party/blink/renderer/core/layout/svg/layout_svg_rect.cc
[modify] https://crrev.com/7eec667b47b35671945e6d9b20238636c303e50c/third_party/blink/renderer/core/layout/svg/layout_svg_shape.cc
[modify] https://crrev.com/7eec667b47b35671945e6d9b20238636c303e50c/third_party/blink/renderer/core/layout/svg/layout_svg_shape.h
[modify] https://crrev.com/7eec667b47b35671945e6d9b20238636c303e50c/third_party/blink/renderer/core/paint/svg_shape_painter.cc
Jun 11 2018

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/004fdd2c991083ce71b559cc20acc358cf82350d

commit 004fdd2c991083ce71b559cc20acc358cf82350d
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Mon Jun 11 19:31:37 2018

Reland "[PE] Ensure update of LayoutSVGShape::NoScalingStrokeTransform"

This reverts commit e2d97e7a96b86e8dca294ce59c3bf04a1c3c1cdd.

Reason for revert: Reland with the null pointer issue fixed.

LayoutSVGEllipse and LayoutSVGRect override LayoutSVGShape methods not to create paths in case that optimized algorithm can be used. However, the original condition in their ShapeDependentStrokeContains() might call LayoutSVGShape::ShapeDependentStrokeContains() without use_path_fallback_ in some cases (e.g. when the shape is invalid). Now ensure ShapeDependentStrokeContains() is called only if use_path_fallback_ is set. Also ensure that use_path_fallback_ is set whenever we need it.

Original change's description:
> Revert "[PE] Ensure update of LayoutSVGShape::NoScalingStrokeTransform"
>
> This reverts commit 85b96ea98619ea7d775e1277ab859cea6d613dbb.
>
> Reason for revert: crbug.com/849968
>
> Original change's description:
> > [PE] Ensure update of LayoutSVGShape::NoScalingStrokeTransform
> >
> > In Pre-SPv175 we forced subtree paint invalidation on non-composited
> > transform change. SPv175 no longer does that, causing
> > NonScalingStrokeTransform not updated on ancestor transform change.
> >
> > We also had a non-obvious bug that LayoutSVGShape::StrokeBoundingBox
> > didn't get updated on ancestor transform change.
> >
> > Now always explicitly update non-scaling-stroke data during layout.
> >
> > Bug: 849080
> > Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
> > Change-Id: Ia61eb94f43e53a71a80e1102e4d605e4331f44b1
> > Reviewed-on: https://chromium-review.googlesource.com/1086715
> > Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
> > Reviewed-by: Fredrik Söderquist <fs@opera.com>
> > Cr-Commit-Position: refs/heads/master@{#564584}
>
> Change-Id: Ifbdd23b74dc45b5c8bc66c3d64bff580d5306f78
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug: 849080, 849968
> Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
> Reviewed-on: https://chromium-review.googlesource.com/1087332
> Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org>
> Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#564793}

TBR=wangxianzhu@chromium.org

(cherry picked from commit 7eec667b47b35671945e6d9b20238636c303e50c)

Bug: 849080, 849968
Change-Id: I15c2f80a2f80d11ccf356328ad41e8ab9d8de72f
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Reviewed-on: https://chromium-review.googlesource.com/1089090
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Reviewed-by: Fredrik Söderquist <fs@opera.com>
Cr-Original-Commit-Position: refs/heads/master@{#565050}
Reviewed-on: https://chromium-review.googlesource.com/1096026
Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/branch-heads/3440@{#282}
Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733}

[add] https://crrev.com/004fdd2c991083ce71b559cc20acc358cf82350d/third_party/WebKit/LayoutTests/paint/invalidation/svg/non-scaling-stroke-change-container-transform-expected.html
[add] https://crrev.com/004fdd2c991083ce71b559cc20acc358cf82350d/third_party/WebKit/LayoutTests/paint/invalidation/svg/non-scaling-stroke-change-container-transform.html
[add] https://crrev.com/004fdd2c991083ce71b559cc20acc358cf82350d/third_party/WebKit/LayoutTests/svg/stroke/isPointInStroke-non-scaling-stroke-invalid-shape-crash.html
[modify] https://crrev.com/004fdd2c991083ce71b559cc20acc358cf82350d/third_party/blink/renderer/core/layout/svg/layout_svg_ellipse.cc
[modify] https://crrev.com/004fdd2c991083ce71b559cc20acc358cf82350d/third_party/blink/renderer/core/layout/svg/layout_svg_rect.cc
[modify] https://crrev.com/004fdd2c991083ce71b559cc20acc358cf82350d/third_party/blink/renderer/core/layout/svg/layout_svg_shape.cc
[modify] https://crrev.com/004fdd2c991083ce71b559cc20acc358cf82350d/third_party/blink/renderer/core/layout/svg/layout_svg_shape.h
[modify] https://crrev.com/004fdd2c991083ce71b559cc20acc358cf82350d/third_party/blink/renderer/core/paint/svg_shape_painter.cc
Comment 1 by ClusterFuzz, Jun 6 2018
Labels: Test-Predator-Auto-Components