Null-dereference READ in blink::AffineTransform::MapPoint |
||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4866702710669312 Fuzzer: inferno_twister Job Type: linux_asan_chrome_v8_arm Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x00000010 Crash State: blink::AffineTransform::MapPoint blink::LayoutSVGShape::ShapeDependentStrokeContains blink::LayoutSVGEllipse::ShapeDependentStrokeContains Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=565049:565051 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4866702710669312 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Jun 7 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/7eec667b47b35671945e6d9b20238636c303e50c (Reland "[PE] Ensure update of LayoutSVGShape::NoScalingStrokeTransform"). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Jun 7 2018
,
Jun 7 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1c3ac04b49c759723df25a6b0a2c5e22385a970b commit 1c3ac04b49c759723df25a6b0a2c5e22385a970b Author: Xianzhu Wang <wangxianzhu@chromium.org> Date: Thu Jun 07 23:31:30 2018 [PE] Harden LayoutSVGShape::ShapeDependentStrokeContains() There are still cases that LayoutSVGEllipse asks LayoutSVGShape for ShapeDependentStrokeContains() when it decided to bypass the path for optmization in UpdateShapeFromElement(). Bug: 850659 Change-Id: If8f8fd512183477ec7472ebb5b28c7d8333aa0bd Reviewed-on: https://chromium-review.googlesource.com/1091871 Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org> Reviewed-by: Fredrik Söderquist <fs@opera.com> Cr-Commit-Position: refs/heads/master@{#565460} [add] https://crrev.com/1c3ac04b49c759723df25a6b0a2c5e22385a970b/third_party/WebKit/LayoutTests/svg/stroke/isPointInStroke-non-scaling-stroke-empty-ellipse-crash.html [modify] https://crrev.com/1c3ac04b49c759723df25a6b0a2c5e22385a970b/third_party/blink/renderer/core/layout/svg/layout_svg_ellipse.cc [modify] https://crrev.com/1c3ac04b49c759723df25a6b0a2c5e22385a970b/third_party/blink/renderer/core/layout/svg/layout_svg_shape.cc
,
Jun 8 2018
ClusterFuzz has detected this issue as fixed in range 565458:565461. Detailed report: https://clusterfuzz.com/testcase?key=4866702710669312 Fuzzer: inferno_twister Job Type: linux_asan_chrome_v8_arm Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x00000010 Crash State: blink::AffineTransform::MapPoint blink::LayoutSVGShape::ShapeDependentStrokeContains blink::LayoutSVGEllipse::ShapeDependentStrokeContains Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=565049:565051 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=565458:565461 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4866702710669312 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 8 2018
ClusterFuzz testcase 4866702710669312 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jun 8 2018
,
Jun 9 2018
,
Jun 9 2018
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 9 2018
,
Jun 11 2018
Approving merge for M68. Branch:3440
,
Jun 11 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9f871f23440913f496b969b12dd6ae369d5197e4 commit 9f871f23440913f496b969b12dd6ae369d5197e4 Author: Xianzhu Wang <wangxianzhu@chromium.org> Date: Mon Jun 11 19:37:57 2018 [PE] Harden LayoutSVGShape::ShapeDependentStrokeContains() There are still cases that LayoutSVGEllipse asks LayoutSVGShape for ShapeDependentStrokeContains() when it decided to bypass the path for optmization in UpdateShapeFromElement(). TBR=wangxianzhu@chromium.org (cherry picked from commit 1c3ac04b49c759723df25a6b0a2c5e22385a970b) Bug: 850659 Change-Id: If8f8fd512183477ec7472ebb5b28c7d8333aa0bd Reviewed-on: https://chromium-review.googlesource.com/1091871 Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org> Reviewed-by: Fredrik Söderquist <fs@opera.com> Cr-Original-Commit-Position: refs/heads/master@{#565460} Reviewed-on: https://chromium-review.googlesource.com/1096029 Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org> Cr-Commit-Position: refs/branch-heads/3440@{#284} Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733} [add] https://crrev.com/9f871f23440913f496b969b12dd6ae369d5197e4/third_party/WebKit/LayoutTests/svg/stroke/isPointInStroke-non-scaling-stroke-empty-ellipse-crash.html [modify] https://crrev.com/9f871f23440913f496b969b12dd6ae369d5197e4/third_party/blink/renderer/core/layout/svg/layout_svg_ellipse.cc [modify] https://crrev.com/9f871f23440913f496b969b12dd6ae369d5197e4/third_party/blink/renderer/core/layout/svg/layout_svg_shape.cc |
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by ClusterFuzz
, Jun 7 2018Labels: Test-Predator-Auto-Components