New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 852396 link

Starred by 1 user
Status: Fixed
Owner:
futhark@chromium.org
Closed: Jun 2018
Cc:
ifratric@google.com
brajkumar@chromium.org
style-bugs@google.com
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug



Sign in to add a comment

Null-dereference READ in blink::StyleResolver::CreatePseudoElementIfNeeded

Project Member Reported by ClusterFuzz, Jun 13 2018 
Detailed report: https://clusterfuzz.com/testcase?key=6278622542036992

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::StyleResolver::CreatePseudoElementIfNeeded
  blink::Element::CreatePseudoElementIfNeeded
  blink::Element::RebuildPseudoElementLayoutTree
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=565667:565668

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6278622542036992

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by brajkumar@chromium.org, Jun 14 2018

Cc: brajkumar@chromium.org
Components: Blink>CSS
Labels: M-69 Test-Predator-Wrong CF-NeedsTriage
Unable to find actual suspect through code search and also observing no suspected CL under regression range, hence adding appropriate label and requesting someone from blink team to look in to this issue.

Thanks!

Comment 2 by futhark@chromium.org, Jun 18 2018

Owner: futhark@chromium.org
Status: Assigned (was: Untriaged)

Comment 3 by futhark@chromium.org, Jun 18 2018

Status: Started (was: Assigned)
Project Member

Comment 4 by bugdroid1@chromium.org, Jun 19 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5128d4bb52aecc0601f20148af365f723be045e8

commit 5128d4bb52aecc0601f20148af365f723be045e8
Author: Rune Lillesveen <futhark@chromium.org>
Date: Tue Jun 19 10:35:16 2018

Only create first-letter pseudo elements for rebuild step.

::before, ::after, and ::backdrop should be created during style recalc,
or they will be created from AttachLayoutTree() if parent needs to
create its layout box. ::first-letter is still special because its
creation depends on the layout tree and it needs to be constructed in
RebuildPseudoElementLayoutTree for the case below when #outer has a
::first-letter, #inner is initially display:none and changes to block:

  <div id=outer><div id=inner>Text</div></div>

This fixes crashers after:

https://crrev.com/2d21d004fa5157a1c4409b19e2f808001d026304

Bug:  852396 ,  853551 
Change-Id: Ib58e211defe44a5d2ca04222be5eeb6aecfa59af
Reviewed-on: https://chromium-review.googlesource.com/1105055
Reviewed-by: Anders Ruud <andruud@chromium.org>
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#568394}
[add] https://crrev.com/5128d4bb52aecc0601f20148af365f723be045e8/third_party/WebKit/LayoutTests/fast/css/pseudo-element-rebuild-crash.html
[modify] https://crrev.com/5128d4bb52aecc0601f20148af365f723be045e8/third_party/blink/renderer/core/dom/element.cc

Comment 5 by futhark@chromium.org, Jun 19 2018

Status: Fixed (was: Started)
Project Member

Comment 6 by ClusterFuzz, Jun 21 2018

Labels: -Reproducible Unreproducible
ClusterFuzz testcase 6278622542036992 appears to be flaky, updating reproducibility label.

Sign in to add a comment