Null-dereference READ in blink::Node::LazyReattachIfAttached |
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4503707828617216

Fuzzer: mbarbella_webcomponents
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::Node::LazyReattachIfAttached
  blink::HTMLSlotElement::DetachLayoutTree
  blink::ContainerNode::DetachLayoutTree

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=569167:569168

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4503707828617216

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Jun 21 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/deb6bb60b6d562719d04c6a564717b332d9c55bd (Let SelectionPaintRange iterator iterate on a flat tree.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jun 26 2018
Got DCHECK break. Stack:

blink_core.dll!blink::SlotAssignment::RecalcAssignment() Line 224 C++
blink_core.dll!blink::HTMLSlotElement::AssignedNodes() Line 107 C++
blink_core.dll!blink::FlatTreeTraversalNg::TraverseParent(const blink::Node & node, blink::LayoutTreeBuilderTraversal::ParentDetails * details) Line 176 C++
blink_core.dll!blink::FlatTreeTraversalNg::TraverseNext(const blink::Node & node) Line 246 C++
blink_core.dll!blink::FlatTreeTraversalNg::Next(const blink::Node & node) Line 221 C++
blink_core.dll!blink::FlatTreeTraversal::Next(const blink::Node & node) Line 232 C++
blink_core.dll!blink::NextLayoutObjectOnFlatTree(const blink::LayoutObject & layout_object) Line 108 C++
blink_core.dll!blink::SelectionPaintRange::Iterator::Iterator(const blink::SelectionPaintRange * range) Line 126 C++
blink_core.dll!blink::SelectionPaintRange::begin() Line 67 C++
blink_core.dll!blink::ResetOldSelectedLayoutObjects(const blink::SelectionPaintRange & old_range) Line 404 C++
blink_core.dll!blink::LayoutSelection::ClearSelection() Line 436 C++
blink_core.dll!blink::FrameSelection::ClearLayoutSelection() Line 1229 C++
blink_core.dll!blink::LayoutView::ClearSelection() Line 594 C++
blink_core.dll!blink::LayoutObjectChildList::RemoveChildNode(blink::LayoutObject * owner, blink::LayoutObject * old_child, bool notify_layout_object) Line 111 C++
blink_core.dll!blink::LayoutObject::RemoveChild(blink::LayoutObject * old_child) Line 393 C++
blink_core.dll!blink::LayoutBlockFlow::RemoveChild(blink::LayoutObject * old_child) Line 3248 C++
blink_core.dll!blink::LayoutObject::Remove() Line 1625 C++
blink_core.dll!blink::LayoutObject::WillBeDestroyed() Line 3043 C++
blink_core.dll!blink::LayoutText::WillBeDestroyed() Line 213 C++
blink_core.dll!blink::LayoutObject::Destroy() Line 3315 C++
blink_core.dll!blink::LayoutObject::DestroyAndCleanupAnonymousWrappers() Line 3311 C++
blink_core.dll!blink::Node::DetachLayoutTree(const blink::Node::AttachContext & context) Line 1123 C++
blink_core.dll!blink::Node::LazyReattachIfAttached() Line 1046 C++
blink_core.dll!blink::HTMLSlotElement::DetachLayoutTree(const blink::Node::AttachContext & context) Line 370 C++
blink_core.dll!blink::ContainerNode::DetachLayoutTree(const blink::Node::AttachContext & context) Line 979 C++
blink_core.dll!blink::ShadowRoot::DetachLayoutTree(const blink::Node::AttachContext & context) Line 185 C++
blink_core.dll!blink::Element::DetachLayoutTree(const blink::Node::AttachContext & context) Line 2064 C++
blink_core.dll!blink::ContainerNode::DetachLayoutTree(const blink::Node::AttachContext & context) Line 979 C++
blink_core.dll!blink::Element::DetachLayoutTree(const blink::Node::AttachContext & context) Line 2067 C++
blink_core.dll!blink::HTMLSlotElement::DetachLayoutTree(const blink::Node::AttachContext & context) Line 374 C++
blink_core.dll!blink::ContainerNode::DetachLayoutTree(const blink::Node::AttachContext & context) Line 979 C++
blink_core.dll!blink::ShadowRoot::DetachLayoutTree(const blink::Node::AttachContext & context) Line 185 C++
blink_core.dll!blink::Element::DetachLayoutTree(const blink::Node::AttachContext & context) Line 2064 C++
blink_core.dll!blink::ContainerNode::RemoveBetween(blink::Node * previous_child, blink::Node * next_child, blink::Node & old_child) Line 731 C++
blink_core.dll!blink::ContainerNode::RemoveChild(blink::Node * old_child, blink::ExceptionState & exception_state) Line 708 C++
blink_core.dll!blink::CollectChildrenAndRemoveFromOldParent(blink::Node & node, blink::HeapVector<blink::Member<blink::Node>,11> & nodes, blink::ExceptionState & exception_state) Line 147 C++
blink_core.dll!blink::ContainerNode::AppendChild(blink::Node * new_child, blink::ExceptionState & exception_state) Line 837 C++
blink_core.dll!blink::Node::appendChild(blink::Node * new_child, blink::ExceptionState & exception_state) Line 484 C++
blink_core.dll!blink::NodeV8Internal::appendChildMethodForMainWorld(const v8::FunctionCallbackInfo<v8::Value> & info) Line 589 C++
blink_core.dll!blink::V8Node::appendChildMethodCallbackForMainWorld(const v8::FunctionCallbackInfo<v8::Value> & info) Line 937 C++
v8.dll!v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo * handler) Line 95 C++
Jun 26 2018
Issue 855905 has been merged into this issue.

Jun 26 2018
Issue 855875 has been merged into this issue.

Jun 26 2018
Issue 855863 has been merged into this issue.

Jun 26 2018
Issue 855845 has been merged into this issue.

Jun 26 2018
Issue 855750 has been merged into this issue.

Jun 26 2018
Issue 855358 has been merged into this issue.

Jun 26 2018
Issue 855355 has been merged into this issue.

Jun 26 2018
Issue 855333 has been merged into this issue.

Jun 26 2018
Issue 855314 has been merged into this issue.

Jun 26 2018
Issue 855276 has been merged into this issue.

Jun 26 2018
Issue 855273 has been merged into this issue.

Jun 26 2018
Issue 855229 has been merged into this issue.

Jun 26 2018
Issue 855032 has been merged into this issue.

Jun 26 2018
Issue 855027 has been merged into this issue.
Jun 27 2018
ClusterFuzz testcase 5681606837403648 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 28 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/94766d09cff6f8aa625093bef39a844f70444ede

commit 94766d09cff6f8aa625093bef39a844f70444ede
Author: Yoichi Osato <yoichio@chromium.org>
Date: Thu Jun 28 11:24:10 2018

Revert "Let SelectionPaintRange iterator iterate on a flat tree."

This reverts commit deb6bb60b6d562719d04c6a564717b332d9c55bd.

Reason for revert: This causes much crash on clusterfuzz.

Original change's description:
> Let SelectionPaintRange iterator iterate on a flat tree.
>
> SelectionPaintRange::Iterator iterated LayoutObjects using layout order
> but we mark SelectionStatus on flat tree order.
> This causes invalidation leak if they are not same order.
> Ruby element is a reported example for that.
>
> This patch changes SelectionPaintRange::Iterator iterate on a flat tree
> considering first-letter.
>
> Bug: 843144
> Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_layout_ng
> Change-Id: I02cbad86e64d0a7781f8fb37e2d13c7aa00228fb
> Reviewed-on: https://chromium-review.googlesource.com/1063521
> Commit-Queue: Yoichi Osato <yoichio@chromium.org>
> Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
> Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#569168}

TBR=yosin@chromium.org,yoichio@chromium.org,xiaochengh@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 843144, 855026
Change-Id: I745ab57ed70bd10e59bac20cf4f6fd591e170abd
Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_layout_ng
Reviewed-on: https://chromium-review.googlesource.com/1118098
Reviewed-by: Yoichi Osato <yoichio@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Yoichi Osato <yoichio@chromium.org>
Cr-Commit-Position: refs/heads/master@{#571076}

[modify] https://crrev.com/94766d09cff6f8aa625093bef39a844f70444ede/third_party/blink/renderer/core/editing/layout_selection.cc
[modify] https://crrev.com/94766d09cff6f8aa625093bef39a844f70444ede/third_party/blink/renderer/core/editing/layout_selection_test.cc
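The reverted CL's description turns on one point: selection state was marked in flat-tree order but cleared by walking LayoutObjects in layout order, and when the two orders disagree some marks are never cleared. The following is an added example, not code from the Chromium bug, from ClusterFuzz or from the reverted CL. It is a small JavaScript model of the light tree versus the flat tree (shadow root plus named slots, with fallback content, which is more general than the ruby case the CL mentions), and it marks a range in one order and clears it in the other to show the stale marks that remain. The node model, the range semantics, the `selected` flag and the use of light-DOM order as a stand-in for Blink's layout order (which in Blink differs from flat-tree order only in cases such as ruby and first-letter, not modelled here) are all assumptions of this example.

```javascript
// Added example, not Blink code: a toy model of light tree vs. flat tree used
// to show how marking selection state in one tree order and clearing it in
// another leaves stale marks. Node shape, range semantics and the use of
// light-DOM order as a stand-in for "layout order" are assumptions here.

class TNode {
  constructor(name, { slotAttr = null, slotName = null, isSlot = false } = {}, children = []) {
    this.name = name;
    this.children = children;   // light-DOM children (fallback content for a slot)
    this.shadowRoot = null;     // set by attachShadow()
    this.slotAttr = slotAttr;   // slot="..." attribute of a light-DOM child
    this.slotName = slotName;   // name="..." of a <slot>
    this.isSlot = isSlot;
    this.scopeHost = null;      // host of the shadow tree this node lives in (null = document tree)
    this.selected = false;      // the per-object "selection state" we mark and clear
  }
  attachShadow(children) {
    this.shadowRoot = new TNode('#shadow-root', {}, children);
    return this;
  }
}

const el = (name, slotAttr, ...children) => new TNode(name, { slotAttr }, children);
const slotEl = (slotName, ...fallback) =>
  new TNode(`slot[${slotName || 'default'}]`, { slotName, isSlot: true }, fallback);

// Record, for every node, which shadow host's tree it belongs to. Slot
// assignment needs this: a <slot> takes its assigned nodes from the light
// children of the host of the shadow tree the slot sits in.
function assignScopes(node, scopeHost = null) {
  node.scopeHost = scopeHost;
  for (const c of node.children) assignScopes(c, scopeHost);
  if (node.shadowRoot) for (const c of node.shadowRoot.children) assignScopes(c, node);
}

// Flat-tree children: a host's shadow content replaces its light children;
// a slot yields its assigned nodes (light children of the host whose slot
// attribute matches, in DOM order) or its fallback content when none match.
// Unassigned light children of a host do not appear in the flat tree at all.
function flatTreeChildren(node) {
  if (node.shadowRoot) return node.shadowRoot.children;
  if (node.isSlot) {
    const host = node.scopeHost;
    const assigned = host
      ? host.children.filter(c => (c.slotAttr || '') === (node.slotName || ''))
      : [];
    return assigned.length ? assigned : node.children;
  }
  return node.children;
}

function preorder(root, childrenOf, out = []) {
  out.push(root);
  for (const c of childrenOf(root)) preorder(c, childrenOf, out);
  return out;
}

// Light-DOM order: light children first, then the shadow root's subtree.
// Stands in for the "layout order" of the reverted CL's description.
const lightChildren = n => (n.shadowRoot ? [...n.children, n.shadowRoot] : n.children);

const flatTreeOrder = root => preorder(root, flatTreeChildren).map(n => n.name);
const lightTreeOrder = root => preorder(root, lightChildren).map(n => n.name);

// Mark every node between startName and endName (inclusive) in the order
// given by childrenOf; returns the names that were marked.
function markRange(root, childrenOf, startName, endName) {
  const nodes = preorder(root, childrenOf);
  const s = nodes.findIndex(n => n.name === startName);
  const e = nodes.findIndex(n => n.name === endName);
  const hit = nodes.slice(s, e + 1);
  for (const n of hit) n.selected = true;
  return hit.map(n => n.name);
}

// Clear the same range walking in (possibly) another order, then report the
// flat-tree nodes still marked: the "invalidation leak" the CL describes.
function clearRangeAndReportLeak(root, childrenOf, startName, endName) {
  const nodes = preorder(root, childrenOf);
  const s = nodes.findIndex(n => n.name === startName);
  const e = nodes.findIndex(n => n.name === endName);
  for (const n of nodes.slice(s, e + 1)) n.selected = false;
  return preorder(root, flatTreeChildren).filter(n => n.selected).map(n => n.name);
}

// Constructed sample tree (not from the bug's reproducer): the shadow tree
// renders the light children in reverse order via named slots, one light
// child is unassigned, and one slot has only fallback content.
function buildSample() {
  const host = el('host', null,
    el('a', 'first'),
    el('b', 'second'),
    el('c', null)                       // unassigned: absent from the flat tree
  ).attachShadow([
    slotEl('second'),
    slotEl('first'),
    slotEl('unused', el('fallback', null)),
  ]);
  assignScopes(host);
  return host;
}

// Walk-through: mark a range in flat-tree order, then clear it by walking the
// light tree. "a" is rendered inside the range but sits before the range
// start in light-DOM order, so the clearing walk never reaches it.
const sample = buildSample();
console.log('flat tree :', flatTreeOrder(sample).join(' > '));
console.log('light tree:', lightTreeOrder(sample).join(' > '));
console.log('marked    :', markRange(sample, flatTreeChildren, 'b', 'fallback').join(', '));
console.log('leaked    :', clearRangeAndReportLeak(sample, lightChildren, 'b', 'fallback').join(', '));
```

Clearing with the same `childrenOf` that was used for marking leaves nothing behind; only the mismatch leaks. In Blink the stale `SelectionStatus` is dangerous rather than cosmetic because a later repaint or tree mutation can act on a LayoutObject whose selection state no longer corresponds to any live range, which is the class of inconsistency that surfaces as the DCHECK and the null dereference in this issue.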
Jun 29 2018
ClusterFuzz has detected this issue as fixed in range 571075:571076.

Detailed report: https://clusterfuzz.com/testcase?key=4503707828617216

Fuzzer: mbarbella_webcomponents
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::Node::LazyReattachIfAttached
  blink::HTMLSlotElement::DetachLayoutTree
  blink::ContainerNode::DetachLayoutTree

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=569167:569168
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=571075:571076

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4503707828617216

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 2
Comment 1 by ClusterFuzz, Jun 21 2018
Labels: Test-Predator-Auto-Components