Null-dereference WRITE in blink::PaintLayer::SetNeedsCompositingInputsUpdateInternal

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5624993598406656

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Null-dereference WRITE
Crash Address: 0x00000009
Crash State:
  blink::PaintLayer::SetNeedsCompositingInputsUpdateInternal
  blink::PaintLayer::SetNeedsCompositingInputsUpdate
  blink::HTMLFrameOwnerElement::SetContentFrame

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=565924:565925

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5624993598406656

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz, Jun 26 2018
Labels: Test-Predator-Auto-Components

Jun 26 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/38825770276009fd291931b3a8027102dd80a558 ([PE] Rationalize compositing triggers.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Jun 29 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/2f787c5b22855ac26bf367b26a033c2b4c11c4d6

commit 2f787c5b22855ac26bf367b26a033c2b4c11c4d6
Author: Chris Harrelson <chrishtr@chromium.org>
Date: Fri Jun 29 19:35:14 2018

Null-check the PaintLayer before accessing it during invalidation.

Not sure why there is no PaintLayer in this case, but harmless to add the check.

Bug: 856399
Change-Id: Iaecb8e7dcb6b6d2932bae21a4ce428208c8c7653
Reviewed-on: https://chromium-review.googlesource.com/1119636
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#571593}

[add] https://crrev.com/2f787c5b22855ac26bf367b26a033c2b4c11c4d6/third_party/WebKit/LayoutTests/http/tests/object/remote-frame-crash-expected.txt
[add] https://crrev.com/2f787c5b22855ac26bf367b26a033c2b4c11c4d6/third_party/WebKit/LayoutTests/http/tests/object/remote-frame-crash.html
[modify] https://crrev.com/2f787c5b22855ac26bf367b26a033c2b4c11c4d6/third_party/blink/renderer/core/html/html_frame_owner_element.cc

Jun 29 2018

Jun 30 2018
ClusterFuzz has detected this issue as fixed in range 571592:571593.

Detailed report: https://clusterfuzz.com/testcase?key=5624993598406656

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Null-dereference WRITE
Crash Address: 0x00000009
Crash State:
  blink::PaintLayer::SetNeedsCompositingInputsUpdateInternal
  blink::PaintLayer::SetNeedsCompositingInputsUpdate
  blink::HTMLFrameOwnerElement::SetContentFrame

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=565924:565925
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=571592:571593

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5624993598406656

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jun 30 2018
ClusterFuzz testcase 5624993598406656 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.