Issue 856806

Issue metadata

Status: Verified
Owner:
Closed: Jun 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug

Null-dereference READ in blink::PaintLayerStackingNodeIterator::PaintLayerStackingNodeIterator

Project Member Reported by ClusterFuzz, Jun 26 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5577394522685440

Fuzzer: marty_html_twiddler
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::PaintLayerStackingNodeIterator::PaintLayerStackingNodeIterator
  blink::CompositingRequirementsUpdater::UpdateRecursive
  blink::CompositingRequirementsUpdater::UpdateRecursive
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=570442:570453

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5577394522685440

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz, Jun 26 2018

Components: Blink>Compositing Blink>Paint
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz, Jun 26 2018

Labels: Test-Predator-Auto-Owner
Owner: chrishtr@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/88151691ad1b7388b29400a8ecf84ecc82fefcd1 (Only allocate a PaintLayerStackingNode if actually needed.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: chrishtr@chromium.org
Issue 856963 has been merged into this issue.

Comment 5 by ClusterFuzz, Jun 28 2018

Labels: OS-Linux

Comment 6 by bugdroid1@chromium.org, Jun 29 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a714568fbead4c4b8d97826f7029b8169f289070

commit a714568fbead4c4b8d97826f7029b8169f289070
Author: Rune Lillesveen <futhark@chromium.org>
Date: Fri Jun 29 16:37:20 2018

Make sure stacking context is always updated for ::first-letter.

::first-letter sadly has at least three code paths for computing its
computed style. Two of them were lacking stacking context update. There
is work in progress for Squad to mend this, but let's fix the current
code paths for now.

Bug: 856806
Change-Id: Ifeea799643bfa266e58c948f476bc23481fcdd5e
Reviewed-on: https://chromium-review.googlesource.com/1120249
Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#571512}
[add] https://crrev.com/a714568fbead4c4b8d97826f7029b8169f289070/third_party/WebKit/LayoutTests/external/wpt/css/css-pseudo/first-letter-opacity-float-001-ref.html
[add] https://crrev.com/a714568fbead4c4b8d97826f7029b8169f289070/third_party/WebKit/LayoutTests/external/wpt/css/css-pseudo/first-letter-opacity-float-001.html
[modify] https://crrev.com/a714568fbead4c4b8d97826f7029b8169f289070/third_party/blink/renderer/core/css/resolver/style_resolver.cc
[modify] https://crrev.com/a714568fbead4c4b8d97826f7029b8169f289070/third_party/blink/renderer/core/dom/first_letter_pseudo_element.cc

Status: Fixed (was: Assigned)

Comment 8 by ClusterFuzz, Jun 30 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5265172277755904 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 9 by ClusterFuzz, Jun 30 2018

ClusterFuzz has detected this issue as fixed in range 571511:571512.

Detailed report: https://clusterfuzz.com/testcase?key=5577394522685440

Fuzzer: marty_html_twiddler
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::PaintLayerStackingNodeIterator::PaintLayerStackingNodeIterator
  blink::CompositingRequirementsUpdater::UpdateRecursive
  blink::CompositingRequirementsUpdater::UpdateRecursive
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=570442:570453
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=571511:571512

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5577394522685440

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.