Issue 866582

Issue metadata

Status: Verified
Owner:
Closed: Aug 22
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug

Null-dereference READ in blink::Node::IsPseudoElement for ::first-letter style

Project Member Reported by ClusterFuzz, Jul 23

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5988876615942144

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::Node::IsPseudoElement
  blink::FlatTreeTraversalNg::TraverseParent
  blink::FlatTreeTraversalNg::Parent
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=577111:577118

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5988876615942144

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Jul 23

Components: Blink>DOM
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Jul 23

Labels: Test-Predator-Auto-Owner
Owner: yoichio@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/5d3212dab69f0b09168daaf14e3634e0a9d5ae62 (Stabilize LayoutSelection).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
#0 0x5598fef2eda9 in blink::Node::IsPseudoElement() const third_party/blink/renderer/core/dom/node.h:259
#1 0x5598ff35f484 in blink::FlatTreeTraversalNg::TraverseParent(blink::Node const&, blink::LayoutTreeBuilderTraversal::ParentDetails*) third_party/blink/renderer/core/dom/flat_tree_traversal_ng.cc:168:12
#2 0x5598fee78fcc in blink::FlatTreeTraversalNg::Parent(blink::Node const&, blink::LayoutTreeBuilderTraversal::ParentDetails*) third_party/blink/renderer/core/dom/flat_tree_traversal_ng.h:195:27
#3 0x5598ff426e85 in blink::TraversalAncestorsIterator<blink::FlatTreeTraversal>::TraversalAncestorsIterator(blink::Node const*) third_party/blink/renderer/core/dom/node_traversal.h:209:46
#4 0x5598ff426ceb in blink::TraversalRange<blink::TraversalAncestorsIterator<blink::FlatTreeTraversal> >::begin() third_party/blink/renderer/core/dom/node_traversal.h:177:29
#5 0x5598ff426bc1 in blink::SetSelectionStateIfNeeded(blink::LayoutObject*, blink::SelectionState) third_party/blink/renderer/core/editing/layout_selection.cc:212:23
#6 0x5598ff425bc6 in blink::MarkSelected(WTF::HashSet<blink::LayoutObject*, WTF::PtrHash<blink::LayoutObject>, WTF::HashTraits<blink::LayoutObject*>, WTF::PartitionAllocator>*, blink::LayoutObject*, blink::SelectionState) third_party/blink/renderer/core/editing/layout_selection.cc:409:3
#7 0x5598ff425dac in blink::MarkEnd(WTF::HashSet<blink::LayoutObject*, WTF::PtrHash<blink::LayoutObject>, WTF::HashTraits<blink::LayoutObject*>, WTF::PartitionAllocator>*, blink::LayoutObject*, base::Optional<unsigned int>) third_party/blink/renderer/core/editing/layout_selection.cc:545:7
#8 0x5598ff428f0c in blink::MarkStartAndEndInTwoNodes(WTF::HashSet<blink::LayoutObject*, WTF::PtrHash<blink::LayoutObject>, WTF::HashTraits<blink::LayoutObject*>, WTF::PartitionAllocator>, blink::LayoutObject*, base::Optional<unsigned int>, blink::LayoutObject*, base::Optional<unsigned int>) third_party/blink/renderer/core/editing/layout_selection.cc:570:7
#9 0x5598ff42671d in blink::CalcSelectionRangeAndSetSelectionState(blink::FrameSelection const&) third_party/blink/renderer/core/editing/layout_selection.cc:825:13
#10 0x5598ff4263b4 in blink::LayoutSelection::Commit() third_party/blink/renderer/core/editing/layout_selection.cc:882:7
#11 0x5598ffa1f968 in blink::LayoutView::CommitPendingSelection() third_party/blink/renderer/core/layout/layout_view.cc:590:39
#12 0x5598ffbc3272 in blink::PaintLayerCompositor::UpdateIfNeededRecursiveInternal(blink::DocumentLifecycle::LifecycleState, blink::CompositingReasonsStats&) third_party/blink/renderer/core/paint/compositing/paint_layer_compositor.cc:238:16
#13 0x5598ffbc2cfe in blink::PaintLayerCompositor::UpdateIfNeededRecursive(blink::DocumentLifecycle::LifecycleState) third_party/blink/renderer/core/paint/compositing/paint_layer_compositor.cc:176:3
#14 0x5598ff5832a3 in blink::LocalFrameView::UpdateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState) third_party/blink/renderer/core/frame/local_frame_view.cc:2457:36
#15 0x5598ffb71012 in blink::PageAnimator::UpdateAllLifecyclePhases(blink::LocalFrame&) third_party/blink/renderer/core/page/page_animator.cc:107:9
#16 0x5598ff4beae7 in blink::WebViewImpl::UpdateLifecycle
Labels: -Pri-1 Pri-3
I'm going to change first-letter-part selection impl by moving
SelectionStatus bit from LayoutObject to Node.
This would be fixed as a result.
Components: -Blink>DOM Blink>Editing
Labels: Test-Predator-Wrong-Components
Summary: Null-dereference READ in blink::Node::IsPseudoElement for ::first-letter style (was: Null-dereference READ in blink::Node::IsPseudoElement)
Cc: yoichio@chromium.org
Issue 868081 has been merged into this issue.
Project Member

Comment 8 by ClusterFuzz, Aug 22

ClusterFuzz has detected this issue as fixed in range 584826:584870.

Detailed report: https://clusterfuzz.com/testcase?key=5988876615942144

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::Node::IsPseudoElement
  blink::FlatTreeTraversalNg::TraverseParent
  blink::FlatTreeTraversalNg::Parent
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=577111:577118
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=584826:584870

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5988876615942144

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Aug 22

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5988876615942144 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 10 by ClusterFuzz, Aug 29

Labels: Needs-Feedback
ClusterFuzz testcase 6026894215217152 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.