Null-dereference READ in blink::QualifiedNameHash::GetHash
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5915766298509312
Fuzzer: inferno_twister_c
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000004
Crash State:
  blink::QualifiedNameHash::GetHash
  std::__1::pair<WTF::KeyValuePair<std::__1::pair<blink::WeakMember<blink::SVGElem
  blink::SMILTimeContainer::Schedule
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=580081:580100
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5915766298509312

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Aug 3
I couldn't repro this. The clusterfuzz test case is too large and difficult to minimize... :( It looks like it might be an issue of WTF::HashTable (or maybe GC, as we've had recently?). Re-routing Blink>Internals>WTF for triage.
Aug 3
Please don't file a bug to WTF without evidence. I'm almost certain that this is not WTF's fault. We already receive and triage many bugs that should not have been filed to WTF -- please don't add extra burden on us. If you just want advice, don't change the component and just cc me. Changing components like this looks like uncivil behavior to me. At least, there's no reason to remove Blink>DOM from the components (you could have just added Blink>Internals>WTF). Also, there's no evidence that this is Oilpan related. Bouncing.
Aug 3
@yutak, I agree. Thanks for the comment. Let's make this bug stay at Blink>SVG and Blink>DOM.
Aug 3
I remember we had several crashes in blink::QualifiedName, e.g. I could find https://bugs.chromium.org/p/chromium/issues/detail?id=707737. Let me make this P2 at this point.
Aug 7
ClusterFuzz has detected this issue as fixed in range 580836:580856.

Detailed report: https://clusterfuzz.com/testcase?key=5915766298509312
Fuzzer: inferno_twister_c
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000004
Crash State:
  blink::QualifiedNameHash::GetHash
  std::__1::pair<WTF::KeyValuePair<std::__1::pair<blink::WeakMember<blink::SVGElem
  blink::SMILTimeContainer::Schedule
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=580081:580100
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=580836:580856
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5915766298509312

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 7
ClusterFuzz testcase 5915766298509312 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Aug 2
Labels: Test-Predator-Auto-Components