Null-dereference READ in chrome
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5003297174585344

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  chrome
  blink::EffectPaintPropertyNode const& blink::LowestCommonAncestor<blink::EffectP
  blink::ConversionContext::SwitchToEffect

Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=581002:581008

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5003297174585344

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Aug 8
Predator and CL could not provide any possible suspects. Using the code search for the file “paint_property_node.h” and assigning to the concerned owner from GIT blame. Suspecting commit https://chromium.googlesource.com/chromium/src/+/70fc0b018c9517558b7aa2be00edf2debb449123

wangxianzhu@ -- Could you please look into this issue, and kindly reassign if it has nothing to do with your changes. Thank you.
Aug 9
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d88c3e0cfeba277b6ae7f2c7e9021745993daee8

commit d88c3e0cfeba277b6ae7f2c7e9021745993daee8
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Thu Aug 09 00:17:03 2018

[PE] Update paint properties when mask changes

Previously the test case caused a crash in FindPropertiesNeedingUpdate (with DCHECK) or PaintChunksToCcLayer (without DCHECK).

Bug: 871744
Change-Id: Id8487ed09da62966687a3f52d92d38e9aaf1120c
Reviewed-on: https://chromium-review.googlesource.com/1168030
Reviewed-by: Philip Rogers <pdr@chromium.org>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#581732}

[add] https://crrev.com/d88c3e0cfeba277b6ae7f2c7e9021745993daee8/third_party/WebKit/LayoutTests/paint/masks/mask-change-crash.html
[modify] https://crrev.com/d88c3e0cfeba277b6ae7f2c7e9021745993daee8/third_party/blink/renderer/core/css/ComputedStyleDiffFunctions.json5
[modify] https://crrev.com/d88c3e0cfeba277b6ae7f2c7e9021745993daee8/third_party/blink/renderer/core/layout/layout_object.cc
[modify] https://crrev.com/d88c3e0cfeba277b6ae7f2c7e9021745993daee8/third_party/blink/renderer/core/style/computed_style.cc
[modify] https://crrev.com/d88c3e0cfeba277b6ae7f2c7e9021745993daee8/third_party/blink/renderer/core/style/style_difference.h
Aug 9
ClusterFuzz has detected this issue as fixed in range 581724:581733.

Detailed report: https://clusterfuzz.com/testcase?key=5003297174585344

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  chrome
  blink::EffectPaintPropertyNode const& blink::LowestCommonAncestor<blink::EffectP
  blink::ConversionContext::SwitchToEffect

Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=581002:581008
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=581724:581733

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5003297174585344

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 9
ClusterFuzz testcase 5003297174585344 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by kkaluri@chromium.org, Aug 8
Components: Blink>Paint
Labels: M-70 Test-Predator-Wrong
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Untriaged)