Null-dereference READ in blink::Element::LayoutObjectIsNeeded
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4712432963158016

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000038
Crash State:
  blink::Element::LayoutObjectIsNeeded
  blink::LayoutTreeBuilderForElement::ShouldCreateLayoutObject
  blink::Element::AttachLayoutTree

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=581319:581322

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4712432963158016

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Aug 10

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/66094461eb2abfc3519124c70eb3e2797fff960f (Don't re-attach ::first-letter during style recalc.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Aug 13
Aug 15

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/a511c25561c7cf6453abb28746f7999caf9e9b8e

commit a511c25561c7cf6453abb28746f7999caf9e9b8e
Author: Rune Lillesveen <futhark@chromium.org>
Date: Wed Aug 15 09:01:21 2018

Make sure we recalc for re-attach for v0 distributed nodes.

Similarly to what we do for slot elements. When moving from a separate re-attach where computing style as part of AttachLayoutTree to RecalcStyle for re-attach we need to detect that we recalc style for distributed nodes for re-attach to SetNonAttachedStyle().

Since we can't really propagate the kReattach up from inside the shadow tree recalc to the shadow host when recalculating light tree children, we recalculate the distributed nodes from the insertion point when we are in a kReattach change.

Bug: 873129, 873279
Change-Id: I2364c5f1dce3a79e725d3cb94750f1cfb3e98221
Reviewed-on: https://chromium-review.googlesource.com/1172424
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Reviewed-by: Anders Ruud <andruud@chromium.org>
Cr-Commit-Position: refs/heads/master@{#583200}

[add] https://crrev.com/a511c25561c7cf6453abb28746f7999caf9e9b8e/third_party/WebKit/LayoutTests/shadow-dom/v0/reattach-content-parent-crash.html
[modify] https://crrev.com/a511c25561c7cf6453abb28746f7999caf9e9b8e/third_party/blink/renderer/core/dom/element.cc
[modify] https://crrev.com/a511c25561c7cf6453abb28746f7999caf9e9b8e/third_party/blink/renderer/core/dom/v0_insertion_point.cc
[modify] https://crrev.com/a511c25561c7cf6453abb28746f7999caf9e9b8e/third_party/blink/renderer/core/dom/v0_insertion_point.h
[modify] https://crrev.com/a511c25561c7cf6453abb28746f7999caf9e9b8e/third_party/blink/renderer/core/html/html_slot_element.cc
Aug 16

ClusterFuzz has detected this issue as fixed in range 583199:583200.

Detailed report: https://clusterfuzz.com/testcase?key=4712432963158016

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000038
Crash State:
  blink::Element::LayoutObjectIsNeeded
  blink::LayoutTreeBuilderForElement::ShouldCreateLayoutObject
  blink::Element::AttachLayoutTree

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=581319:581322
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=583199:583200

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4712432963158016

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by ClusterFuzz, Aug 10

Labels: Test-Predator-Auto-Components