
Issue 884516


Issue metadata

Status: Verified
Closed: Oct 12
OS: Linux
Pri: 2
Type: Bug

CHECK failure: !scope.AccessCheckFailed() in v8_dom_wrapper.cc

Project Member Reported by ClusterFuzz, Sep 16

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5119888178544640

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !scope.AccessCheckFailed() in v8_dom_wrapper.cc
  blink::V8DOMWrapper::CreateWrapper
  blink::ScriptWrappable::Wrap
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=589819:589820

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5119888178544640

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Sep 16

Components: Blink>Bindings
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Sep 16

Labels: Test-Predator-Auto-Owner
Owner: yukiy@google.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/20a443ce6dd653ce3259782667598f9b87211e5d (Reland: Split implementation of EventListener and EventHandler).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: haraken@chromium.org peria@chromium.org yukishiino@chromium.org
Status: Started (was: Assigned)
Labels: -Pri-1 Pri-2
Project Member

Comment 5 by bugdroid1@chromium.org, Oct 12

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1d2509fc2ebc7c9848726c1b208483e1e1efc485

commit 1d2509fc2ebc7c9848726c1b208483e1e1efc485
Author: Yuki Yamada <yukiy@google.com>
Date: Fri Oct 12 09:45:43 2018

Added security check for cross origin

This CL adds a security check for cross origin with
BindingSecurity::ShouldAllowAccessToCreationContext().
|js_event|, a V8 wrapper object for an event object, must be created in the
relevant realm of the event target, but it is possible that the listener's
relevant context cannot access the relevant realm of the event target
(ex. when Document.origin is changed).
We have to check this before invoking the event listener.

Bug: 872138, 884516
Change-Id: Ic5d0c8e6cda4db57a2097ce230e75cc59905b350
Reviewed-on: https://chromium-review.googlesource.com/c/1270300
Commit-Queue: Yuki Yamada <yukiy@google.com>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Hitoshi Yoshida <peria@chromium.org>
Reviewed-by: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#599154}
[modify] https://crrev.com/1d2509fc2ebc7c9848726c1b208483e1e1efc485/third_party/blink/renderer/bindings/core/v8/js_based_event_listener.cc

Status: Fixed (was: Started)
Project Member

Comment 7 by ClusterFuzz, Oct 13

ClusterFuzz has detected this issue as fixed in range 599153:599154.

Detailed report: https://clusterfuzz.com/testcase?key=5119888178544640

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !scope.AccessCheckFailed() in v8_dom_wrapper.cc
  blink::V8DOMWrapper::CreateWrapper
  blink::ScriptWrappable::Wrap
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=589819:589820
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=599153:599154

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5119888178544640

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by ClusterFuzz, Oct 13

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5119888178544640 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
