Null-dereference READ in blink::GeometryMapperTransformCache::UpdateScreenTransform
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5561891576086528
Fuzzer: miaubiz_svg_fuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000108
Crash State:
blink::GeometryMapperTransformCache::UpdateScreenTransform
blink::GeometryMapperTransformCache::UpdateScreenTransform
blink::GeometryMapper::SourceToDestinationProjectionInternal
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5561891576086528

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Oct 5
Guessing at who should own this.
Oct 5
Kudos to ClusterFuzz for being so efficient in finding a problem with https://chromium-review.googlesource.com/c/chromium/src/+/1259663, which landed yesterday.
Oct 5
My CL actually exposed an old issue of under-invalidation of GeometryMapper transform cache. The crash happens when the cache is accessed on a changed tree but the cache was not invalidated when the tree changed.
Oct 5
This is actually a new form of bug 814815. An SVG resource is forward referenced from another element and the SVG resource is painted during PrePaint during which the transform cache is updated, then when the resource itself is traversed in PrePaint and the transform tree is modified, the transform cache is not invalidated. Need to work around this before bug 814815 is fixed.
Oct 8
ClusterFuzz has detected this issue as fixed in range 597468:597469.

Detailed report: https://clusterfuzz.com/testcase?key=5561891576086528
Fuzzer: miaubiz_svg_fuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000108
Crash State:
blink::GeometryMapperTransformCache::UpdateScreenTransform
blink::GeometryMapperTransformCache::UpdateScreenTransform
blink::GeometryMapper::SourceToDestinationProjectionInternal
Sanitizer: address (ASAN)
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=597468:597469
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5561891576086528

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 8
ClusterFuzz testcase 5561891576086528 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 8
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9cdbb8acce4b90a37cf9f022bda2be2e6d9215a5

commit 9cdbb8acce4b90a37cf9f022bda2be2e6d9215a5
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Mon Oct 08 21:58:51 2018

[PE] Check and fix under-invalidation of GeometryMapper cache

We invalidate GeometryMapper cache at the beginning of PrePaint, and expect that once the cache of a node is created, the node and its ancestors will never change. However, because of crbug.com/814815, when an SVG element is forward referenced, the cache of nodes from the SVG element's transform/clip node to the root will be updated when painting SVG filter or image for the element that forward references the SVG element. When PrePaint walks to the SVG element in the DOM tree order, the transform/clip ancestor chain may have changed and the cache previously updated may be outdated.

This CL detects the situation, prints a warning and invalidates the cache when a transform or clip node changes after its cache has been updated. After crbug.com/814815 is fixed, the condition can be changed to a DCHECK.

The CL also checks for visual viewport needing paint property update to invalidate the cache at the beginning of PrePaint.

Bug: 814815, 892616
Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: Ia51b03891a9a0448107d0ce7d33f7540e0ef2e32
Reviewed-on: https://chromium-review.googlesource.com/c/1266597
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#597695}

[modify] https://crrev.com/9cdbb8acce4b90a37cf9f022bda2be2e6d9215a5/third_party/blink/renderer/core/paint/paint_property_tree_update_tests.cc
[modify] https://crrev.com/9cdbb8acce4b90a37cf9f022bda2be2e6d9215a5/third_party/blink/renderer/platform/graphics/paint/clip_paint_property_node.cc
[modify] https://crrev.com/9cdbb8acce4b90a37cf9f022bda2be2e6d9215a5/third_party/blink/renderer/platform/graphics/paint/clip_paint_property_node.h
[modify] https://crrev.com/9cdbb8acce4b90a37cf9f022bda2be2e6d9215a5/third_party/blink/renderer/platform/graphics/paint/effect_paint_property_node.h
[modify] https://crrev.com/9cdbb8acce4b90a37cf9f022bda2be2e6d9215a5/third_party/blink/renderer/platform/graphics/paint/geometry_mapper_clip_cache.cc
[modify] https://crrev.com/9cdbb8acce4b90a37cf9f022bda2be2e6d9215a5/third_party/blink/renderer/platform/graphics/paint/geometry_mapper_clip_cache.h
[modify] https://crrev.com/9cdbb8acce4b90a37cf9f022bda2be2e6d9215a5/third_party/blink/renderer/platform/graphics/paint/geometry_mapper_transform_cache.cc
[modify] https://crrev.com/9cdbb8acce4b90a37cf9f022bda2be2e6d9215a5/third_party/blink/renderer/platform/graphics/paint/geometry_mapper_transform_cache.h
[modify] https://crrev.com/9cdbb8acce4b90a37cf9f022bda2be2e6d9215a5/third_party/blink/renderer/platform/graphics/paint/paint_property_node.h
[modify] https://crrev.com/9cdbb8acce4b90a37cf9f022bda2be2e6d9215a5/third_party/blink/renderer/platform/graphics/paint/scroll_paint_property_node.h
[modify] https://crrev.com/9cdbb8acce4b90a37cf9f022bda2be2e6d9215a5/third_party/blink/renderer/platform/graphics/paint/transform_paint_property_node.h
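The under-invalidation described in the comment above and in the commit message, reduced to a constructed toy model (added here; this is not Blink's code). A global generation invalidates every per-node cache at the start of PrePaint; the fix's check is that a node which changes while its cache is still current warns and bumps the generation, so descendants recompute instead of reading a stale chain. The node layout, the 1-D "transform" and the scenario function are all assumptions for illustration.

```cpp
#include <cstdio>

// Generation counter: bumped at the beginning of PrePaint, which invalidates
// every node's cache at once (mirrors GeometryMapper's global invalidation).
static unsigned g_cache_generation = 1;

struct TransformNode {
  TransformNode* parent;          // nullptr for the root
  double translate_x;             // simplified 1-D transform
  unsigned cached_generation = 0; // 0 = never cached
  double cached_to_root = 0;

  // Accumulated translation to the root, served from the cache when fresh.
  // In the real bug this walk trusted a cache built before an ancestor changed.
  double ToRoot() {
    if (cached_generation == g_cache_generation) return cached_to_root;
    cached_to_root = translate_x + (parent ? parent->ToRoot() : 0.0);
    cached_generation = g_cache_generation;
    return cached_to_root;
  }

  // The fix's check: a change to a node whose cache was already updated in this
  // generation is under-invalidation. Warn and invalidate (bump the generation).
  bool Update(double new_translate_x, bool check_under_invalidation) {
    if (new_translate_x == translate_x) return false;
    translate_x = new_translate_x;
    if (check_under_invalidation && cached_generation == g_cache_generation) {
      fprintf(stderr, "warning: transform node changed after cache update\n");
      ++g_cache_generation;
      return true;
    }
    return false;
  }
};

// Bug scenario: painting a forward-referenced SVG resource early in PrePaint
// fills the leaf's cache (and its ancestors'); PrePaint later reaches the
// resource in DOM order and modifies an ancestor node. Returns the leaf's
// to-root value afterwards: 105 when the check runs, stale 15 without it.
double ForwardReferenceScenario(bool check_under_invalidation) {
  TransformNode root{nullptr, 0};
  TransformNode svg{&root, 10};
  TransformNode leaf{&svg, 5};
  ++g_cache_generation;                      // beginning of PrePaint
  leaf.ToRoot();                             // early paint populates caches
  svg.Update(100, check_under_invalidation); // ancestor changes afterwards
  return leaf.ToRoot();
}

int main() {
  printf("with check: %g\n", ForwardReferenceScenario(true));
  printf("without check: %g\n", ForwardReferenceScenario(false));
}
```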
Comment 1 by ClusterFuzz, Oct 5
Labels: Test-Predator-Auto-Components