
Issue 892755 link

Issue metadata

Status: Verified
Owner:
Closed: Nov 3
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Null-dereference READ in blink::CallbackFunctionBase::CallbackFunctionBase

Reported by ClusterFuzz (Project Member), Oct 5

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6023701659910144

Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::CallbackFunctionBase::CallbackFunctionBase
  blink::JSEventHandler::JSEventHandler
  blink::V8EventListenerHelper::GetEventHandler
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=597053:597054

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6023701659910144

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Oct 5

Components: Blink>Bindings
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz (Project Member), Oct 5

Labels: Test-Predator-Auto-Owner
Owner: yukiy@google.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/1b2f95835607dbb9c6021df8893fb18f4c7aee9e (Create new EventHandler and base class for EventListener/EventHandler).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: haraken@chromium.org peria@chromium.org yukishiino@chromium.org
Owner: yukishiino@chromium.org
This is similar to a previous issue:
https://bugs.chromium.org/p/chromium/issues/detail?id=883643
This will also be addressed by yukishiino@.
Status: Started (was: Assigned)

Comment 6 by ClusterFuzz (Project Member), Nov 3

ClusterFuzz has detected this issue as fixed in range 604937:604938.

Detailed report: https://clusterfuzz.com/testcase?key=6023701659910144

Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::CallbackFunctionBase::CallbackFunctionBase
  blink::JSEventHandler::JSEventHandler
  blink::V8EventListenerHelper::GetEventHandler
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=597053:597054
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=604937:604938

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6023701659910144

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by ClusterFuzz (Project Member), Nov 3

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 6023701659910144 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 8 by bugdroid1@chromium.org (Project Member), Nov 9

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2f2d97b775634dcb3f099162f926af93924d29ab

commit 2f2d97b775634dcb3f099162f926af93924d29ab
Author: Yuki Shiino <yukishiino@chromium.org>
Date: Fri Nov 09 13:46:44 2018

v8binding: Use explicitly-typed callback functions in custom elements

We're planning to not use cross origin ScriptStates everywhere,
especially in IDL callback function and callback interface.
Given that, we'd like to minimize use of ScriptState of callbacks,
which will be nullptr in case of cross origin, so that the call sites
of callbacks do not need to handle a SecurityError.

This patch is a preparation of https://crrev.com/c/1314023 and
removes the use of the ScriptState from custom elements.

Bug: 886588, 892755
Change-Id: I52068920b659efe119496ec092448cdc107e0631
Reviewed-on: https://chromium-review.googlesource.com/c/1325585
Reviewed-by: Hitoshi Yoshida <peria@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#606819}
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/core/v8/BUILD.gn
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/core/v8/script_custom_element_definition.cc
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/core/v8/script_custom_element_definition.h
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/core/v8/script_custom_element_definition_builder.cc
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/core/v8/script_custom_element_definition_builder.h
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/scripts/v8_callback_function.py
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/scripts/v8_callback_interface.py
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/scripts/v8_types.py
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/tests/results/core/v8_any_callback_function_optional_any_arg.h
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/tests/results/core/v8_any_callback_function_variadic_any_args.h
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/tests/results/core/v8_long_callback_function.h
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/tests/results/core/v8_string_sequence_callback_function_long_sequence_arg.h
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/tests/results/core/v8_test_object.cc
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/tests/results/core/v8_treat_non_object_as_null_boolean_function.h
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/tests/results/core/v8_treat_non_object_as_null_void_function.h
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function.h
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_dictionary_arg.h
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_enum_arg.h
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_interface_arg.h
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_test_interface_sequence_arg.h
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_typedef.h
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/bindings/tests/results/modules/v8_void_callback_function_modules.h
[modify] https://crrev.com/2f2d97b775634dcb3f099162f926af93924d29ab/third_party/blink/renderer/core/html/custom/custom_element_registry.idl


Comment 9 by bugdroid1@chromium.org (Project Member), Nov 20

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/756bea38c853ce40e3daba7f7fadf85b0920785f

commit 756bea38c853ce40e3daba7f7fadf85b0920785f
Author: Yuki Shiino <yukishiino@chromium.org>
Date: Tue Nov 20 10:52:50 2018

v8binding: Do not hold a cross origin ScriptState in IDL callback function

Make IDL callback function not hold a ScriptState of its
creation context when it's cross origin from the incumbent
realm.

By not holding a cross origin ScriptState, there is much
less risk of accessing a cross origin context.

IDL callback interface will follow the same approach in
a separate patch.

Bug: 892755, 886588, 904218
Change-Id: Ie55b436fcc5f66f4ee053ef08ad98ea68fb3a2d6
Reviewed-on: https://chromium-review.googlesource.com/c/1314023
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Hitoshi Yoshida <peria@chromium.org>
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#609662}
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/core/v8/js_based_event_listener.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/core/v8/js_based_event_listener.h
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/core/v8/js_event_handler.h
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/core/v8/js_event_listener.h
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/templates/callback_function.cc.tmpl
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/templates/callback_interface.cc.tmpl
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/templates/callback_invoke.cc.tmpl
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/tests/results/core/v8_any_callback_function_optional_any_arg.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/tests/results/core/v8_any_callback_function_variadic_any_args.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/tests/results/core/v8_long_callback_function.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/tests/results/core/v8_string_sequence_callback_function_long_sequence_arg.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/tests/results/core/v8_test_callback_interface.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/tests/results/core/v8_test_legacy_callback_interface.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/tests/results/core/v8_treat_non_object_as_null_boolean_function.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/tests/results/core/v8_treat_non_object_as_null_void_function.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_dictionary_arg.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_enum_arg.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_interface_arg.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_test_interface_sequence_arg.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_typedef.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/bindings/tests/results/modules/v8_void_callback_function_modules.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/modules/nfc/nfc.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/platform/bindings/callback_function_base.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/platform/bindings/callback_function_base.h
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/platform/bindings/callback_interface_base.cc
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/platform/bindings/callback_interface_base.h
[modify] https://crrev.com/756bea38c853ce40e3daba7f7fadf85b0920785f/third_party/blink/renderer/platform/bindings/to_v8.h


Comment 10 by bugdroid1@chromium.org (Project Member), Nov 20

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172

commit 1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172
Author: Maxim Kolosovskiy <kolos@chromium.org>
Date: Tue Nov 20 13:08:47 2018

Revert "v8binding: Do not hold a cross origin ScriptState in IDL callback function"

This reverts commit 756bea38c853ce40e3daba7f7fadf85b0920785f.

Reason for revert: FindIt suspects that this is the culprit for a number of failures: https://findit-for-me.appspot.com/waterfall/failure?url=https://build.chromium.org/p/chromium.webkit/builders/WebKit%20Linux%20Trusty%20ASAN/builds/18261

Original change's description:
> v8binding: Do not hold a cross origin ScriptState in IDL callback function
> 
> Make IDL callback function not hold a ScriptState of its
> creation context when it's cross origin from the incumbent
> realm.
> 
> By not holding a cross origin ScriptState, there is much
> less risk of accessing a cross origin context.
> 
> IDL callback interface will follow the same approach in
> a separate patch.
> 
> Bug: 892755, 886588, 904218
> Change-Id: Ie55b436fcc5f66f4ee053ef08ad98ea68fb3a2d6
> Reviewed-on: https://chromium-review.googlesource.com/c/1314023
> Reviewed-by: Kentaro Hara <haraken@chromium.org>
> Reviewed-by: Hitoshi Yoshida <peria@chromium.org>
> Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#609662}

TBR=peria@chromium.org,yukishiino@chromium.org,haraken@chromium.org

Change-Id: Ic0e5a3006a43f8a95202ac1d890f365307068877
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 892755, 886588, 904218
Reviewed-on: https://chromium-review.googlesource.com/c/1343093
Reviewed-by: Maxim Kolosovskiy <kolos@chromium.org>
Commit-Queue: Maxim Kolosovskiy <kolos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#609678}
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/core/v8/js_based_event_listener.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/core/v8/js_based_event_listener.h
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/core/v8/js_event_handler.h
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/core/v8/js_event_listener.h
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/templates/callback_function.cc.tmpl
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/templates/callback_interface.cc.tmpl
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/templates/callback_invoke.cc.tmpl
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/tests/results/core/v8_any_callback_function_optional_any_arg.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/tests/results/core/v8_any_callback_function_variadic_any_args.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/tests/results/core/v8_long_callback_function.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/tests/results/core/v8_string_sequence_callback_function_long_sequence_arg.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/tests/results/core/v8_test_callback_interface.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/tests/results/core/v8_test_legacy_callback_interface.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/tests/results/core/v8_treat_non_object_as_null_boolean_function.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/tests/results/core/v8_treat_non_object_as_null_void_function.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_dictionary_arg.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_enum_arg.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_interface_arg.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_test_interface_sequence_arg.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_typedef.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/bindings/tests/results/modules/v8_void_callback_function_modules.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/modules/nfc/nfc.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/platform/bindings/callback_function_base.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/platform/bindings/callback_function_base.h
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/platform/bindings/callback_interface_base.cc
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/platform/bindings/callback_interface_base.h
[modify] https://crrev.com/1c21bc5a4c200a0f6acf959baa6c4cd8f61a5172/third_party/blink/renderer/platform/bindings/to_v8.h


Comment 11 by bugdroid1@chromium.org (Project Member), Nov 26

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/20b501c316f87203b461a6769f3d113711ecaa1e

commit 20b501c316f87203b461a6769f3d113711ecaa1e
Author: Yuki Shiino <yukishiino@chromium.org>
Date: Mon Nov 26 11:59:40 2018

Reland "v8binding: Do not hold a cross origin ScriptState in IDL callback function"

This is a reland of 756bea38c853ce40e3daba7f7fadf85b0920785f

Original change's description:
> v8binding: Do not hold a cross origin ScriptState in IDL callback function
> 
> Make IDL callback function not hold a ScriptState of its
> creation context when it's cross origin from the incumbent
> realm.
> 
> By not holding a cross origin ScriptState, there is much
> less risk of accessing a cross origin context.
> 
> IDL callback interface will follow the same approach in
> a separate patch.
> 
> Bug: 892755, 886588, 904218
> Change-Id: Ie55b436fcc5f66f4ee053ef08ad98ea68fb3a2d6
> Reviewed-on: https://chromium-review.googlesource.com/c/1314023
> Reviewed-by: Kentaro Hara <haraken@chromium.org>
> Reviewed-by: Hitoshi Yoshida <peria@chromium.org>
> Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#609662}

Bug: 892755, 886588, 904218
Change-Id: I78ca7050e659cdb533ae09dab792bc699d2b48bf
Reviewed-on: https://chromium-review.googlesource.com/c/1343881
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Reviewed-by: Hitoshi Yoshida <peria@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#610820}
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/core/v8/js_based_event_listener.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/core/v8/js_based_event_listener.h
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/core/v8/js_event_handler.h
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/core/v8/js_event_listener.h
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/templates/callback_function.cc.tmpl
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/templates/callback_interface.cc.tmpl
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/templates/callback_invoke.cc.tmpl
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/tests/results/core/v8_any_callback_function_optional_any_arg.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/tests/results/core/v8_any_callback_function_variadic_any_args.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/tests/results/core/v8_long_callback_function.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/tests/results/core/v8_string_sequence_callback_function_long_sequence_arg.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/tests/results/core/v8_test_callback_interface.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/tests/results/core/v8_test_legacy_callback_interface.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/tests/results/core/v8_treat_non_object_as_null_boolean_function.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/tests/results/core/v8_treat_non_object_as_null_void_function.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_dictionary_arg.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_enum_arg.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_interface_arg.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_test_interface_sequence_arg.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_typedef.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/bindings/tests/results/modules/v8_void_callback_function_modules.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/modules/nfc/nfc.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/platform/bindings/callback_function_base.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/platform/bindings/callback_function_base.h
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/platform/bindings/callback_interface_base.cc
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/platform/bindings/callback_interface_base.h
[modify] https://crrev.com/20b501c316f87203b461a6769f3d113711ecaa1e/third_party/blink/renderer/platform/bindings/to_v8.h


Comment 12 by bugdroid1@chromium.org (Project Member), Nov 26

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/081fd44ad92323c8562b7f952f7eef8a61232505

commit 081fd44ad92323c8562b7f952f7eef8a61232505
Author: Mounir Lamouri <mlamouri@chromium.org>
Date: Mon Nov 26 20:13:25 2018

Revert "Reland "v8binding: Do not hold a cross origin ScriptState in IDL callback function""

This reverts commit 20b501c316f87203b461a6769f3d113711ecaa1e.

Reason for revert:
FindIt believes with 74% confidence that it is the cause of these failures: https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/Linux%20ChromiumOS%20MSan%20Tests/9835

Original change's description:
> Reland "v8binding: Do not hold a cross origin ScriptState in IDL callback function"
> 
> This is a reland of 756bea38c853ce40e3daba7f7fadf85b0920785f
> 
> Original change's description:
> > v8binding: Do not hold a cross origin ScriptState in IDL callback function
> > 
> > Make IDL callback function not hold a ScriptState of its
> > creation context when it's cross origin from the incumbent
> > realm.
> > 
> > By not holding a cross origin ScriptState, there is much
> > less risk of accessing a cross origin context.
> > 
> > IDL callback interface will follow the same approach in
> > a separate patch.
> > 
> > Bug: 892755, 886588, 904218
> > Change-Id: Ie55b436fcc5f66f4ee053ef08ad98ea68fb3a2d6
> > Reviewed-on: https://chromium-review.googlesource.com/c/1314023
> > Reviewed-by: Kentaro Hara <haraken@chromium.org>
> > Reviewed-by: Hitoshi Yoshida <peria@chromium.org>
> > Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#609662}
> 
> Bug: 892755, 886588, 904218
> Change-Id: I78ca7050e659cdb533ae09dab792bc699d2b48bf
> Reviewed-on: https://chromium-review.googlesource.com/c/1343881
> Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
> Reviewed-by: Hitoshi Yoshida <peria@chromium.org>
> Reviewed-by: Kentaro Hara <haraken@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#610820}

TBR=peria@chromium.org,yukishiino@chromium.org,haraken@chromium.org

Change-Id: I21faed593e8bdaae31c86a11413b18d31ab38c45
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 892755, 886588, 904218
Reviewed-on: https://chromium-review.googlesource.com/c/1351424
Reviewed-by: Mounir Lamouri <mlamouri@chromium.org>
Commit-Queue: Mounir Lamouri <mlamouri@chromium.org>
Cr-Commit-Position: refs/heads/master@{#610929}
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/core/v8/js_based_event_listener.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/core/v8/js_based_event_listener.h
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/core/v8/js_event_handler.h
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/core/v8/js_event_listener.h
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/templates/callback_function.cc.tmpl
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/templates/callback_interface.cc.tmpl
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/templates/callback_invoke.cc.tmpl
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/tests/results/core/v8_any_callback_function_optional_any_arg.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/tests/results/core/v8_any_callback_function_variadic_any_args.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/tests/results/core/v8_long_callback_function.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/tests/results/core/v8_string_sequence_callback_function_long_sequence_arg.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/tests/results/core/v8_test_callback_interface.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/tests/results/core/v8_test_legacy_callback_interface.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/tests/results/core/v8_treat_non_object_as_null_boolean_function.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/tests/results/core/v8_treat_non_object_as_null_void_function.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_dictionary_arg.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_enum_arg.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_interface_arg.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_test_interface_sequence_arg.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_typedef.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/bindings/tests/results/modules/v8_void_callback_function_modules.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/modules/nfc/nfc.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/platform/bindings/callback_function_base.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/platform/bindings/callback_function_base.h
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/platform/bindings/callback_interface_base.cc
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/platform/bindings/callback_interface_base.h
[modify] https://crrev.com/081fd44ad92323c8562b7f952f7eef8a61232505/third_party/blink/renderer/platform/bindings/to_v8.h

Project Member

Comment 13 by bugdroid1@chromium.org, Dec 10

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b7bfa99e8bbca8398931f9a75904007265b057ba

commit b7bfa99e8bbca8398931f9a75904007265b057ba
Author: Yuki Shiino <yukishiino@chromium.org>
Date: Mon Dec 10 11:03:13 2018

Reland "Reland "v8binding: Do not hold a cross origin ScriptState in IDL callback function""

This is a reland of 20b501c316f87203b461a6769f3d113711ecaa1e

The cause of the previous revert was fixed at:
https://chromium-review.googlesource.com/c/v8/v8/+/1356691
and there is no change between this patch and the previous one.

Original change's description:
> Reland "v8binding: Do not hold a cross origin ScriptState in IDL callback function"
>
> This is a reland of 756bea38c853ce40e3daba7f7fadf85b0920785f
>
> Original change's description:
> > v8binding: Do not hold a cross origin ScriptState in IDL callback function
> >
> > Make IDL callback function not hold a ScriptState of its
> > creation context when it's cross origin from the incumbent
> > realm.
> >
> > Not holding a cross origin ScriptState, there is much
> > less risk to access a cross origin context.
> >
> > IDL callback interface will follow the same approach in
> > a separate patch.
> >
> > Bug: 892755, 886588, 904218
> > Change-Id: Ie55b436fcc5f66f4ee053ef08ad98ea68fb3a2d6
> > Reviewed-on: https://chromium-review.googlesource.com/c/1314023
> > Reviewed-by: Kentaro Hara <haraken@chromium.org>
> > Reviewed-by: Hitoshi Yoshida <peria@chromium.org>
> > Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#609662}
>
> Bug: 892755, 886588, 904218
> Change-Id: I78ca7050e659cdb533ae09dab792bc699d2b48bf
> Reviewed-on: https://chromium-review.googlesource.com/c/1343881
> Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
> Reviewed-by: Hitoshi Yoshida <peria@chromium.org>
> Reviewed-by: Kentaro Hara <haraken@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#610820}

Bug: 892755, 886588, 904218
Change-Id: I56d7ff74b1b37a6fd6c66f130da936bb6aff79d0
Reviewed-on: https://chromium-review.googlesource.com/c/1353037
Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
Reviewed-by: Hitoshi Yoshida <peria@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#615080}
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/core/v8/js_based_event_listener.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/core/v8/js_based_event_listener.h
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/core/v8/js_event_handler.h
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/core/v8/js_event_listener.h
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/templates/callback_function.cc.tmpl
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/templates/callback_interface.cc.tmpl
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/templates/callback_invoke.cc.tmpl
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/tests/results/core/v8_any_callback_function_optional_any_arg.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/tests/results/core/v8_any_callback_function_variadic_any_args.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/tests/results/core/v8_long_callback_function.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/tests/results/core/v8_string_sequence_callback_function_long_sequence_arg.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/tests/results/core/v8_test_callback_interface.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/tests/results/core/v8_test_legacy_callback_interface.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/tests/results/core/v8_treat_non_object_as_null_boolean_function.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/tests/results/core/v8_treat_non_object_as_null_void_function.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_dictionary_arg.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_enum_arg.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_interface_arg.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_test_interface_sequence_arg.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/tests/results/core/v8_void_callback_function_typedef.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/bindings/tests/results/modules/v8_void_callback_function_modules.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/modules/nfc/nfc.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/platform/bindings/callback_function_base.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/platform/bindings/callback_function_base.h
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/platform/bindings/callback_interface_base.cc
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/platform/bindings/callback_interface_base.h
[modify] https://crrev.com/b7bfa99e8bbca8398931f9a75904007265b057ba/third_party/blink/renderer/platform/bindings/to_v8.h
