Null-dereference READ in blink::JSBasedEventListener::handleEvent

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5641307144585216
Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::JSBasedEventListener::handleEvent
  blink::EventTarget::FireEventListeners
  blink::EventTarget::FireEventListeners
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=597043:597056
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5641307144585216

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Oct 7

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/1b2f95835607dbb9c6021df8893fb18f4c7aee9e (Create new EventHandler and base class for EventListener/EventHandler). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Oct 9

Oct 10

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f594c634639b4524dab11fee8dac11f34bf88671

commit f594c634639b4524dab11fee8dac11f34bf88671
Author: Yuki Yamada <yukiy@google.com>
Date: Wed Oct 10 06:47:13 2018

Add an early return for null target

On dispatching an event, the current implementation of blink::Event::target() can return null while the standard says that target should not be null. This CL's modification is just a temporary bug fix, so this issue should be addressed in other CLs.

Bug: 893449, 892970
Change-Id: I4aaa94f14e12e9100ad901ce1b7bc23230792495
Reviewed-on: https://chromium-review.googlesource.com/c/1270596
Reviewed-by: Hitoshi Yoshida <peria@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Hayato Ito <hayato@chromium.org>
Reviewed-by: Yuki Shiino <yukishiino@chromium.org>
Commit-Queue: Yuki Yamada <yukiy@google.com>
Cr-Commit-Position: refs/heads/master@{#598232}

[modify] https://crrev.com/f594c634639b4524dab11fee8dac11f34bf88671/third_party/blink/renderer/bindings/core/v8/js_based_event_listener.cc
Oct 11

ClusterFuzz has detected this issue as fixed in range 598227:598237.

Detailed report: https://clusterfuzz.com/testcase?key=5641307144585216
Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::JSBasedEventListener::handleEvent
  blink::EventTarget::FireEventListeners
  blink::EventTarget::FireEventListeners
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=597043:597056
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=598227:598237
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5641307144585216

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 11

ClusterFuzz testcase 5641307144585216 is verified as fixed, so closing issue as verified. If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
Nov 5

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/183dcec54bb0e630814f54638a0d862da7315029

commit 183dcec54bb0e630814f54638a0d862da7315029
Author: Hayato Ito <hayato@chromium.org>
Date: Mon Nov 05 04:14:52 2018

Don't dispatch an event in DispatchEventToAOMEventListeners if event's target is null

This is a kind of follow-up CL of https://crrev.com/c/1270596. It would be better to fix the root cause, instead of the early return in JSBasedEventListener::handleEvent. Accessibility folks might want to look further to decide what we should do if the event's target can't be set there.

Bug: 892970
Change-Id: Ic2a14242c611133df68cfc3ec6e24cb9d20bf214
Reviewed-on: https://chromium-review.googlesource.com/c/1272937
Reviewed-by: Dominic Mazzoni <dmazzoni@chromium.org>
Reviewed-by: Kent Tamura <tkent@chromium.org>
Commit-Queue: Hayato Ito <hayato@chromium.org>
Cr-Commit-Position: refs/heads/master@{#605244}

[modify] https://crrev.com/183dcec54bb0e630814f54638a0d862da7315029/third_party/blink/renderer/bindings/core/v8/js_based_event_listener.cc
[modify] https://crrev.com/183dcec54bb0e630814f54638a0d862da7315029/third_party/blink/renderer/modules/accessibility/ax_object.cc
Nov 9

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2ed9605b4c99774d8865dbd190e13c9fe5c2d03a

commit 2ed9605b4c99774d8865dbd190e13c9fe5c2d03a
Author: Hayato Ito <hayato@chromium.org>
Date: Fri Nov 09 17:31:43 2018

Fix a bug in https://crrev.com/c/1272937, where event.target can still be null

Fix a bug in the previous CL, https://crrev.com/c/1272937, where event.target can be null when GetElement() returns nullptr.

Bug: 892970, 893449, 902287
Change-Id: I7a08227d39117c2dc90fe720f0d6ffd62d9b2ea6
Reviewed-on: https://chromium-review.googlesource.com/c/1322177
Commit-Queue: Dominic Mazzoni <dmazzoni@chromium.org>
Reviewed-by: Dominic Mazzoni <dmazzoni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#606884}

[modify] https://crrev.com/2ed9605b4c99774d8865dbd190e13c9fe5c2d03a/third_party/blink/renderer/modules/accessibility/ax_object.cc
Comment 1 by ClusterFuzz, Oct 7
Labels: Test-Predator-Auto-Components