Null-dereference READ in blink::SliderThumbElement::SetPositionFromValue
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5118019019472896
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::SliderThumbElement::SetPositionFromValue
  blink::RangeInputType::UpdateView
  blink::RangeInputType::SanitizeValueInResponseToMinOrMaxAttributeChange
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=554016:554019
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5118019019472896

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Nov 23
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/9aa33c1d8d269d44490d2114736eb57eded120ab ([Squad] Propagate thumb appearance during style recalc.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Nov 30
This crashes because the C++ has an assumption about which elements exist in the UA shadow for the input type=range. Normally, the browser has full control over the UA shadow, but this fuzzer case is triggered when running with --expose-internals-for-testing and nuking the UA shadow internals from JavaScript. Ideally, we should not expose the UA shadow through internals.shadowRoot and rewrite all tests using it as unit tests. This is probably not the only UA element we use without null checking. tkent@ I don't know if this is a WontFix, but I think adding null checks everywhere for UA shadow code is not the right solution.
Dec 3
Comment 1 by ClusterFuzz, Nov 23
Labels: Test-Predator-Auto-Components