New issue
Advanced search Search tips

Issue 912421 link

Starred by 2 users
Status: Verified
Owner:
bokan@chromium.org
Closed: Dec 19
Cc:
rbyers@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug



Sign in to add a comment

Null-dereference READ in blink::Internals::hitTestCount

Project Member Reported by ClusterFuzz, Dec 6 
Detailed report: https://clusterfuzz.com/testcase?key=4768182918971392

Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000148
Crash State:
  blink::Internals::hitTestCount
  blink::V8Internals::HitTestCountMethodCallback
  v8::internal::FunctionCallbackArguments::Call
  
Sanitizer: memory (MSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4768182918971392

Issue filed automatically.

See https://www.chromium.org/developers/testing/memorysanitizer#TOC-Reproducing-ClusterFuzz-Bugs for more information.

Comment 1 by kkaluri@chromium.org, Dec 13

Components: Blink>JavaScript

Comment 2 by hablich@chromium.org, Dec 17

Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
to CF sheriff

Comment 3 by clemensh@chromium.org, Dec 18

Cc: rbyers@chromium.org
Components: -Blink>JavaScript Blink
Owner: ----
Status: Untriaged (was: Assigned)
This fails on the blink side, in a method that looks like an internal testing API.

Updating component and adding rbyers@ who added this API in 6f2469c8c876f1aa3933a4c63c4ec48309d4720d.

Comment 4 by bokan@chromium.org, Dec 19

Components: -Blink Blink>Input
Labels: -Pri-1 Pri-3
Owner: bokan@chromium.org
Status: Assigned (was: Untriaged)
Not a real issue since this is code that doesn't ship. Hover, it's just a missing null-check - I'll put up a CL shortly.
Project Member

Comment 5 by bugdroid1@chromium.org, Dec 19 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1f8c82118ff5027aa70127df59497c5c4cb25835

commit 1f8c82118ff5027aa70127df59497c5c4cb25835
Author: David Bokan <bokan@chromium.org>
Date: Wed Dec 19 15:38:10 2018

Null-check internals.hitTestCount

Bug:  912421 
Change-Id: I9bba7f46ab7c46953ceb24be0137405744dff657
Reviewed-on: https://chromium-review.googlesource.com/c/1384136
Commit-Queue: David Bokan <bokan@chromium.org>
Commit-Queue: Dave Tapuska <dtapuska@chromium.org>
Reviewed-by: Dave Tapuska <dtapuska@chromium.org>
Cr-Commit-Position: refs/heads/master@{#617842}
[modify] https://crrev.com/1f8c82118ff5027aa70127df59497c5c4cb25835/third_party/blink/renderer/core/testing/internals.cc

Comment 6 by bokan@chromium.org, Dec 19

Status: Fixed (was: Assigned)
Project Member

Comment 7 by ClusterFuzz, Dec 20 

ClusterFuzz has detected this issue as fixed in range 617841:617842.

Detailed report: https://clusterfuzz.com/testcase?key=4768182918971392

Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000148
Crash State:
  blink::Internals::hitTestCount
  blink::V8Internals::HitTestCountMethodCallback
  v8::internal::FunctionCallbackArguments::Call
  
Sanitizer: memory (MSAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=617841:617842

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4768182918971392

See https://www.chromium.org/developers/testing/memorysanitizer#TOC-Reproducing-ClusterFuzz-Bugs for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by ClusterFuzz, Dec 20

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4768182918971392 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment