
Issue 919331


Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Null-dereference READ in chrome

Project Member Reported by ClusterFuzz, Jan 5

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5180855445880832

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000270
Crash State:
  chrome
  blink::Document::View
  blink::Document::UpdateStyleAndLayoutIgnorePendingStylesheets
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=570924:570982

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5180855445880832

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
 
Cc: kkaluri@chromium.org
Labels: M-72 Test-Predator-Wrong
Owner: a...@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.

Using Code Search for the file "chrome_client.cc", I suspect the CL below might have caused this issue.

Suspect CL: https://chromium.googlesource.com/chromium/src/+/ba496ac30606b596aecf5608a1973e300f8e798b

avi@ -- Could you please check whether this is caused by your change? If not, please help us assign it to the right owner.

Thanks!
Components: Internals>Printing
Owner: rbpotter@chromium.org
This is due to a print immediately upon commit:

    #1 0x55b1795ef977 in blink::Document::View() const third_party/blink/renderer/core/dom/document.cc:1802:10
    #2 0x55b1795f2634 in blink::Document::UpdateStyleAndLayoutIgnorePendingStylesheets(blink::Document::RunPostLayoutTasks) third_party/blink/renderer/core/dom/document.cc:2536:32
    #3 0x55b179c3c6ae in blink::FrameSelection::ComputeVisibleSelectionInDOMTreeDeprecated() const third_party/blink/renderer/core/editing/frame_selection.cc:153:17
    #4 0x55b179e1bf87 in blink::WebLocalFrameImpl::HasSelection() const third_party/blink/renderer/core/frame/web_local_frame_impl.cc:1212:31
    #5 0x55b17b4fcf7c in printing::PrintRenderFrameHelper::RequestPrintPreview(printing::PrintRenderFrameHelper::PrintPreviewRequestType) components/printing/renderer/print_render_frame_helper.cc:2148:53
    #6 0x55b17a9ee401 in content::RenderFrameImpl::ScriptedPrint(bool) content/renderer/render_frame_impl.cc:2033:14
    #7 0x55b17a3a8bbb in blink::ChromeClient::Print(blink::LocalFrame*) third_party/blink/renderer/core/page/chrome_client.cc:266:3
    #8 0x55b179d90d89 in blink::LocalDOMWindow::print(blink::ScriptState*) third_party/blink/renderer/core/frame/local_dom_window.cc:713:27
    #9 0x55b17a35a27f in blink::FrameLoader::DidFinishNavigation() third_party/blink/renderer/core/loader/frame_loader.cc:468:26

rbpotter has been poking around printing lately. Probably not hers, but she has a better idea of what to do here.
Duplicate of bug 825277?