Revert "Revert "Fix retargeting of result in elementFromPoint and elementsFromPoint"" #9133

Merged
merged 1 commit into from Jan 25, 2018

chromium-wpt-export-bot commented Jan 23, 2018

crrev.com/c/808446 is reverted because of failure in ASAN Buildbot
Revert CL Link: crrev.com/c/880264
Failure link: https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Linux%20Trusty%20ASAN/builds/8618

The failure is accessing *target_ancestor_iterator when it is out of bounds.
Link: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/dom/TreeScope.cpp?q=Treescope.cpp&sq=package:chromium&rcl=dd944882a245a5117b50cb417138d92f32d931d6&l=393
as there were no bounds checks for target_ancestor_iterator. It wasn't caught
by layout tests because it's still returning the correct results, because
it doesn't crash when getting *target_ancestor_iterator when it's out of bounds.
It just stops the while-loop and returns at
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/dom/TreeScope.cpp?q=Treescope.cpp&sq=package:chromium&rcl=dd944882a245a5117b50cb417138d92f32d931d6&l=398
Also, since the ASAN buildbot is not done before the CL is merged, this wasn't
caught by trybots prior to committing.

The fix is just adding a bounds check for target_ancestor_riterator here:
https://chromium-review.googlesource.com/c/chromium/src/+/880741/2..3/third_party/WebKit/Source/core/dom/TreeScope.cpp
I have confirmed by using ASAN locally that it is fixed now.
Before the fix, running the failing tests with an ASAN build fails.

Bug: 759947,805039
Change-Id: I9934af8131f285045e0eb80923f190b6d88cef7d
Reviewed-on: https://chromium-review.googlesource.com/880741
Commit-Queue: Rakina Zata Amni <rakina@chromium.org>
Reviewed-by: Hayato Ito <hayato@chromium.org>
Reviewed-by: Takayoshi Kochi <kochi@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#531839}
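
An added illustration of the bug class described in the commit message above, not Chromium's TreeScope.cpp code: two ancestor chains are compared from the root with reverse iterators, and the loop must check both iterators against `rend()` before dereferencing. `Chain`, `SharedDepth` and `UnguardedWouldOverread` are hypothetical names, and the shape of the unguarded loop is an assumption based on the statement that only the target-side check was missing.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Constructed model: each chain lists scopes innermost first and the document
// root last, so reverse iterators walk from the root downwards.
using Chain = std::vector<std::string>;

// Hardened walk: every dereference is preceded by a comparison with rend().
// Returns the number of scopes, counted from the root, that both chains share.
std::size_t SharedDepth(const Chain& target, const Chain& context) {
  auto t = target.rbegin();
  auto c = context.rbegin();
  std::size_t depth = 0;
  while (c != context.rend() && t != target.rend() && *t == *c) {
    ++t;
    ++c;
    ++depth;
  }
  return depth;
}

// Models the loop without the target-side check (assumed shape):
//   while (c != context.rend() && *t == *c) { ++t; ++c; }
// It is not executed here. This function only reports whether that loop would
// dereference target.rend(): it does when every target scope matched and the
// context chain still has scopes left.
bool UnguardedWouldOverread(const Chain& target, const Chain& context) {
  return SharedDepth(target, context) == target.size() &&
         context.size() > target.size();
}

int main() {
  // Constructed sample input: the context sits one scope deeper than the target.
  const Chain target = {"document"};
  const Chain context = {"shadow-root-a", "document"};
  // The shared depth is well defined, so a result-based test has nothing to
  // flag; the out-of-bounds read is only visible to a memory checker.
  return (SharedDepth(target, context) == 1 &&
          UnguardedWouldOverread(target, context)) ? 0 : 1;
}
```

Building the real code with `-fsanitize=address` is what surfaces this kind of read when the returned value is unaffected, which matches the report that layout tests passed while the ASAN bot failed.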




wpt-pr-bot left a comment

Already reviewed downstream.


w3c-bots commented Jan 23, 2018

Build PASSED

Started: 2018-01-25 07:43:02
Finished: 2018-01-25 07:47:32

View more information about this build on:

chromium-wpt-export-bot force-pushed the chromium-export-cl-880741 branch 2 times, most recently from 1c91fd7 to 2c245e4 on Jan 24, 2018


chromium-wpt-export-bot force-pushed the chromium-export-cl-880741 branch from 2c245e4 to 0ad0319 on Jan 25, 2018

chromium-wpt-export-bot merged commit 58d769a into master on Jan 25, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

chromium-wpt-export-bot deleted the chromium-export-cl-880741 branch on Jan 25, 2018
