[Webkit-unassigned] [Bug 90516] New: Fuzzer: UNKNOWN in WebCore::EventHandler::handleMousePressEventSingleClick

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 3 23:34:45 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=90516

           Summary: Fuzzer: UNKNOWN in
                    WebCore::EventHandler::handleMousePressEventSingleClic
                    k
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Event Handling
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: hayato at chromium.org
                CC: dglazkov at chromium.org, dominicc at chromium.org,
                    morrita at google.com, shinyak at chromium.org,
                    tasak at google.com


Upstreamed from http://code.google.com/p/chromium/issues/detail?id=113178

Found by Fuzzing:

Fuzzer: Webcomponents_fuzzer

Crash Type: UNKNOWN
Crash Address: 0x000000000000
Crash State:
  - crash stack -
  WebCore::EventHandler::handleMousePressEventSingleClick
  WebCore::EventHandler::handleMousePressEvent
  WebCore::EventHandler::handleMousePressEvent

Regressed: https://cluster-fuzz.appspot.com/revisions?range=108839:108881

Minimized Testcase (1.36 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97oKVR0TFC7wZob5DoaI4Tis3wVuDfriqOu2jZEnSXx16vc4FQeAVaQ89AH5VVrLUKxUetbHVy83c6trV0aZrkyrJ4qfggJT29Xc5PWbUE1HkrN86Qz9LsSgfsmPgA0vc2yx_n3T8eI-gKL63PmRIKABrThHgdEDKR1GefCVtt0HSf0ZMA




<!DOCTYPE html>
<script>if (window.layoutTestController) layoutTestController.waitUntilDone(); </script>
<style>
.c3:nth-last-of-type(even) { display: -webkit-inline-flexbox; padding-top: 100%; }
.c3:focus { display: none;</style>
<script>
var nodes = [];
function boom() {
try { nodes[15] = []; } catch (e) {}try { nodes[15][0] = document.createElement('iframe'); } catch(e) {}
try { nodes[92] = []; } catch (e) {}try { nodes[92][0] = document.createElement('li'); } catch(e) {}
try { nodes[93] = []; } catch (e) {}try { nodes[93][0] = document.createElement('iframe'); } catch(e) {}
try { document.documentElement.appendChild(nodes[15][0]); } catch(e) {}
try { document.documentElement.appendChild(nodes[92][0]); } catch(e) {}
try { document.documentElement.appendChild(nodes[93][0]); } catch(e) {}
setTimeout("try { nodes[15][0].setAttribute('class', 'c3'); } catch(e) {}", 134);
setTimeout('try { eventSender.mouseDown(); } catch (e) {}', 540);
setTimeout('try { eventSender.mouseUp(); } catch (e) {}', 545);
setTimeout('try { eventSender.mouseDown(); } catch (e) {}', 550);
setTimeout('try { eventSender.mouseUp(); } catch (e) {}', 555);
setTimeout('try { eventSender.mouseDown(); } catch (e) {}', 580);
setTimeout('try { eventSender.mouseMoveTo(4, 443); } catch (e) {}', 578);
setTimeout('try { eventSender.mouseMoveTo(729, 397); } catch (e) {}', 135);
}
window.onload = boom;
</script>

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list