Created: 4 years, 3 months ago by dmazzoni
Modified: 4 years, 3 months ago
CC: aboxhall+watch_chromium.org, chromium-reviews, dmazzoni+watch_chromium.org, dtseng+watch_chromium.org, je_julie, nektar+watch_chromium.org, yuzo+watch_chromium.org
Target Ref: refs/pending/heads/master
Project: chromium
Visibility: Public.
Description: Add fuzzer for AXTree and fix a couple of bugs it found.
BUG=none
Committed: https://crrev.com/cd760f121c0701c0f7609a3437735751cf4ac416
Cr-Commit-Position: refs/heads/master@{#418308}
Patch Set 1
Total comments: 4
Patch Set 2 : Rebase, address feedback
Patch Set 3 : Fix additional leak
Messages
Total messages: 29 (14 generated)
The CQ bit was checked by dmazzoni@chromium.org to run a CQ dry run
dmazzoni@chromium.org changed reviewers: + aboxhall@chromium.org, inferno@chromium.org
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: ios-simulator on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/ios-simulator/bui...) mac_chromium_compile_dbg_ng on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_comp...)
lgtm Rad!
aarya@google.com changed reviewers: + aarya@google.com, mmoroz@chromium.org, ochang@chromium.org - inferno@chromium.org
I am OOO. Oliver, can you please review this.
LGTM with minor nits

Btw, you've found two use-after-frees locally, right? This is awesome!!!

https://codereview.chromium.org/2323103002/diff/1/ui/accessibility/ax_tree_fu...
File ui/accessibility/ax_tree_fuzzer.cc (right):

https://codereview.chromium.org/2323103002/diff/1/ui/accessibility/ax_tree_fu...
ui/accessibility/ax_tree_fuzzer.cc:1: // Copyright (c) 2016 The Chromium Authors. All rights reserved.
No "(c)" in copyright: https://chromium.googlesource.com/chromium/src/+/master/styleguide/c++/c++.md...

https://codereview.chromium.org/2323103002/diff/1/ui/accessibility/ax_tree_fu...
ui/accessibility/ax_tree_fuzzer.cc:33: int child_count = data[i++];
Wouldn't it be better to use size_t or another unsigned type here, and for j in the next loop?
lgtm
Yep, this caught two UAFs locally very quickly!

This was super easy to use, I'm looking for other opportunities to fuzz...

https://codereview.chromium.org/2323103002/diff/1/ui/accessibility/ax_tree_fu...
File ui/accessibility/ax_tree_fuzzer.cc (right):

https://codereview.chromium.org/2323103002/diff/1/ui/accessibility/ax_tree_fu...
ui/accessibility/ax_tree_fuzzer.cc:1: // Copyright (c) 2016 The Chromium Authors. All rights reserved.
On 2016/09/12 at 08:17:54, mmoroz wrote:
> No "(c)" in copyright: https://chromium.googlesource.com/chromium/src/+/master/styleguide/c++/c++.md...
Done

https://codereview.chromium.org/2323103002/diff/1/ui/accessibility/ax_tree_fu...
ui/accessibility/ax_tree_fuzzer.cc:33: int child_count = data[i++];
On 2016/09/12 at 08:17:54, mmoroz wrote:
> Wouldn't it be better to use size_t or other unsigned type here and for j in the next loop?
You're right, good idea.
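The review nit above is about how a libFuzzer target turns raw input bytes into a tree update: the count read from `data[i++]` drives the loop bounds, so it should be unsigned and every read should be bounds-checked, or the harness itself reads past the buffer and ASan reports a crash that is not a bug in the code under test. The following is an added example of that harness pattern, not Chromium's ax_tree_fuzzer.cc. The `FuzzTreeUpdate` struct, the wire format, the `FuzzTree` class and the `ApplyBytes` helper are all hypothetical stand-ins constructed for this example; only the `LLVMFuzzerTestOneInput` entry point is the real libFuzzer interface. The toy tree also shows the ownership discipline (owning map plus non-owning child/parent aliases replaced together) that keeps a malformed update from leaving a dangling pointer, which is the class of bug the CL says the fuzzer found.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <set>
#include <vector>

// Hypothetical stand-in for the update type the real tree consumes: a flat
// list of nodes, each naming its children by id.
struct FuzzNode {
  int32_t id = 0;
  std::vector<int32_t> child_ids;
};
struct FuzzTreeUpdate {
  std::vector<FuzzNode> nodes;
};

// Bounds-checked cursor over the fuzzer input. A failed read ends decoding;
// reading past `size` would crash the harness itself under ASan and be
// reported as if it were a bug in the code under test.
class ByteReader {
 public:
  ByteReader(const uint8_t* data, size_t size) : data_(data), size_(size) {}
  bool Read(uint8_t* out) {
    if (pos_ >= size_) return false;
    *out = data_[pos_++];
    return true;
  }
 private:
  const uint8_t* data_;
  size_t size_;
  size_t pos_ = 0;
};

// Wire format (constructed for this example): node_count, then per node its
// id, child_count and child_count child ids. Counts and loop indices are
// unsigned, as the review asked, so nothing is compared against a signed int.
FuzzTreeUpdate DecodeUpdate(const uint8_t* data, size_t size) {
  FuzzTreeUpdate update;
  ByteReader in(data, size);
  uint8_t node_count = 0;
  if (!in.Read(&node_count)) return update;
  for (size_t i = 0; i < node_count; ++i) {
    uint8_t id = 0, child_count = 0;
    if (!in.Read(&id) || !in.Read(&child_count)) break;
    FuzzNode node;
    node.id = id;
    for (size_t j = 0; j < child_count; ++j) {
      uint8_t child = 0;
      if (!in.Read(&child)) break;  // truncated input: keep the partial node
      node.child_ids.push_back(child);
    }
    update.nodes.push_back(std::move(node));
  }
  return update;
}

// Toy tree under test (hypothetical). `nodes_` owns every Node; `children`
// and `parent` are non-owning aliases. Owners and aliases are swapped out
// together, so an alias can never outlive the node it points at.
class FuzzTree {
 public:
  struct Node {
    int32_t id = 0;
    Node* parent = nullptr;
    std::vector<Node*> children;
  };

  // Returns false (tree unchanged) if a node lists itself as a child, a child
  // is claimed by two parents, an id appears twice, or the root is someone's
  // child. Nodes unreachable from the root are dropped with the old tree.
  bool Unserialize(const FuzzTreeUpdate& update) {
    if (update.nodes.empty()) return true;
    std::map<int32_t, std::vector<int32_t>> child_map;
    std::set<int32_t> claimed;
    for (const FuzzNode& n : update.nodes) {
      for (int32_t c : n.child_ids)
        if (c == n.id || !claimed.insert(c).second) return false;
      if (!child_map.emplace(n.id, n.child_ids).second) return false;
    }
    const int32_t root = update.nodes.front().id;
    if (claimed.count(root)) return false;  // root with a parent: a cycle
    std::map<int32_t, std::unique_ptr<Node>> fresh;
    std::vector<std::pair<int32_t, Node*>> stack;
    stack.push_back({root, nullptr});
    while (!stack.empty()) {
      const int32_t id = stack.back().first;
      Node* const parent = stack.back().second;
      stack.pop_back();
      auto node = std::make_unique<Node>();
      node->id = id;
      node->parent = parent;
      if (parent) parent->children.push_back(node.get());
      Node* const raw = node.get();
      fresh[id] = std::move(node);
      auto it = child_map.find(id);
      if (it == child_map.end()) continue;  // named only as a child: a leaf
      for (int32_t c : it->second) stack.push_back({c, raw});
    }
    nodes_ = std::move(fresh);
    return true;
  }
  size_t size() const { return nodes_.size(); }

 private:
  std::map<int32_t, std::unique_ptr<Node>> nodes_;
};

// libFuzzer entry point: decode, then drive the tree. Under ASan a lifetime
// bug in Unserialize shows up here as a crash tied to the offending input.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  FuzzTree tree;
  tree.Unserialize(DecodeUpdate(data, size));
  return 0;
}

// Stand-alone driver: node count after the update, or -1 if it was rejected.
int ApplyBytes(const std::vector<uint8_t>& bytes) {
  FuzzTree tree;
  if (!tree.Unserialize(DecodeUpdate(bytes.data(), bytes.size()))) return -1;
  return static_cast<int>(tree.size());
}
```

Built with `clang++ -fsanitize=fuzzer,address`, the entry point is what libFuzzer calls in a loop; the `ApplyBytes` helper is only there so the same decode-and-apply path can be exercised on hand-written byte strings, including truncated ones, outside the fuzzer.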
The CQ bit was checked by dmazzoni@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from mmoroz@chromium.org, aboxhall@chromium.org, ochang@chromium.org Link to the patchset: https://codereview.chromium.org/2323103002/#ps20001 (title: "Rebase, address feedback")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: linux_chromium_asan_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
The CQ bit was checked by mmoroz@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
On 2016/09/12 16:45:42, dmazzoni wrote:
> Yep, this caught two UAFs locally very quickly!
>
> This was super easy to use, I'm looking for other opportunities to fuzz...

That's great! Looking forward to having more fuzzers & bugs from you :)
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders: linux_chromium_asan_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
The CQ bit was checked by dmazzoni@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from mmoroz@chromium.org, aboxhall@chromium.org, ochang@chromium.org Link to the patchset: https://codereview.chromium.org/2323103002/#ps40001 (title: "Fix additional leak")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Message was sent while issue was closed.
Committed patchset #3 (id:40001)
Message was sent while issue was closed.
Description was changed from
==========
Add fuzzer for AXTree and fix a couple of bugs it found.
BUG=none
==========
to
==========
Add fuzzer for AXTree and fix a couple of bugs it found.
BUG=none
Committed: https://crrev.com/cd760f121c0701c0f7609a3437735751cf4ac416
Cr-Commit-Position: refs/heads/master@{#418308}
==========
Message was sent while issue was closed.
Patchset 3 (id:??) landed as https://crrev.com/cd760f121c0701c0f7609a3437735751cf4ac416
Cr-Commit-Position: refs/heads/master@{#418308}
Message was sent while issue was closed.
A revert of this CL (patchset #3 id:40001) has been created in https://codereview.chromium.org/2346473002/ by aberent@chromium.org.
The reason for reverting is: Caused Address Sanitizer problem with BrowserAccessibilityManagerTest.TestFatalError BUG=646777.