Issue 106742: net::URLRequestFtpJob::StartTransaction() - crash
Reported by slaw...@gmail.com, Dec 7 2011
Issue description

Crashes on Windows dev 17.0.963.0 (113143) and canary 17.0.963.1 (113335). It looks like a null ptr, but I used the security template for safety - it crashes in the browser process.

Repro:

----- crash1.html -----
<audio src="ftp://foo.bar/">
-----------------------

(1284.14b8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02d776c0 ebx=0483c8c0 ecx=00000000 edx=00000002 esi=047f9c60 edi=047f9c60
eip=579ddee7 esp=0304efd4 ebp=0304eff0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
chrome_57120000!net::URLRequestFtpJob::StartTransaction+0x1b:
579ddee7 8b01            mov     eax,dword ptr [ecx]  ds:0023:00000000=????????

ExceptionAddress: 579ddee7 (chrome_57120000!net::URLRequestFtpJob::StartTransaction+0x0000001b)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000

ChildEBP RetAddr
0304eff0 5795a8f3 chrome_57120000!net::URLRequestFtpJob::StartTransaction+0x1b
0304f008 5795a69b chrome_57120000!net::URLRequest::StartJob+0xe4
0304f020 57788365 chrome_57120000!net::URLRequest::Start+0x79
0304f070 5774ab48 chrome_57120000!ResourceQueue::AddRequest+0xa4
0304f0a0 5774ab27 chrome_57120000!ResourceDispatcherHost::InsertIntoResourceQueue+0x1a
0304f0f0 57748a46 chrome_57120000!ResourceDispatcherHost::BeginRequestInternal+0x1ec
0304f2e0 577482dc chrome_57120000!ResourceDispatcherHost::BeginRequest+0x74c
0304f2f4 5774e9fd chrome_57120000!ResourceDispatcherHost::OnRequestResource+0x19
0304f4c8 57747ff9 chrome_57120000!ResourceHostMsg_RequestResource::Dispatch<ResourceDispatcherHost,ResourceDispatcherHost,int,ResourceHostMsg_Request const &>+0x53
0304f500 57795f51 chrome_57120000!ResourceDispatcherHost::OnMessageReceived+0x147
0304f510 577471b0 chrome_57120000!ResourceMessageFilter::OnMessageReceived+0x13
0304f534 577470dc chrome_57120000!BrowserMessageFilter::DispatchMessageW+0x20
0304f570 57904886 chrome_57120000!BrowserMessageFilter::OnMessageReceived+0x33
0304f580 579048b1 chrome_57120000!IPC::ChannelProxy::Context::TryFilters+0x26
0304f58c 5712f30e chrome_57120000!IPC::ChannelProxy::Context::OnMessageReceived+0xe
0304f6fc 5712f5c8 chrome_57120000!IPC::Channel::ChannelImpl::ProcessIncomingMessages+0x15b
0304f71c 571e08e9 chrome_57120000!IPC::Channel::ChannelImpl::OnIOCompleted+0x5a
0304f750 571e07e1 chrome_57120000!base::MessagePumpForIO::WaitForIOCompletion+0x9f
0304f76c 571e02ae chrome_57120000!base::MessagePumpForIO::DoRunLoop+0x17
0304f788 571e016f chrome_57120000!base::MessagePumpWin::RunWithDispatcher+0x38
0304f794 571c721b chrome_57120000!base::MessagePumpWin::Run+0xe
0304f7a0 571c71a0 chrome_57120000!MessageLoop::RunInternal+0x31
[...]
@skylined: we've typically rated a simple, reliable crash of the browser process as SecSeverity-Low. Also, don't forget the SecImpacts labels :) In this case, a trunk-only regression qualifies as SecImpacts-None.
Dec 8 2011

And Mstone needs to be set to 17 or 18, depending on whether the regression was introduced before or after the M17 branch point. Can you take care of it?
Dec 8 2011

Will do - I didn't get around to doing that yesterday, so I assigned it to me for follow-up today.
Dec 8 2011
Affected: 17+ (dev, canary trunk)
Not affected: 15 (stable) & 16 (beta)
Dec 13 2011
Bulk edit for pending m17 beta release.
Dec 19 2011
Moving bugs marked as Available but not blockers from M17 to M18. Please move back if you think this is a blocker, and add the ReleaseBlock-Stable label. If you're able.
Jan 6 2012

skylined, have you made any progress on this one?
Jan 9 2012
No, I have no clue what's causing this. ClusterFuzz can't reproduce. This change may have something to do with it, joi@ can you have a look? http://codereview.chromium.org/8769013
Jan 9 2012

Nope, I made some assumptions based on svn blame for chrome_url_request_context.cc and the stack at the time of the crash. I'm not familiar with the code - would you know who might help me find out what the problem is here?
Jan 9 2012

This seems like it would be in the net/ code, so I would look for possibly-related changes around the time the crash got introduced, and perhaps ask one of the net/ folks like wtc@ or eroman@ to take a quick peek.
Jan 9 2012
Thanks joi, eroman@: can you help me fix this?
Feb 7 2012

@skylined: if you're not actively debugging and pushing this forward, could you find a new owner?
Feb 7 2012

Sure, I'll try to get ClusterFuzz to help me pin down the change that introduced this: https://cluster-fuzz.appspot.com/testcase?key=19176760
Feb 7 2012
@skylined: this seems to have gone two weeks without update. How is the fix progressing?
Feb 23 2012
ClusterFuzz can't reproduce. @wtc/eroman: can you help me fix this or find an owner? @scarybeasts: Not.
Feb 23 2012

I can't reproduce it either. Tested on dev 19.0.1041.0 (121843) and canary 19.0.1049.1 (123065).
Feb 23 2012

@slaweck: it's possible this was some transient regression that got taken care of shortly after it was introduced. If you're satisfied that recent builds seem ok, we can close this out.
Feb 23 2012

Last time I saw it in dev 18.0.1025.7 (120697). Yes, I think you can close this out.
Feb 23 2012
Heisenbug! Bah.
Feb 23 2012
This bug has already been fixed! See issue 112983
Oct 13 2012, Project Member
This issue has been closed for some time. No one will pay attention to new comments. If you are seeing this bug or have new data, please click New Issue to start a new bug.
Mar 10 2013, Project Member
Bulk update: removing view restriction from closed bugs.
Oct 1 2016, Project Member

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016, Project Member
Comment 1 by skylined@chromium.org, Dec 7 2011
Owner: skylined@chromium.org
Status: Assigned