
Issue metadata

Status: Fixed
Owner:
Closed: Dec 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security


ASan reports a use-after-free in IndexedDBBrowserTest.Bug109187Test

Project Member Reported by glider@chromium.org, Aug 13 2012

Issue description

See http://build.chromium.org/p/chromium.memory/builders/Chromium%20OS%20ASAN%20Tests%20%281%29/builds/899/steps/content_browsertests/logs/stdio :

[ RUN      ] IndexedDBBrowserTest.Bug109187Test
[4941:4941:0813/033052:1860087873:WARNING:zygote_host_impl_linux.cc(146)] Running without the SUID sandbox! See http://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment for more information on developing with the sandbox on.
Xlib:  extension "GLX" missing on display ":9.0".
[4941:4941:0813/033052:1860108477:ERROR:gl_surface_glx.cc(57)] glxQueryVersion failed
[4941:4941:0813/033052:1860108546:ERROR:gl_surface_linux.cc(58)] GLSurfaceGLX::InitializeOneOff failed.
[4941:4941:0813/033052:1860108577:ERROR:compositor.cc(79)] Could not load the GL bindings
[4941:4941:0813/033052:1860145741:ERROR:proxy_service.cc(1413)] ProxyConfigService for ChromeOS should be created in profile_io_data.cc::CreateProxyConfigService and this should be used only for examples.
[4941:4951:0813/033052:1860146877:WARNING:proxy_service.cc(966)] PAC support disabled because there is no system implementation
Xlib:  extension "RANDR" missing on display ":9.0".
Xlib:  extension "RANDR" missing on display ":9.0".
=================================================================
==4941== ERROR: AddressSanitizer heap-use-after-free on address 0x7f9d1375fb00 at pc 0x2f22494 bp 0x7f9d0d9e90f0 sp 0x7f9d0d9e90e8
READ of size 8 at 0x7f9d1375fb00 thread T8
    #0 0x2f22493 in quota::ClientUsageTracker::GatherUsageTaskBase::GetUsageForOrigins(std::set<GURL, std::less<GURL>, std::allocator<GURL> > const&, quota::StorageType) ???:0
    #1 0x59b3236 in fileapi::(anonymous namespace)::DidGetOrigins(base::Callback<void ()(std::set<GURL, std::less<GURL>, std::allocator<GURL> > const&, quota::StorageType)> const&, std::set<GURL, std::less<GURL>, std::allocator<GURL> >*, quota::StorageType) ../../webkit/fileapi/file_system_quota_client.cc:0
    #2 0xb875e9 in base::(anonymous namespace)::PostTaskAndReplyRelay::RunReplyAndSelfDestruct() ../../base/threading/post_task_and_reply_impl.cc:0
    #3 0xb2017c in MessageLoop::RunTask(base::PendingTask const&) ???:0
    #4 0xb2071f in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) ???:0
    #5 0xb2152a in MessageLoop::DoWork() ???:0
    #6 0xade402 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ???:0
    #7 0xb1eec5 in MessageLoop::RunInternal() ???:0
    #8 0xb5f8f1 in base::RunLoop::Run() ???:0
    #9 0xb1d2f6 in MessageLoop::Run() ???:0
    #10 0x1500227 in content::BrowserThreadImpl::IOThreadRun(MessageLoop*) ???:0
    #11 0x150051e in content::BrowserThreadImpl::Run(MessageLoop*) ???:0
    #12 0xb8890c in base::Thread::ThreadMain() ???:0
    #13 0xb869c7 in base::(anonymous namespace)::ThreadFunc(void*) ../../base/threading/platform_thread_posix.cc:0
    #14 0x6ebdc1b in __asan::AsanThread::ThreadStart() ??:0
0x7f9d1375fb00 is located 128 bytes inside of 352-byte region [0x7f9d1375fa80,0x7f9d1375fbe0)
freed by thread T8 here:
    #0 0x6ec3c20 in operator delete(void*) ??:0
    #1 0x2f1250d in quota::UsageTracker::~UsageTracker() ???:0
    #2 0x2f1241d in quota::UsageTracker::~UsageTracker() ???:0
    #3 0x2ef477f in quota::QuotaManager::~QuotaManager() ???:0
    #4 0x2ef422d in quota::QuotaManager::~QuotaManager() ???:0
    #5 0xb2017c in MessageLoop::RunTask(base::PendingTask const&) ???:0
    #6 0xb2071f in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) ???:0
    #7 0xb2152a in MessageLoop::DoWork() ???:0
    #8 0xade402 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ???:0
    #9 0xb1eec5 in MessageLoop::RunInternal() ???:0
    #10 0xb5f8f1 in base::RunLoop::Run() ???:0
    #11 0xb1d2f6 in MessageLoop::Run() ???:0
    #12 0x1500227 in content::BrowserThreadImpl::IOThreadRun(MessageLoop*) ???:0
    #13 0x150051e in content::BrowserThreadImpl::Run(MessageLoop*) ???:0
    #14 0xb8890c in base::Thread::ThreadMain() ???:0
    #15 0xb869c7 in base::(anonymous namespace)::ThreadFunc(void*) ../../base/threading/platform_thread_posix.cc:0
    #16 0x6ebdc1b in __asan::AsanThread::ThreadStart() ??:0
previously allocated by thread T8 here:
    #0 0x6ec3aa0 in operator new(unsigned long) ??:0
    #1 0x2f12258 in quota::UsageTracker::UsageTracker(std::list<quota::QuotaClient*, std::allocator<quota::QuotaClient*> > const&, quota::StorageType, quota::SpecialStoragePolicy*) ???:0
    #2 0x2ef155e in quota::QuotaManager::LazyInitialize() ???:0
    #3 0x2ef4cae in quota::QuotaManager::NotifyStorageAccessedInternal(quota::QuotaClient::ID, GURL const&, quota::StorageType, base::Time) ???:0
    #4 0x2efb555 in quota::QuotaManagerProxy::NotifyStorageAccessed(quota::QuotaClient::ID, GURL const&, quota::StorageType) ???:0
    #5 0xb2017c in MessageLoop::RunTask(base::PendingTask const&) ???:0
    #6 0xb2071f in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) ???:0
    #7 0xb2152a in MessageLoop::DoWork() ???:0
    #8 0xade402 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ???:0
    #9 0xb1eec5 in MessageLoop::RunInternal() ???:0
    #10 0xb5f8f1 in base::RunLoop::Run() ???:0
    #11 0xb1d2f6 in MessageLoop::Run() ???:0
    #12 0x1500227 in content::BrowserThreadImpl::IOThreadRun(MessageLoop*) ???:0
    #13 0x150051e in content::BrowserThreadImpl::Run(MessageLoop*) ???:0
    #14 0xb8890c in base::Thread::ThreadMain() ???:0
    #15 0xb869c7 in base::(anonymous namespace)::ThreadFunc(void*) ../../base/threading/platform_thread_posix.cc:0
    #16 0x6ebdc1b in __asan::AsanThread::ThreadStart() ??:0
Thread T8 created by T0 here:
    #0 0x6eb74e4 in __interceptor_pthread_create ??:0
    #1 0xb865db in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, unsigned long*, base::ThreadPriority) ../../base/threading/platform_thread_posix.cc:0
    #2 0xb864bc in base::PlatformThread::Create(unsigned long, base::PlatformThread::Delegate*, unsigned long*) ???:0
    #3 0xb88144 in base::Thread::StartWithOptions(base::Thread::Options const&) ???:0
    #4 0x173027d in content::BrowserMainLoop::CreateThreads() ???:0
    #5 0x14fe036 in (anonymous namespace)::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) ../../content/browser/browser_main_runner.cc:0
    #6 0x14fd7da in BrowserMain(content::MainFunctionParams const&) ???:0
    #7 0x95dfb3 in BrowserTestBase::SetUp() ???:0
    #8 0x6b5140 in content::ContentBrowserTest::SetUp() ???:0
    #9 0x14c41b0 in testing::Test::Run() ???:0
    #10 0x14c6294 in testing::TestInfo::Run() ???:0
    #11 0x14c76db in testing::TestCase::Run() ???:0
    #12 0x14d4155 in testing::internal::UnitTestImpl::RunAllTests() ???:0
    #13 0x14d36bb in testing::UnitTest::Run() ???:0
    #14 0xad7235 in base::TestSuite::Run() ???:0
    #15 0x6b89a3 in content::ContentTestLauncherDelegate::RunTestSuite(int, char**) ???:0
    #16 0x9730b1 in test_launcher::LaunchTests(test_launcher::TestLauncherDelegate*, int, char**) ???:0
    #17 0x6b8635 in main ???:0
    #18 0x7f9d1626fc4d in __libc_start_main /build/buildd/eglibc-2.11.1/csu/libc-start.c:258
==4941== ABORTING
Stats: 22M malloced (16M for red zones) by 27274 calls
Stats: 0M realloced by 420 calls
Stats: 20M freed by 18884 calls
Stats: 0M really freed by 0 calls
Stats: 72M (18445 full pages) mmaped in 18 calls
  mmaps   by size class: 8:32766; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:512; 15:128; 16:128; 17:32; 19:8; 21:4; 22:2;
  mallocs by size class: 8:22156; 9:2607; 10:1097; 11:696; 12:229; 13:36; 14:309; 15:26; 16:102; 17:9; 19:2; 21:3; 22:2;
  frees   by size class: 8:14731; 9:1999; 10:934; 11:602; 12:170; 13:23; 14:301; 15:18; 16:99; 19:2; 21:3; 22:2;
  rfrees  by size class:
Stats: malloc large: 16 small slow: 221
Shadow byte and word:
  0x1ff3a26ebf60: fd
  0x1ff3a26ebf60: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ff3a26ebf40: fa fa fa fa fa fa fa fa
  0x1ff3a26ebf48: fa fa fa fa fa fa fa fa
  0x1ff3a26ebf50: fd fd fd fd fd fd fd fd
  0x1ff3a26ebf58: fd fd fd fd fd fd fd fd
=>0x1ff3a26ebf60: fd fd fd fd fd fd fd fd
  0x1ff3a26ebf68: fd fd fd fd fd fd fd fd
  0x1ff3a26ebf70: fd fd fd fd fd fd fd fd
  0x1ff3a26ebf78: fd fd fd fd fd fd fd fd
  0x1ff3a26ebf80: fa fa fa fa fa fa fa fa
 

Comment 1 by kinuko@chromium.org, Aug 13 2012

Owner: kinuko@chromium.org
Status: Assigned
I think I found the cause.  I *think* this is indirectly caused by r150290.
The ASAN result looks flaky (we cannot repro the ASAN crash locally) but let me run several try jobs with the plausible fix.

Comment 2 by kinuko@chromium.org, Aug 14 2012

Cc: nhiroki@chromium.org dgro...@chromium.org alecflett@chromium.org
Issue 142443 has been merged into this issue.

Comment 3 by jsb...@chromium.org, Aug 14 2012

Issue 142443 has been merged into this issue.

Comment 4 by bugdroid1@chromium.org, Aug 14 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=151429

------------------------------------------------------------------------
r151429 | kinuko@chromium.org | 2012-08-14T06:10:56.667922Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/quota/usage_tracker.cc?r1=151429&r2=151428&pathrev=151429
   M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/quota/usage_tracker.h?r1=151429&r2=151428&pathrev=151429

Quota UsageTracker ASAN fix

BUG= 142310 

Review URL: https://chromiumcodereview.appspot.com/10827298
------------------------------------------------------------------------
Looks like this is happening again.
http://build.chromium.org/p/chromium.memory/builders/Chromium%20OS%20ASAN%20Tests%20%281%29/builds/1129/steps/content_browsertests/logs/Bug109187Test

IndexedDBBrowserTest.Bug109187Test: 
[6005:6005:0820/125017:2004485454:WARNING:zygote_host_impl_linux.cc(146)] Running without the SUID sandbox! See http://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment for more information on developing with the sandbox on.
Xlib:  extension "GLX" missing on display ":9.0".
[6005:6005:0820/125017:2004505160:ERROR:gl_surface_glx.cc(57)] glxQueryVersion failed
[6005:6005:0820/125017:2004505226:ERROR:gl_surface_linux.cc(58)] GLSurfaceGLX::InitializeOneOff failed.
[6005:6005:0820/125017:2004505256:ERROR:compositor.cc(80)] Could not load the GL bindings
[6005:6005:0820/125017:2004542085:ERROR:proxy_service.cc(1414)] ProxyConfigService for ChromeOS should be created in profile_io_data.cc::CreateProxyConfigService and this should be used only for examples.
[6005:6015:0820/125017:2004543557:WARNING:proxy_service.cc(967)] PAC support disabled because there is no system implementation
Xlib:  extension "RANDR" missing on display ":9.0".
Xlib:  extension "RANDR" missing on display ":9.0".
=================================================================
==6005== ERROR: AddressSanitizer heap-use-after-free on address 0x7f0d94324e80 at pc 0x2f91d02 bp 0x7f0d8e5ac820 sp 0x7f0d8e5ac818
READ of size 8 at 0x7f0d94324e80 thread T8
    #0 0x2f91d01 in base::DeleteHelper<quota::QuotaTask>::DoDelete(void const*) ???:0
    #1 0xb2ce09 in MessageLoop::RunTask(base::PendingTask const&) ???:0
    #2 0xb2d39f in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) ???:0
    #3 0xb2e195 in MessageLoop::DoWork() ???:0
    #4 0xaecd22 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ???:0
    #5 0xb2bb5c in MessageLoop::RunInternal() ???:0
    #6 0xb6c051 in base::RunLoop::Run() ???:0
    #7 0xb29fe6 in MessageLoop::Run() ???:0
    #8 0x1571b97 in content::BrowserThreadImpl::IOThreadRun(MessageLoop*) ???:0
    #9 0x1571e7e in content::BrowserThreadImpl::Run(MessageLoop*) ???:0
    #10 0xb94ccc in base::Thread::ThreadMain() ???:0
    #11 0xb92dc7 in base::(anonymous namespace)::ThreadFunc(void*) ../../base/threading/platform_thread_posix.cc:0
    #12 0x6f5e42b in __asan::AsanThread::ThreadStart() ??:0
0x7f0d94324e80 is located 0 bytes inside of 224-byte region [0x7f0d94324e80,0x7f0d94324f60)
freed by thread T8 here:
    #0 0x6f641a0 in operator delete(void*) ??:0
    #1 0xb2ce09 in MessageLoop::RunTask(base::PendingTask const&) ???:0
    #2 0xb2d39f in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) ???:0
    #3 0xb2e195 in MessageLoop::DoWork() ???:0
    #4 0xaecd22 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ???:0
    #5 0xb2bb5c in MessageLoop::RunInternal() ???:0
    #6 0xb6c051 in base::RunLoop::Run() ???:0
    #7 0xb29fe6 in MessageLoop::Run() ???:0
    #8 0x1571b97 in content::BrowserThreadImpl::IOThreadRun(MessageLoop*) ???:0
    #9 0x1571e7e in content::BrowserThreadImpl::Run(MessageLoop*) ???:0
    #10 0xb94ccc in base::Thread::ThreadMain() ???:0
    #11 0xb92dc7 in base::(anonymous namespace)::ThreadFunc(void*) ../../base/threading/platform_thread_posix.cc:0
    #12 0x6f5e42b in __asan::AsanThread::ThreadStart() ??:0
previously allocated by thread T8 here:
    #0 0x6f64020 in operator new(unsigned long) ??:0
    #1 0x2f98c3f in quota::ClientUsageTracker::GetGlobalUsage(base::Callback<void ()(quota::StorageType, long, long)> const&) ???:0
    #2 0x2f98605 in quota::UsageTracker::GetGlobalUsage(base::Callback<void ()(quota::StorageType, long, long)> const&) ???:0
    #3 0x2f8ddfb in quota::QuotaManager::UsageAndQuotaDispatcherTaskForTemporary::RunBody() ???:0
    #4 0x2f8a63b in quota::QuotaManager::UsageAndQuotaDispatcherTask::Run() ???:0
    #5 0x2f8fcc8 in quota::QuotaTask::Start() ???:0
    #6 0x2f8076d in quota::QuotaManager::DidRunInitializeTask() ???:0
    #7 0x2f90002 in quota::QuotaTask::CallCompleted() ???:0
    #8 0xb2ce09 in MessageLoop::RunTask(base::PendingTask const&) ???:0
    #9 0xb2d39f in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) ???:0
    #10 0xb2e195 in MessageLoop::DoWork() ???:0
    #11 0xaecd22 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ???:0
    #12 0xb2bb5c in MessageLoop::RunInternal() ???:0
    #13 0xb6c051 in base::RunLoop::Run() ???:0
    #14 0xb29fe6 in MessageLoop::Run() ???:0
    #15 0x1571b97 in content::BrowserThreadImpl::IOThreadRun(MessageLoop*) ???:0
    #16 0x1571e7e in content::BrowserThreadImpl::Run(MessageLoop*) ???:0
    #17 0xb94ccc in base::Thread::ThreadMain() ???:0
    #18 0xb92dc7 in base::(anonymous namespace)::ThreadFunc(void*) ../../base/threading/platform_thread_posix.cc:0
    #19 0x6f5e42b in __asan::AsanThread::ThreadStart() ??:0
Thread T8 created by T0 here:
    #0 0x6f57714 in __interceptor_pthread_create ??:0
    #1 0xb929db in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, unsigned long*, base::ThreadPriority) ../../base/threading/platform_thread_posix.cc:0
    #2 0xb928bc in base::PlatformThread::Create(unsigned long, base::PlatformThread::Delegate*, unsigned long*) ???:0
    #3 0xb94508 in base::Thread::StartWithOptions(base::Thread::Options const&) ???:0
    #4 0x17a0caa in content::BrowserMainLoop::CreateThreads() ???:0
    #5 0x156f9b5 in (anonymous namespace)::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) ../../content/browser/browser_main_runner.cc:0
    #6 0x156f17a in BrowserMain(content::MainFunctionParams const&) ???:0
    #7 0x969228 in content::BrowserTestBase::SetUp() ???:0
    #8 0x6bd505 in content::ContentBrowserTest::SetUp() ???:0
    #9 0x1536005 in testing::Test::Run() ???:0
    #10 0x153808f in testing::TestInfo::Run() ???:0
    #11 0x15394c7 in testing::TestCase::Run() ???:0
    #12 0x1545ebe in testing::internal::UnitTestImpl::RunAllTests() ???:0
    #13 0x1545483 in testing::UnitTest::Run() ???:0
    #14 0xae5c10 in base::TestSuite::Run() ???:0
    #15 0x6c0d03 in content::ContentTestLauncherDelegate::RunTestSuite(int, char**) ???:0
    #16 0x976c9c in test_launcher::LaunchTests(test_launcher::TestLauncherDelegate*, int, char**) ???:0
    #17 0x6c0995 in main ???:0
    #18 0x7f0d9704ac4d in __libc_start_main /build/buildd/eglibc-2.11.1/csu/libc-start.c:258
Shadow byte and word:
  0x1fe1b28649d0: fd
  0x1fe1b28649d0: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1fe1b28649b0: fa fa fa fa fa fa fa fa
  0x1fe1b28649b8: fa fa fa fa fa fa fa fa
  0x1fe1b28649c0: fa fa fa fa fa fa fa fa
  0x1fe1b28649c8: fa fa fa fa fa fa fa fa
=>0x1fe1b28649d0: fd fd fd fd fd fd fd fd
  0x1fe1b28649d8: fd fd fd fd fd fd fd fd
  0x1fe1b28649e0: fd fd fd fd fd fd fd fd
  0x1fe1b28649e8: fd fd fd fd fd fd fd fd
  0x1fe1b28649f0: fa fa fa fa fa fa fa fa
Stats: 22M malloced (15M for red zones) by 27135 calls
Stats: 0M realloced by 420 calls
Stats: 20M freed by 18791 calls
Stats: 0M really freed by 0 calls
Stats: 68M (17420 full pages) mmaped in 17 calls
  mmaps   by size class: 8:32766; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:256; 15:128; 16:128; 17:32; 19:8; 21:4; 22:2;
  mallocs by size class: 8:22062; 9:2586; 10:1086; 11:687; 12:229; 13:112; 14:233; 15:26; 16:98; 17:9; 19:2; 21:3; 22:2;
  frees   by size class: 8:14678; 9:1974; 10:932; 11:593; 12:170; 13:99; 14:225; 15:18; 16:95; 19:2; 21:3; 22:2;
  rfrees  by size class:
Stats: malloc large: 16 small slow: 214
==6005== ABORTING

Comment 6 by kinuko@chromium.org, Aug 21 2012

OK, thanks. I think I know what's happening.

Comment 7 by bugdroid1@chromium.org, Aug 21 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=152532

------------------------------------------------------------------------
r152532 | kinuko@chromium.org | 2012-08-21T08:52:11.971427Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/quota/quota_task.cc?r1=152532&r2=152531&pathrev=152532
   M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/quota/quota_task.h?r1=152532&r2=152531&pathrev=152532

Quota double-delete fix

BUG= 142310 


Review URL: https://chromiumcodereview.appspot.com/10832407
------------------------------------------------------------------------
Can this double-free case be triggered over the web, or is this test-only? We need to make sure we track it with proper security flags if needed.

Comment 9 by kinuko@chromium.org, Aug 21 2012

In a strict sense yes, this could happen during the browser process shutdown sequence.
Labels: -Type-Bug Type-Security Restrict-View-SecurityNotify SecSeverity-Medium OS-All Mstone-22 Merge-Approved
Status: FixUnreleased

Comment 11 by bugdroid1@chromium.org, Sep 5 2012

Labels: -Merge-Approved merge-merged-1229
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=154998

------------------------------------------------------------------------
r154998 | cevans@chromium.org | 2012-09-05T19:54:24.020373Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/1229/src/webkit/quota/quota_task.cc?r1=154998&r2=154997&pathrev=154998
   M http://src.chromium.org/viewvc/chrome/branches/1229/src/webkit/quota/quota_task.h?r1=154998&r2=154997&pathrev=154998

Merge 152532 - Quota double-delete fix

BUG= 142310 


Review URL: https://chromiumcodereview.appspot.com/10832407

TBR=kinuko@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10913093
------------------------------------------------------------------------

Comment 12 by bugdroid1@chromium.org, Oct 14 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Status: Fixed

Comment 14 by bugdroid1@chromium.org, Jan 18 2013

Labels: Restrict-View-EditIssue
Restrict-View-EditIssue is preferred since it allows anyone who can edit an issue (committers and contributors) to view the bug.

Comment 15 by bugdroid1@chromium.org, Jan 18 2013

Restrict-View-EditIssue is preferred since it allows anyone who can edit an issue (committers and contributors) to view the bug.

Comment 16 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-WebKit -Stability-AddressSanitizer -SecSeverity-Medium -Mstone-22 Cr-Content Security-Severity-Medium M-22 Performance-Memory-AddressSanitizer Type-Bug-Security

Comment 17 by bugdroid1@chromium.org, Mar 14 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue

Comment 19 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Medium Security_Severity-Medium

Comment 20 by bugdroid1@chromium.org, Apr 1 2013

Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer

Comment 21 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content Cr-Blink

Comment 22 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 23 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
