Issue 597077 link

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug
Crash in content::CanvasCaptureHandler::VideoCapturerSource::StopCapture

Project Member Reported by ClusterFuzz, Mar 22 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6041821179805696

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000018
Crash State:
  content::CanvasCaptureHandler::VideoCapturerSource::StopCapture
  content::MediaStreamVideoSource::DoStopSource
  content::MediaStreamSource::StopSource
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=381525:381877

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96iExmKJGR2MjBaELUxn1lQNAn8SVZJ9Z08JSW463EH5IEDKwocDQdlZfBtkfmguDZwl6hKAW2mgQGQs4Pd7TZq4RWbN32SfCXVkMlNWK5Lx9mnYPqGkmSBB1Fr1SCtzoKx1gkWmjkCx5LYVF7Rig1sjucJfBNeQ5q3m3D2v4VeIz78rXQ


Filer: ligimole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: chcunningham@chromium.org
Labels: M-51 Te-Logged
Owner: dalecur...@chromium.org
Status: Assigned (was: Available)
No latest changes in source files, hence looping in content/renderer/media/OWNERS for further updates.
Cc: mcasas@chromium.org
Owner: emir...@chromium.org
Cc: m...@chromium.org
Status: Started (was: Assigned)
Project Member

Comment 5 by bugdroid1@chromium.org, Mar 23 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7dc969b13dd7747c575ee60d8e2e498da60d3ea8

commit 7dc969b13dd7747c575ee60d8e2e498da60d3ea8
Author: emircan <emircan@chromium.org>
Date: Wed Mar 23 23:12:47 2016

Handle early destruction of CanvasCaptureHandler

Fuzz testing showed that CanvasCaptureHandler can be destructed
earlier than CanvasCaptureHandler::VideoCapturerSource. Both instances
are owned by Blink side objects, and destruction sequence might be
different (oilpan).

CanvasCaptureHandler invalidates weakptrs in dtor() on main_render_thread.
We can check if weakptr is valid in StopCapture() that also runs
on main_render_thread.

BUG= 597077 
TEST=Added unittest "DestructHandler" to reproduce the fuzz case.

Review URL: https://codereview.chromium.org/1829563002

Cr-Commit-Position: refs/heads/master@{#382966}

[modify] https://crrev.com/7dc969b13dd7747c575ee60d8e2e498da60d3ea8/content/renderer/media/canvas_capture_handler.cc
[modify] https://crrev.com/7dc969b13dd7747c575ee60d8e2e498da60d3ea8/content/renderer/media/canvas_capture_handler.h
[modify] https://crrev.com/7dc969b13dd7747c575ee60d8e2e498da60d3ea8/content/renderer/media/canvas_capture_handler_unittest.cc
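The commit message above describes the fix as "check if weakptr is valid in StopCapture()" so that a VideoCapturerSource outliving its CanvasCaptureHandler no longer touches a destroyed object. The following is an added illustration of that pattern, not the Chromium change itself: it models base::WeakPtr / WeakPtrFactory with std::shared_ptr / std::weak_ptr, and the class names, the log vector and the two teardown orders are constructed here to mirror the "DestructHandler" scenario the commit mentions.

```cpp
// Added example (not Chromium code). Models the ownership relation from the
// commit message with std::shared_ptr / std::weak_ptr in place of base::WeakPtr.
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Stand-in for CanvasCaptureHandler. In Chromium a WeakPtrFactory invalidates
// outstanding weak pointers in the destructor; here the shared_ptr control block
// does the same job once the last owner drops the object.
class CanvasCaptureHandler {
 public:
  explicit CanvasCaptureHandler(std::vector<std::string>* log) : log_(log) {}
  ~CanvasCaptureHandler() { log_->push_back("handler destroyed"); }

  void StartCapture() { capturing_ = true; }
  void StopCapture() {
    capturing_ = false;
    log_->push_back("handler stopped");
  }
  bool capturing() const { return capturing_; }

 private:
  std::vector<std::string>* log_;
  bool capturing_ = false;
};

// Stand-in for CanvasCaptureHandler::VideoCapturerSource: owned separately
// (by a different Blink-side object) and holding only a weak reference.
class VideoCapturerSource {
 public:
  VideoCapturerSource(std::weak_ptr<CanvasCaptureHandler> handler,
                      std::vector<std::string>* log)
      : handler_(std::move(handler)), log_(log) {}

  // Hardened StopCapture: promote the weak pointer before use. Both objects
  // live on the same thread in the real code, so a successful lock cannot race
  // with the handler's destructor; if the handler is already gone, skip.
  bool StopCapture() {
    if (auto handler = handler_.lock()) {
      handler->StopCapture();
      return true;
    }
    log_->push_back("source: handler already gone, skipping");
    return false;
  }

 private:
  std::weak_ptr<CanvasCaptureHandler> handler_;
  std::vector<std::string>* log_;
};

// Normal teardown: the source stops before the handler is released.
std::vector<std::string> RunNormalOrder() {
  std::vector<std::string> log;
  auto handler = std::make_shared<CanvasCaptureHandler>(&log);
  VideoCapturerSource source(handler, &log);
  handler->StartCapture();
  source.StopCapture();
  handler.reset();
  return log;
}

// The fuzz case ("DestructHandler"): the handler dies first, and the source's
// StopCapture must complete without dereferencing freed memory.
std::vector<std::string> RunDestructHandlerFirst() {
  std::vector<std::string> log;
  auto handler = std::make_shared<CanvasCaptureHandler>(&log);
  VideoCapturerSource source(handler, &log);
  handler->StartCapture();
  handler.reset();       // destructor runs, weak pointers become invalid
  source.StopCapture();  // takes the "already gone" branch
  return log;
}

bool StopCaptureSurvivesEarlyDestruction() {
  std::vector<std::string> log = RunDestructHandlerFirst();
  return log.size() == 2 && log[0] == "handler destroyed" &&
         log[1] == "source: handler already gone, skipping";
}

int main() {
  for (const auto& line : RunNormalOrder()) std::cout << line << "\n";
  std::cout << "--\n";
  for (const auto& line : RunDestructHandlerFirst()) std::cout << line << "\n";
  return StopCaptureSurvivesEarlyDestruction() ? 0 : 1;
}
```

The security-relevant point is that a raw pointer in the source would have been dereferenced after the handler's destructor ran, which is the use-after-free the SyzyASan build reported as a crash at address 0x00000018; the weak-pointer check turns the bad ordering into a no-op instead.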

Project Member

Comment 6 by ClusterFuzz, Mar 25 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6041821179805696

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000018
Crash State:
  content::CanvasCaptureHandler::VideoCapturerSource::StopCapture
  content::MediaStreamVideoSource::DoStopSource
  content::MediaStreamSource::StopSource
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=381525:381877

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96iExmKJGR2MjBaELUxn1lQNAn8SVZJ9Z08JSW463EH5IEDKwocDQdlZfBtkfmguDZwl6hKAW2mgQGQs4Pd7TZq4RWbN32SfCXVkMlNWK5Lx9mnYPqGkmSBB1Fr1SCtzoKx1gkWmjkCx5LYVF7Rig1sjucJfBNeQ5q3m3D2v4VeIz78rXQ


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Started)
Project Member

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot