Crash in content::CanvasCaptureHandler::VideoCapturerSource::StopCapture
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6041821179805696

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000018
Crash State:
  content::CanvasCaptureHandler::VideoCapturerSource::StopCapture
  content::MediaStreamVideoSource::DoStopSource
  content::MediaStreamSource::StopSource

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=381525:381877

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96iExmKJGR2MjBaELUxn1lQNAn8SVZJ9Z08JSW463EH5IEDKwocDQdlZfBtkfmguDZwl6hKAW2mgQGQs4Pd7TZq4RWbN32SfCXVkMlNWK5Lx9mnYPqGkmSBB1Fr1SCtzoKx1gkWmjkCx5LYVF7Rig1sjucJfBNeQ5q3m3D2v4VeIz78rXQ

Filer: ligimole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 23 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/7dc969b13dd7747c575ee60d8e2e498da60d3ea8

commit 7dc969b13dd7747c575ee60d8e2e498da60d3ea8
Author: emircan <emircan@chromium.org>
Date: Wed Mar 23 23:12:47 2016

Handle early destruction of CanvasCaptureHandler

Fuzz testing showed that CanvasCaptureHandler can be destructed earlier than CanvasCaptureHandler::VideoCapturerSource. Both instances are owned by Blink side objects, and destruction sequence might be different (oilpan). CanvasCaptureHandler invalidates weakptrs in dtor() on main_render_thread. We can check if weakptr is valid in StopCapture() that also runs on main_render_thread.

BUG= 597077
TEST=Added unittest "DestructHandler" to reproduce the fuzz case.

Review URL: https://codereview.chromium.org/1829563002

Cr-Commit-Position: refs/heads/master@{#382966}

[modify] https://crrev.com/7dc969b13dd7747c575ee60d8e2e498da60d3ea8/content/renderer/media/canvas_capture_handler.cc
[modify] https://crrev.com/7dc969b13dd7747c575ee60d8e2e498da60d3ea8/content/renderer/media/canvas_capture_handler.h
[modify] https://crrev.com/7dc969b13dd7747c575ee60d8e2e498da60d3ea8/content/renderer/media/canvas_capture_handler_unittest.cc
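The lifetime check the commit describes, as an added example that is not Chromium's code: std::weak_ptr stands in for base::WeakPtr, the class names only mirror the ones in the report, and the two check functions are illustrative and assumed, not the project's unit test.

```cpp
#include <memory>

// Added example, not Chromium code: std::weak_ptr stands in for the
// base::WeakPtr the commit describes; class names mirror the page only.
class CanvasCaptureHandler {
 public:
  // Called by the source when the MediaStream track is stopped.
  void StopVideoCapture() { ++stop_calls_; }
  int stop_calls() const { return stop_calls_; }

 private:
  int stop_calls_ = 0;
};

class VideoCapturerSource {
 public:
  explicit VideoCapturerSource(std::weak_ptr<CanvasCaptureHandler> handler)
      : handler_(std::move(handler)) {}

  // Before the fix the handler pointer was used unconditionally; once the
  // handler's destructor had invalidated its weak pointers, that use was a
  // null-plus-offset dereference (the small crash address in the report is
  // typical of this). After the fix the weak pointer is checked first and
  // StopCapture becomes a no-op when the handler is already gone.
  bool StopCapture() {
    std::shared_ptr<CanvasCaptureHandler> handler = handler_.lock();
    if (!handler)
      return false;  // Handler already destroyed; nothing to stop.
    handler->StopVideoCapture();
    return true;
  }

 private:
  std::weak_ptr<CanvasCaptureHandler> handler_;
};

// Assumed check mirroring the fuzz case: handler dies before the source,
// then the source is stopped (the order Oilpan can produce).
bool StopAfterHandlerDestroyedIsNoOp() {
  auto handler = std::make_shared<CanvasCaptureHandler>();
  VideoCapturerSource source(handler);  // weak_ptr taken from shared_ptr
  handler.reset();                      // handler destroyed first
  return source.StopCapture() == false;
}

// Assumed check for the normal order: the live handler is told to stop.
bool StopWithLiveHandlerForwards() {
  auto handler = std::make_shared<CanvasCaptureHandler>();
  VideoCapturerSource source(handler);
  return source.StopCapture() && handler->stop_calls() == 1;
}
```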
Mar 25 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6041821179805696

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000018
Crash State:
  content::CanvasCaptureHandler::VideoCapturerSource::StopCapture
  content::MediaStreamVideoSource::DoStopSource
  content::MediaStreamSource::StopSource

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=381525:381877

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96iExmKJGR2MjBaELUxn1lQNAn8SVZJ9Z08JSW463EH5IEDKwocDQdlZfBtkfmguDZwl6hKAW2mgQGQs4Pd7TZq4RWbN32SfCXVkMlNWK5Lx9mnYPqGkmSBB1Fr1SCtzoKx1gkWmjkCx5LYVF7Rig1sjucJfBNeQ5q3m3D2v4VeIz78rXQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ligim...@chromium.org, Mar 22 2016
Labels: M-51 Te-Logged
Owner: dalecur...@chromium.org
Status: Assigned (was: Available)