
Issue 597665

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Security




AddressSanitizer: use-after-poison [@scheduler::WebThreadBase::TaskObserverAdapter::DidProcessTask

Reported by nordi...@gmail.com, Mar 24 2016

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

Steps to reproduce the problem:
I do not have a testcase at hand to reliably reproduce this, but it happens on a regular basis while fuzzing WebGL.

What is the expected behavior?

What went wrong?
Crash

Did this work before? N/A 

Chrome version: 51.0.2690.0  Channel: dev
OS Version: OS X 10.11.3
Flash Version: Shockwave Flash 21.0 r0
Attachment: crashlog.txt (17.5 KB)

Comment 1 by wfh@chromium.org, Mar 24 2016

Thanks for the report.

Looks like some kind of thread race going on here with the task scheduler on Mac. I don't think we'll be able to make much progress on this without a reliable repro. It also doesn't appear to be hitting the WebGL code?

Can you provide any more details on how to reproduce this, perhaps we can run your fuzzer on our infrastructure?

Does this also happen on other platforms other than Mac?

Comment 2 by nordi...@gmail.com, Mar 24 2016

I can send Abhishek the fuzzer, but it has no support for ClusterFuzz; maybe you can run it with rr. I have not tested it on other platforms.

Comment 3 by wfh@chromium.org, Mar 24 2016

Cc: och...@chromium.org mbarbe...@chromium.org jam@chromium.org creis@chromium.org nasko@chromium.org
Owner: infe...@chromium.org
Status: Assigned (was: Unconfirmed)
I can only think of some kind of race in content::RenderProcessHostImpl::Init when maybe lots of RenderProcessHosts are being created/destroyed as part of your fuzzing.

inferno - is there any way we can run this fuzzer here and try to repro?

Comment 4 by nordi...@gmail.com, Mar 24 2016

I have just sent the fuzzer to Abhishek.

Comment 5 by wfh@chromium.org, Mar 25 2016

Components: Internals>Core
If this is a thread race in the message pump, then it's Internals>Core. Please reassign the component if any more details are found from the fuzzer.

Comment 6 by ClusterFuzz, Mar 28 2016

Labels: Missing_Severity-1 Missing_Impact-1

Comment 7 by wfh@chromium.org, Mar 28 2016

Labels: -Missing_Severity-1 -Missing_Impact-1 Security_Severity-Low Security_Impact-Head
Until we know what the impact of these thread races is, I'm keeping this at Low.

Comment 8 by och...@chromium.org, Jun 10 2016

Status: WontFix (was: Assigned)
Since there hasn't been any response from the reporter, I'm WontFixing this.

Comment 9 by nordi...@gmail.com, Jun 11 2016

There hasn't been any response from you guys; I even sent the fuzzer for reproducing.

Comment 10 by sheriffbot@chromium.org, Sep 17 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 11 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 12 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
