Issue metadata
Sign in to add a comment
|
Crash in blink::PtrStorageImpl<blink::Prerender, |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4660279727620096 Fuzzer: inferno_layout_test_unmodified Job Type: linux_asan_chrome_v8_arm Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x00000004 Crash State: blink::PtrStorageImpl<blink::Prerender, blink::WebPrerender::reset std::__1::__tree<std::__1::__value_type<int, blink::WebPrerender>, std::__1::__m Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=385989:386017 Minimized Testcase (0.02 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv951aab40X7yHCVJHqzGTxsxKDeVBQ212UHhCN9jQOoluhdWumexuJSIrwH5tgzkqTG5iro4CTczONrZpjZ0v4COUn9GMWlMRScy3spnhaG1QL1BMxfGR6gGFSMGWiLWKIYD3PDjU__O6zEiufJbttMuR-cUxg <link rel="next"> Additional requirements: Requires Gestures Filer: tkonchada See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 11 2016
Reinventing issue 414402. i.e., an old crash condition with a new blame CL.
,
Apr 11 2016
The new crash stack makes the problem clearer though, attempting to access (during at-exit handling) the Oilpan heap after it has already shut down. I think we need to forcefully abandon the prerender object upon disposing; let me try.
,
Apr 11 2016
,
Apr 19 2016
ClusterFuzz has detected this issue as fixed in range 387601:387928. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4660279727620096 Fuzzer: inferno_layout_test_unmodified Job Type: linux_asan_chrome_v8_arm Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x00000004 Crash State: blink::PtrStorageImpl<blink::Prerender, blink::WebPrerender::reset std::__1::__tree<std::__1::__value_type<int, blink::WebPrerender>, std::__1::__m Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=385989:386017 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=387601:387928 Minimized Testcase (0.02 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv951aab40X7yHCVJHqzGTxsxKDeVBQ212UHhCN9jQOoluhdWumexuJSIrwH5tgzkqTG5iro4CTczONrZpjZ0v4COUn9GMWlMRScy3spnhaG1QL1BMxfGR6gGFSMGWiLWKIYD3PDjU__O6zEiufJbttMuR-cUxg <link rel="next"> Additional requirements: Requires Gestures See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by tkonch...@chromium.org
, Apr 11 2016Labels: findit-for-crash Te-Logged M-51
Owner: haraken@chromium.org
Status: Assigned (was: Available)