Use-after-poison in blink::MediaStreamSource::setReadyState
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4672960127827968
Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Use-after-poison READ 8
Crash Address: 0x7eefcd9ec2d0
Crash State:
  blink::MediaStreamSource::setReadyState
  content::MediaStreamVideoSource::SetReadyState
  content::MediaStreamVideoSource::DoStopSource
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=386017:386043
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95rUVXqH3qa6Yy5ewYbZTMA55gwj7_FHYHRr2wygclMo77UAaeurwT2FGarKQdXZKqYXyRRcEOY9UOz60gEjulPhRfNAtX0lovJFa3ZLa6V7uJ1NxcY63sPmI7pLj3LIR525h0E-n7XM7paMMmRvnSFBElbYZTmv4s4A-dsSuJ6VO43e5Q
Additional requirements: Requires Gestures
Additional requirements: Requires HTTP
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 11 2016
Apr 11 2016
Apr 11 2016
Apr 11 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4672960127827968
Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Use-after-poison READ 8
Crash Address: 0x7eefcd9ec2d0
Crash State:
  blink::MediaStreamSource::setReadyState
  content::MediaStreamVideoSource::SetReadyState
  content::MediaStreamVideoSource::DoStopSource
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=386017:386043
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95rUVXqH3qa6Yy5ewYbZTMA55gwj7_FHYHRr2wygclMo77UAaeurwT2FGarKQdXZKqYXyRRcEOY9UOz60gEjulPhRfNAtX0lovJFa3ZLa6V7uJ1NxcY63sPmI7pLj3LIR525h0E-n7XM7paMMmRvnSFBElbYZTmv4s4A-dsSuJ6VO43e5Q
Additional requirements: Requires Gestures
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 11 2016
Stack trace:
#0 0x7f7e6e540ce7 in get third_party/WebKit/Source/platform/heap/Handle.h:823:29
#1 0x7f7e6e540ce7 in operator==<blink::MediaStreamSource::Observer, blink::MediaStreamSource::Observer> third_party/WebKit/Source/platform/heap/Handle.h:998
#2 0x7f7e6e540ce7 in isEmptyValue<blink::WeakMember<blink::MediaStreamSource::Observer> > third_party/WebKit/Source/wtf/HashTraits.h:258
#3 0x7f7e6e540ce7 in isHashTraitsEmptyValue<WTF::HashTraits<blink::WeakMember<blink::MediaStreamSource::Observer> >, blink::WeakMember<blink::MediaStreamSource::Observer> > third_party/WebKit/Source/wtf/HashTraits.h:262
#4 0x7f7e6e540ce7 in isEmptyBucket third_party/WebKit/Source/wtf/HashTable.h:319
#5 0x7f7e6e540ce7 in isEmptyOrDeletedBucket third_party/WebKit/Source/wtf/HashTable.h:321
#6 0x7f7e6e540ce7 in isEmptyOrDeletedBucket third_party/WebKit/Source/wtf/HashTable.h:487
#7 0x7f7e6e540ce7 in skipEmptyBuckets third_party/WebKit/Source/wtf/HashTable.h:124
#8 0x7f7e6e540ce7 in operator++ third_party/WebKit/Source/wtf/HashTable.h:176
#9 0x7f7e6e540ce7 in operator++ third_party/WebKit/Source/wtf/HashTable.h:1437
#10 0x7f7e6e540ce7 in blink::MediaStreamSource::setReadyState(blink::MediaStreamSource::ReadyState) third_party/WebKit/Source/platform/mediastream/MediaStreamSource.cpp:56
#11 0x7f7e7bd945e2 in content::MediaStreamVideoSource::SetReadyState(blink::WebMediaStreamSource::ReadyState) content/renderer/media/media_stream_video_source.cc:565:5
#12 0x7f7e7bd91144 in content::MediaStreamVideoSource::DoStopSource() content/renderer/media/media_stream_video_source.cc:424:3
#13 0x7f7e7bd821e1 in content::MediaStreamSource::StopSource() content/renderer/media/media_stream_source.cc:19:3
#14 0x7f7e7be0a021 in StopLocalSource content/renderer/media/user_media_client_impl.cc:1038:3
#15 0x7f7e7be0a021 in content::UserMediaClientImpl::FrameWillClose() content/renderer/media/user_media_client_impl.cc:1000
#16 0x7f7e7bb1f3ee in content::RenderFrameImpl::willClose(blink::WebFrame*) content/renderer/render_frame_impl.cc:2721:3
#17 0x7f7e70ece847 in blink::FrameLoaderClientImpl::dispatchWillClose() third_party/WebKit/Source/web/FrameLoaderClientImpl.cpp:484:9
#18 0x7f7e74b1c604 in blink::FrameLoader::prepareForCommit() third_party/WebKit/Source/core/loader/FrameLoader.cpp:1065:9
#19 0x7f7e74b1d287 in blink::FrameLoader::commitProvisionalLoad() third_party/WebKit/Source/core/loader/FrameLoader.cpp:1108:10
#20 0x7f7e74aa3fb3 in commitIfReady third_party/WebKit/Source/core/loader/DocumentLoader.cpp:238:9
#21 0x7f7e74aa3fb3 in blink::DocumentLoader::processData(char const*, unsigned long) third_party/WebKit/Source/core/loader/DocumentLoader.cpp:520
#22 0x7f7e74aa3b6c in blink::DocumentLoader::dataReceived(blink::Resource*, char const*, unsigned long) third_party/WebKit/Source/core/loader/DocumentLoader.cpp:498:5
#23 0x7f7e744e125c in blink::RawResource::appendData(char const*, unsigned long) third_party/WebKit/Source/core/fetch/RawResource.cpp:99:9
#24 0x7f7e74554dd4 in blink::ResourceLoader::didReceiveData(blink::WebURLLoader*, char const*, int, int) third_party/WebKit/Source/core/fetch/ResourceLoader.cpp:323:5
#25 0x7f7e833e721b in content::WebURLLoaderImpl::Context::OnReceivedData(std::__1::unique_ptr<content::RequestPeer::ReceivedData, std::__1::default_delete<content::RequestPeer::ReceivedData> >) content/child/web_url_loader_impl.cc:718:5
#26 0x7f7e833e8ba3 in content::WebURLLoaderImpl::RequestPeerImpl::OnReceivedData(std::__1::unique_ptr<content::RequestPeer::ReceivedData, std::__1::default_delete<content::RequestPeer::ReceivedData> >) content/child/web_url_loader_impl.cc:887:3
#27 0x7f7e833585c3 in content::ResourceDispatcher::OnReceivedData(int, int, int, int) content/child/resource_dispatcher.cc:283:5
#28 0x7f7e833634fd in DispatchToMethodImpl<content::ResourceDispatcher *, void (content::ResourceDispatcher::*)(int, int, int, int), int, int, int, int, 0, 1, 2, 3> base/tuple.h:166:3
#29 0x7f7e833634fd in DispatchToMethod<content::ResourceDispatcher *, void (content::ResourceDispatcher::*)(int, int, int, int), int, int, int, int> base/tuple.h:173
#30 0x7f7e833634fd in DispatchToMethod<content::ResourceDispatcher, void (content::ResourceDispatcher::*)(int, int, int, int), void, std::__1::tuple<int, int, int, int> > ipc/ipc_message_templates.h:26
#31 0x7f7e833634fd in bool IPC::MessageT<ResourceMsg_DataReceived_Meta, std::__1::tuple<int, int, int, int>, void>::Dispatch<content::ResourceDispatcher, content::ResourceDispatcher, void, void (content::ResourceDispatcher::*)(int, int, int, int)>(IPC::Message const*, content::ResourceDispatcher*, content::ResourceDispatcher*, void*, void (content::ResourceDispatcher::*)(int, int, int, int)) ipc/ipc_message_templates.h:121
#32 0x7f7e833507c6 in content::ResourceDispatcher::DispatchMessage(IPC::Message const&) content/child/resource_dispatcher.cc:510:5
#33 0x7f7e8334e930 in content::ResourceDispatcher::OnMessageReceived(IPC::Message const&) content/child/resource_dispatcher.cc:124:3
#34 0x7f7e8336aa35 in DispatchMessage content/child/resource_scheduling_filter.cc:99:3
Hmm. It looks like the MediaStreamSource is accessed via MediaStreamSource::ExtraData after the MediaStreamSource was destroyed. However, it should not happen, because MediaStreamSource::ExtraData is destroyed in the eager finalization of the MediaStreamSource...
Apr 12 2016
Looks similar to bug 602277
Apr 12 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5358491622965248
Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Use-after-poison READ 8
Crash Address: 0x7e98f5ee9048
Crash State:
  blink::MediaStreamSource::setReadyState
  content::MediaStreamVideoSource::SetReadyState
  content::MediaStreamVideoSource::DoStopSource
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=144946:145047
Minimized Testcase (2.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97bpPejYOcC5V9lGNCSGvhLRUnxJz6H-qpCgagcmc0kz_tQABwRg_iF_QlCGfihYmxsq9udcSN0iGaXTmt7MFRNS24FIm5lKKiiwqw5p_7u3fJ79cGbWGiUydGj9xm2NKwzb0AxwbcOASnZI13CSM5ZZrnpEQ
Additional requirements: Requires HTTP
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 12 2016
(Could I be Cc:ed on 602277, please?) Is there a regression range? https://codereview.chromium.org/1876703002/ could have changed the finalizer ordering.
Apr 12 2016
CC'ed you on 602277. For the initial report (https://cluster-fuzz.appspot.com/testcase?key=4672960127827968) the regression range is: Chromium: 386017:386043
Apr 12 2016
Great, thanks - #9's r386344 is well outside.
Apr 12 2016
haraken@: MediaStreamTrack used to be eagerly finalized (an EventTarget), but isn't any longer. Could it be the Observer here being touched?
Apr 12 2016
Eh no, the weak refs that MediaStreamSource keeps to its observers should prevent such potential accidents in any case. Hmm.
Apr 12 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5358491622965248
Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Use-after-poison READ 8
Crash Address: 0x7e98f5ee9048
Crash State:
  blink::MediaStreamSource::setReadyState
  content::MediaStreamVideoSource::SetReadyState
  content::MediaStreamVideoSource::DoStopSource
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=144946:145047
Minimized Testcase (2.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97bpPejYOcC5V9lGNCSGvhLRUnxJz6H-qpCgagcmc0kz_tQABwRg_iF_QlCGfihYmxsq9udcSN0iGaXTmt7MFRNS24FIm5lKKiiwqw5p_7u3fJ79cGbWGiUydGj9xm2NKwzb0AxwbcOASnZI13CSM5ZZrnpEQ
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 12 2016
Worth checking status without https://codereview.chromium.org/1815033003/ ?
Apr 13 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5884171540496384
Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Use-after-poison READ 8
Crash Address: 0x7eea13e89020
Crash State:
  blink::MediaStreamSource::setReadyState
  content::MediaStreamVideoSource::SetReadyState
  content::MediaStreamVideoSource::DoStopSource
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172836:173286
Minimized Testcase (2.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ag_F6-sV0lyPOjCCzBU2eqtlW0cpQP5cABULAOBEonZls13gs4FJRSiXfngd12J2aNkocAbBSsETgpClZVbC1ig3rlTJG2Vv6ciuS61gHcMlH8Q9D-JQbXt64Cbw3p_vJTWkKwAyVg18C69FQTz9aNzfZZQ
Additional requirements: Requires HTTP
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 13 2016
https://codereview.chromium.org/1885053002/ addresses. Not so sure a layout test can be distilled for this condition, but haven't got the time to investigate that right now.
Apr 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bc3ebdc42cd0b29fd770213d02a99a81b84dc69c
commit bc3ebdc42cd0b29fd770213d02a99a81b84dc69c
Author: sigbjornf <sigbjornf@opera.com>
Date: Thu Apr 14 05:34:31 2016
Safely iterate over MediaStreamSource observers.
When changing the ready state of this object, the resultant dispatching of events by its observers may extend the observer set. Take a snapshot of the observers, so as to be able safely iterate over it across additions.
R=
BUG= 602273
Review URL: https://codereview.chromium.org/1885053002
Cr-Commit-Position: refs/heads/master@{#387243}
[add] https://crrev.com/bc3ebdc42cd0b29fd770213d02a99a81b84dc69c/third_party/WebKit/LayoutTests/fast/mediastream/MediaStreamTrack-observer-iterate-no-crash-expected.txt
[add] https://crrev.com/bc3ebdc42cd0b29fd770213d02a99a81b84dc69c/third_party/WebKit/LayoutTests/fast/mediastream/MediaStreamTrack-observer-iterate-no-crash.html
[modify] https://crrev.com/bc3ebdc42cd0b29fd770213d02a99a81b84dc69c/third_party/WebKit/Source/platform/mediastream/MediaStreamSource.cpp
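The commit message above describes the hazard (observer callbacks fired while the observer set is being iterated may grow that set, invalidating the live iterator, which is what ASan reported as a use-after-poison) and the fix (iterate over a snapshot). The following is an added C++ model of both shapes; it is not Chromium's code and the names ObserverSet, Source, SpawningObserver and CountingObserver are hypothetical. Instead of a real hash table, the stand-in set tracks a generation counter so that "set modified under the iterator" is reported as a boolean rather than left as undefined behaviour.

```cpp
// Added example, not Chromium code. Models the MediaStreamSource observer
// hazard and the snapshot fix with hypothetical types.
#include <algorithm>
#include <cstddef>
#include <functional>
#include <memory>
#include <vector>

enum class ReadyState { Live, Muted, Ended };

class Observer {
 public:
  virtual ~Observer() = default;
  virtual void sourceChangedState(ReadyState) = 0;
};

// Stand-in for a growable hash set. A real table may reallocate its buckets
// on insert, leaving an in-flight iterator over freed (poisoned) memory; here
// a generation counter makes that hazard observable instead of undefined.
class ObserverSet {
 public:
  void add(Observer* o) {
    if (std::find(items_.begin(), items_.end(), o) != items_.end()) return;
    items_.push_back(o);
    ++generation_;  // any insert may have moved the storage
  }
  std::vector<Observer*> snapshot() const { return items_; }
  std::size_t size() const { return items_.size(); }

  // Visit each element; returns false if the set changed mid-walk, which is
  // the point at which a real iterator would be dangling.
  bool forEach(const std::function<void(Observer*)>& fn) {
    const unsigned startGen = generation_;
    for (std::size_t i = 0; i < items_.size(); ++i) {
      fn(items_[i]);
      if (generation_ != startGen) return false;
    }
    return true;
  }

 private:
  std::vector<Observer*> items_;
  unsigned generation_ = 0;
};

class Source {
 public:
  void addObserver(Observer* o) { observers_.add(o); }
  std::size_t observerCount() const { return observers_.size(); }
  ReadyState state() const { return state_; }

  // Buggy shape: walk the live set while callbacks may insert into it.
  bool setReadyStateUnsafe(ReadyState s) {
    state_ = s;
    return observers_.forEach([s](Observer* o) { o->sourceChangedState(s); });
  }

  // Fixed shape, as the commit describes: copy the set, then notify from the
  // copy. Observers added during dispatch are not part of this round.
  bool setReadyStateSafe(ReadyState s) {
    state_ = s;
    for (Observer* o : observers_.snapshot()) o->sourceChangedState(s);
    return true;
  }

 private:
  ReadyState state_ = ReadyState::Live;
  ObserverSet observers_;
};

class CountingObserver : public Observer {
 public:
  void sourceChangedState(ReadyState) override { ++calls; }
  int calls = 0;
};

// An observer whose callback registers a new observer on the same source,
// the way an event handler might derive a fresh track from it.
class SpawningObserver : public Observer {
 public:
  explicit SpawningObserver(Source* src) : src_(src) {}
  void sourceChangedState(ReadyState) override {
    spawned_.push_back(std::make_unique<CountingObserver>());
    src_->addObserver(spawned_.back().get());
  }

 private:
  Source* src_;
  std::vector<std::unique_ptr<CountingObserver>> spawned_;
};

// Without a snapshot the walk is interrupted by the insert: returns false.
bool notifyWithoutSnapshot() {
  Source src;
  SpawningObserver spawner(&src);
  src.addObserver(&spawner);
  return src.setReadyStateUnsafe(ReadyState::Ended);
}

// With a snapshot dispatch completes and the set has grown to two entries.
std::size_t observersAfterSnapshotNotify() {
  Source src;
  SpawningObserver spawner(&src);
  src.addObserver(&spawner);
  src.setReadyStateSafe(ReadyState::Ended);
  return src.observerCount();
}
```

The design point is the same one the layout test added by the commit exercises: the set being notified must not be the set being mutated. Copying the observers before dispatch costs one small allocation per state change and removes the ordering dependency on what each observer does in its callback.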
Apr 14 2016
An older bug impacting current releases; probably worth requesting backports once baked in.
Apr 14 2016
Apr 14 2016
Apr 14 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5884171540496384
Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Use-after-poison READ 8
Crash Address: 0x7eea13e89020
Crash State:
  blink::MediaStreamSource::setReadyState
  content::MediaStreamVideoSource::SetReadyState
  content::MediaStreamVideoSource::DoStopSource
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172836:173286
Minimized Testcase (2.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ag_F6-sV0lyPOjCCzBU2eqtlW0cpQP5cABULAOBEonZls13gs4FJRSiXfngd12J2aNkocAbBSsETgpClZVbC1ig3rlTJG2Vv6ciuS61gHcMlH8Q9D-JQbXt64Cbw3p_vJTWkKwAyVg18C69FQTz9aNzfZZQ
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 15 2016
Adding Merge-Triage label for tracking purposes. Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label. When your merge is approved by the release manager, please start merging with the higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. - Your friendly ClusterFuzz
Apr 18 2016
Apr 18 2016
Your change meets the bar and is auto-approved for M51 (branch: 2704)
Apr 18 2016
Please merge your change to M51 branch 2704 ASAP (before 5:00 PM PST, today) so we can take it in for M51 last Dev release tomorrow.
Apr 18 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/cc916de6955699b06e38ed659805c1fc3904126c
commit cc916de6955699b06e38ed659805c1fc3904126c
Author: Sigbjorn Finne <sigbjornf@opera.com>
Date: Mon Apr 18 18:48:25 2016
Safely iterate over MediaStreamSource observers.
When changing the ready state of this object, the resultant dispatching of events by its observers may extend the observer set. Take a snapshot of the observers, so as to be able safely iterate over it across additions.
R=
BUG= 602273
Review URL: https://codereview.chromium.org/1885053002
Cr-Commit-Position: refs/heads/master@{#387243}
(cherry picked from commit bc3ebdc42cd0b29fd770213d02a99a81b84dc69c)
Review URL: https://codereview.chromium.org/1899853003 .
Cr-Commit-Position: refs/branch-heads/2704@{#101}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}
[add] https://crrev.com/cc916de6955699b06e38ed659805c1fc3904126c/third_party/WebKit/LayoutTests/fast/mediastream/MediaStreamTrack-observer-iterate-no-crash-expected.txt
[add] https://crrev.com/cc916de6955699b06e38ed659805c1fc3904126c/third_party/WebKit/LayoutTests/fast/mediastream/MediaStreamTrack-observer-iterate-no-crash.html
[modify] https://crrev.com/cc916de6955699b06e38ed659805c1fc3904126c/third_party/WebKit/Source/platform/mediastream/MediaStreamSource.cpp
May 24 2016
May 24 2016
Renamed component Blink>MediaStreamRecording to Blink>MediaStream>Recording. Moving issues to the new component.
Jul 22 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Jan 18 2017
Jan 18 2017
Comment 1 by mmoroz@chromium.org, Apr 11 2016