Use-of-uninitialized-value in test_runner::TestRunnerForSpecificView::Reset
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4878068388200448
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  test_runner::TestRunnerForSpecificView::Reset
  test_runner::TestInterfaces::ResetTestHelperControllers
  test_runner::TestInterfaces::ResetAll
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=389884:390115
Minimized Testcase (1.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9761CLQkD5z_8DsVNeFkskampPXfc2SQzBZIk9gWuUWVmxYGxBN0lurRiGKhNDXtZ-f_UOARHl8Aj_oq2lCoRFosemHy0FlH88v5LyEGxrlfVFyZMfsllfzBRwwvVQPoYI3meYEcs-ijr1s9zgRHRLqEc9vFw
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 11 2016
leviw@, do you mind taking a look? You've made some changes there not too long ago:
Author: leviw
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/03d23a6e89f3f1ff65575ad088858e2b219daa3c
Time: Sat Mar 26 01:19:53 2016
The CL last changed line 159 of file RefCounted.h, which is stack frame 1.
May 11 2016
Looks like this is likely test only. Reclassifying it for now, but please let me know if this is incorrect (and feel free to remove Restrict-View-EditIssue if it definitely isn't security relevant).
Jun 3 2016
Confirmed. Test only failure. Marking as available as Levi is no longer on the project.
Jun 16 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4878068388200448
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  test_runner::TestRunnerForSpecificView::Reset
  test_runner::TestInterfaces::ResetTestHelperControllers
  test_runner::TestInterfaces::ResetAll
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=389884:390115
Minimized Testcase (1.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94h1NKcrOVo3l-vKnPj9zHwThIClmjgRw3gyK8zn2LhvE2tdtjcBbPvbBrXWddW6V7xA3EJZj0fI14zMr4u-Yh_13dH_6rPJFBDBe55MQ74c2zT9capxv2N_3rNISj6EGBvPaX7F_8__YTEVTzSZhwFWkutXQ
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 28 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5474521549373440
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x296d9353
Crash State:
  test_runner::TestRunnerForSpecificView::Reset
  test_runner::TestInterfaces::ResetTestHelperControllers
  test_runner::TestInterfaces::ResetAll
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=402058:402059
Minimized Testcase (1.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95L8NSnYIChKa6LoYoPiGWBXnybrUwXWAsTS7vmZDgnl1bzSX3ENLDL8d7U5uyzJ4XkQCPO1s-JXB51OVNzltkRUWSGXV0T7XcPWew-hk5GoBHfBzqZzRLQF-_kTBWmE1_FtrtOo1VSvrXXFHEzJ7YkMFchfQ?testcase_id=5474521549373440
Filer: tanin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 1 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4970173276880896
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  test_runner::TestRunnerForSpecificView::Reset
  test_runner::TestInterfaces::ResetTestHelperControllers
  test_runner::TestInterfaces::ResetAll
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=389884:390115
Minimized Testcase (1.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv966FJZjRy6l4qig3icO31TkLjJwe_hus0fc5_e-aiCyGBBeKzPW-UJ9KFzhWqXdjHu3ic6_V9TY3p7hzOOB5ew4zlm4MnQqhWnGOYWNukNomPqdVmD5qqGOFkkWxpWpF9SVkE86KJd8vKxG8NsQJonGODh-qQ?testcase_id=4970173276880896
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 1 2016
Issue 643005 has been merged into this issue.
Sep 14 2016
ClusterFuzz has detected this issue as fixed in range 418377:418438.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4970173276880896
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  test_runner::TestRunnerForSpecificView::Reset
  test_runner::TestInterfaces::ResetTestHelperControllers
  test_runner::TestInterfaces::ResetAll
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=389884:390115
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=418377:418438
Minimized Testcase (1.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv966FJZjRy6l4qig3icO31TkLjJwe_hus0fc5_e-aiCyGBBeKzPW-UJ9KFzhWqXdjHu3ic6_V9TY3p7hzOOB5ew4zlm4MnQqhWnGOYWNukNomPqdVmD5qqGOFkkWxpWpF9SVkE86KJd8vKxG8NsQJonGODh-qQ?testcase_id=4970173276880896
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 8 2016
Considering the detailed report from Comment #11, FindIt is assigning it to the concerned owner. The result is a list of CLs that change the crashed files.
Author: bokan
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/c63441cc9941c223e2f2d311085903c00da85938
Time: Wed Apr 27 15:49:12 2016
Files render_widget.cc, WebViewImpl.cpp, render_view_impl.cc are changed in this CL (and are part of stack frame #3, "content::RenderWidget::Close").
Minimum distance from crash line to modified line: 28. (file: render_view_impl.cc, crashed on: 2633, modified: 2605).
@bokan -- Could you please look into the issue, and kindly re-assign if this is not related to your changes. Thank you.
Dec 8 2016
Managed to repro locally. Test is indeed flaky but repros about 3/4 times.
This is a use-after-free bug: the RenderView is closed but the proxy still has a pointer to the WebView. Here are the stack traces of the use and the free:
==1==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x12690a97 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x12690a97)
#1 0x12598718 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x12598718)
#2 0x12620155 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x12620155)
#3 0x65966b0 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x65966b0)
#4 0x65960cd (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x65960cd)
#5 0x65945f1 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x65945f1)
#6 0xaa6e9a0 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0xaa6e9a0)
#7 0x12df9976 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x12df9976)
#8 0xa7567c4 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0xa7567c4)
#9 0x6f818c8 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x6f818c8)
#10 0x68e78f0 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x68e78f0)
#11 0xb71cfff (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0xb71cfff)
#12 0xb715b3b (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0xb715b3b)
#13 0x68e78f0 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x68e78f0)
#14 0x66d20d4 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x66d20d4)
#15 0x66d3a9a (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x66d3a9a)
#16 0x66d5605 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x66d5605)
#17 0x66e2e6a (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x66e2e6a)
#18 0x66d11b9 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x66d11b9)
#19 0x676adec (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x676adec)
#20 0xab133d4 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0xab133d4)
#21 0x4a2b1ec (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x4a2b1ec)
#22 0x4a2dfcc (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x4a2dfcc)
#23 0x4a313e2 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x4a313e2)
#24 0x4a0ecb0 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x4a0ecb0)
#25 0x4ac470 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x4ac470)
#26 0x7f0f8fe25f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#27 0x440e08 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x440e08)
Uninitialized value was created by a heap deallocation
#0 0x461122 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x461122)
#1 0xbad4cb7 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0xbad4cb7)
#2 0xaadc3ce (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0xaadc3ce)
#3 0xaa9cd6b (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0xaa9cd6b)
#4 0x68e78f0 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x68e78f0)
#5 0xb71cfff (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0xb71cfff)
#6 0xb715b3b (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0xb715b3b)
#7 0x68e78f0 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x68e78f0)
#8 0x66d20d4 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x66d20d4)
#9 0x66d3a9a (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x66d3a9a)
#10 0x66d5605 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x66d5605)
#11 0x66e2e6a (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x66e2e6a)
#12 0x66d11b9 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x66d11b9)
#13 0x676adec (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x676adec)
#14 0xab133d4 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0xab133d4)
#15 0x4a2b1ec (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x4a2b1ec)
#16 0x4a2dfcc (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x4a2dfcc)
#17 0x4a313e2 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x4a313e2)
#18 0x4a0ecb0 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x4a0ecb0)
#19 0x4ac470 (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x4ac470)
SUMMARY: MemorySanitizer: use-of-uninitialized-value (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x12690a97)
Dec 8 2016
Just realized I accidentally pasted the unsymbolized traces above, not very useful :)
==1==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x12690a97 in Install ./out/ChromeReleaseMsan/../../components/test_runner/test_runner_for_specific_view.cc:87:3
#1 0x12598718 in ?? ./out/ChromeReleaseMsan/../../components/test_runner/web_view_test_proxy.cc:38:34
#2 0x12620155 in get ./out/ChromeReleaseMsan/../../base/memory/weak_ptr.h:225:45
#3 0x12620155 in operator bool ./out/ChromeReleaseMsan/../../base/memory/weak_ptr.h:242:0
#4 0x12620155 in ResetTestHelperControllers ./out/ChromeReleaseMsan/../../components/test_runner/test_interfaces.cc:66:0
#5 0x12620155 in ResetAll ./out/ChromeReleaseMsan/../../components/test_runner/test_interfaces.cc:75:0
#6 0x65966b0 in OnReset ./out/ChromeReleaseMsan/../../content/shell/renderer/layout_test/blink_test_runner.cc:999:3
#7 0x65960cd in Dispatch<content::BlinkTestRunner, content::BlinkTestRunner, void, void (content::BlinkTestRunner::*)()> ./out/ChromeReleaseMsan/../../ipc/ipc_message_templates.h:120:9
#8 0x65945f1 in OnMessageReceived ./out/ChromeReleaseMsan/../../content/shell/renderer/layout_test/blink_test_runner.cc:792:5
#9 0xaa6e9a0 in operator[] ./out/ChromeReleaseMsan/../../buildtools/third_party/libc++/trunk/include/vector:1498:18
#10 0xaa6e9a0 in GetCurrent ./out/ChromeReleaseMsan/../../base/observer_list.h:258:0
#11 0xaa6e9a0 in operator* ./out/ChromeReleaseMsan/../../base/observer_list.h:247:0
#12 0xaa6e9a0 in OnMessageReceived ./out/ChromeReleaseMsan/../../content/renderer/render_view_impl.cc:1194:0
#13 0x12df9976 in IsEmpty ./out/ChromeReleaseMsan/../../ui/gfx/geometry/box_f.cc:25:19
#14 0x12df9976 in Union ./out/ChromeReleaseMsan/../../ui/gfx/geometry/box_f.cc:51:0
#15 0xa7567c4 in set_dispatch_error ./out/ChromeReleaseMsan/../../ipc/ipc_message.h:125:21
#16 0xa7567c4 in OnMessageReceived ./out/ChromeReleaseMsan/../../content/child/child_thread_impl.cc:741:0
#17 0x6f818c8 in OnDispatchConnected ./out/ChromeReleaseMsan/../../ipc/ipc_channel_proxy.cc:362:16
#18 0x6f818c8 in OnDispatchMessage ./out/ChromeReleaseMsan/../../ipc/ipc_channel_proxy.cc:327:0
#19 0x68e78f0 in program_counter ./out/ChromeReleaseMsan/../../base/location.h:47:48
#20 0x68e78f0 in RunTask ./out/ChromeReleaseMsan/../../base/debug/task_annotator.cc:49:0
#21 0xb71cfff in ProcessTaskFromWorkQueue ./out/ChromeReleaseMsan/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:336:27
#22 0xb715b3b in DoWork ./out/ChromeReleaseMsan/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:234:40
#23 0x68e78f0 in program_counter ./out/ChromeReleaseMsan/../../base/location.h:47:48
#24 0x68e78f0 in RunTask ./out/ChromeReleaseMsan/../../base/debug/task_annotator.cc:49:0
#25 0x66d20d4 in operator!= ./out/ChromeReleaseMsan/../../base/observer_list.h:220:11
#26 0x66d20d4 in RunTask ./out/ChromeReleaseMsan/../../base/message_loop/message_loop.cc:411:0
#27 0x66d3a9a in DeferOrRunPendingTask ./out/ChromeReleaseMsan/../../base/message_loop/message_loop.cc:421:20
#28 0x66d5605 in push_back ./out/ChromeReleaseMsan/../../buildtools/third_party/libc++/trunk/include/vector:1610:9
#29 0x66d5605 in push ./out/ChromeReleaseMsan/../../buildtools/third_party/libc++/trunk/include/queue:659:0
#30 0x66d5605 in AddToDelayedWorkQueue ./out/ChromeReleaseMsan/../../base/message_loop/message_loop.cc:436:0
#31 0x66d5605 in DoWork ./out/ChromeReleaseMsan/../../base/message_loop/message_loop.cc:510:0
#32 0x66e2e6a in Run ./out/ChromeReleaseMsan/../../base/message_loop/message_pump_default.cc:52:9
#33 0x66d11b9 in RunHandler ./out/ChromeReleaseMsan/../../base/message_loop/message_loop.cc:377:3
#34 0x676adec in BeforeRun ./out/ChromeReleaseMsan/../../base/run_loop.cc:79:7
#35 0x676adec in Run ./out/ChromeReleaseMsan/../../base/run_loop.cc:28:0
#36 0xab133d4 in reset ./out/ChromeReleaseMsan/../../buildtools/third_party/libc++/trunk/include/memory:2733:24
#37 0xab133d4 in ~unique_ptr ./out/ChromeReleaseMsan/../../buildtools/third_party/libc++/trunk/include/memory:2703:0
#38 0xab133d4 in RendererMain ./out/ChromeReleaseMsan/../../content/renderer/renderer_main.cc:188:0
#39 0x4a2b1ec in RunZygote ./out/ChromeReleaseMsan/../../content/app/content_main_runner.cc:344:14
#40 0x4a2dfcc in RunNamedProcessTypeMain ./out/ChromeReleaseMsan/../../content/app/content_main_runner.cc:424:12
#41 0x4a313e2 in Run ./out/ChromeReleaseMsan/../../content/app/content_main_runner.cc:786:12
#42 0x4a0ecb0 in ContentMain ./out/ChromeReleaseMsan/../../content/app/content_main.cc:20:28
#43 0x4ac470 in main ./out/ChromeReleaseMsan/../../content/shell/app/shell_main.cc:48:10
#44 0x7f0f8fe25f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287:0
#45 0x440e08 in _start ??:?
Uninitialized value was created by a heap deallocation
#0 0x461122 in __interceptor_free ??:?
#1 0xbad4cb7 in deleteAllBucketsAndDeallocate ./out/ChromeReleaseMsan/../../third_party/WebKit/Source/wtf/HashTable.h:1603:3
#2 0xbad4cb7 in rehash ./out/ChromeReleaseMsan/../../third_party/WebKit/Source/wtf/HashTable.h:1779:0
#3 0xbad4cb7 in shrink ./out/ChromeReleaseMsan/../../third_party/WebKit/Source/wtf/HashTable.h:834:0
#4 0xbad4cb7 in remove ./out/ChromeReleaseMsan/../../third_party/WebKit/Source/wtf/HashTable.h:1482:0
#5 0xbad4cb7 in remove ./out/ChromeReleaseMsan/../../third_party/WebKit/Source/wtf/HashTable.h:1512:0
#6 0xbad4cb7 in remove ./out/ChromeReleaseMsan/../../third_party/WebKit/Source/wtf/HashSet.h:275:0
#7 0xbad4cb7 in remove ./out/ChromeReleaseMsan/../../third_party/WebKit/Source/wtf/HashSet.h:280:0
#8 0xbad4cb7 in close ./out/ChromeReleaseMsan/../../third_party/WebKit/Source/web/WebViewImpl.cpp:1741:0
#9 0xaadc3ce in WillCloseLayerTreeView ./out/ChromeReleaseMsan/../../content/renderer/render_widget.cc:1264:34
#10 0xaadc3ce in Close ./out/ChromeReleaseMsan/../../content/renderer/render_widget.cc:1428:0
#11 0xaa9cd6b in Close ./out/ChromeReleaseMsan/../../content/renderer/render_view_impl.cc:2367:0
#12 0x68e78f0 in program_counter ./out/ChromeReleaseMsan/../../base/location.h:47:48
#13 0x68e78f0 in RunTask ./out/ChromeReleaseMsan/../../base/debug/task_annotator.cc:49:0
#14 0xb71cfff in ProcessTaskFromWorkQueue ./out/ChromeReleaseMsan/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:336:27
#15 0xb715b3b in DoWork ./out/ChromeReleaseMsan/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:234:40
#16 0x68e78f0 in program_counter ./out/ChromeReleaseMsan/../../base/location.h:47:48
#17 0x68e78f0 in RunTask ./out/ChromeReleaseMsan/../../base/debug/task_annotator.cc:49:0
#18 0x66d20d4 in operator!= ./out/ChromeReleaseMsan/../../base/observer_list.h:220:11
#19 0x66d20d4 in RunTask ./out/ChromeReleaseMsan/../../base/message_loop/message_loop.cc:411:0
#20 0x66d3a9a in DeferOrRunPendingTask ./out/ChromeReleaseMsan/../../base/message_loop/message_loop.cc:421:20
#21 0x66d5605 in push_back ./out/ChromeReleaseMsan/../../buildtools/third_party/libc++/trunk/include/vector:1610:9
#22 0x66d5605 in push ./out/ChromeReleaseMsan/../../buildtools/third_party/libc++/trunk/include/queue:659:0
#23 0x66d5605 in AddToDelayedWorkQueue ./out/ChromeReleaseMsan/../../base/message_loop/message_loop.cc:436:0
#24 0x66d5605 in DoWork ./out/ChromeReleaseMsan/../../base/message_loop/message_loop.cc:510:0
#25 0x66e2e6a in Run ./out/ChromeReleaseMsan/../../base/message_loop/message_pump_default.cc:52:9
#26 0x66d11b9 in RunHandler ./out/ChromeReleaseMsan/../../base/message_loop/message_loop.cc:377:3
#27 0x676adec in BeforeRun ./out/ChromeReleaseMsan/../../base/run_loop.cc:79:7
#28 0x676adec in Run ./out/ChromeReleaseMsan/../../base/run_loop.cc:28:0
#29 0xab133d4 in reset ./out/ChromeReleaseMsan/../../buildtools/third_party/libc++/trunk/include/memory:2733:24
#30 0xab133d4 in ~unique_ptr ./out/ChromeReleaseMsan/../../buildtools/third_party/libc++/trunk/include/memory:2703:0
#31 0xab133d4 in RendererMain ./out/ChromeReleaseMsan/../../content/renderer/renderer_main.cc:188:0
#32 0x4a2b1ec in RunZygote ./out/ChromeReleaseMsan/../../content/app/content_main_runner.cc:344:14
#33 0x4a2dfcc in RunNamedProcessTypeMain ./out/ChromeReleaseMsan/../../content/app/content_main_runner.cc:424:12
#34 0x4a313e2 in Run ./out/ChromeReleaseMsan/../../content/app/content_main_runner.cc:786:12
#35 0x4a0ecb0 in ContentMain ./out/ChromeReleaseMsan/../../content/app/content_main.cc:20:28
#36 0x4ac470 in main ./out/ChromeReleaseMsan/../../content/shell/app/shell_main.cc:48:10
SUMMARY: MemorySanitizer: use-of-uninitialized-value (/usr/local/google/ssd/chrome/src/out/ChromeReleaseMsan/content_shell+0x12690a97)
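The diagnosis above is that the view was closed on an earlier task while a proxy kept a pointer to it, and a later Reset() followed that pointer. The example below is added here to show that lifetime pattern and the usual fix; it is not Chromium code and not code from anyone in this thread. WeakHandle and WeakHandleFactory are hypothetical stand-ins modelled on the idea of base::WeakPtr and base::WeakPtrFactory (not their real implementation), View stands in for the WebView, and RawProxy/WeakProxy stand in for the test proxy with and without the fix. The handles are invalidated at Close(), not only in the destructor, because the report shows the close happening on an earlier task than the use.

```cpp
#include <cassert>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical stand-in for base::WeakPtr: a shared slot that the owner
// clears, so every outstanding handle observes the owner going away.
template <typename T>
class WeakHandle {
 public:
  WeakHandle() = default;
  explicit WeakHandle(std::shared_ptr<T*> slot) : slot_(std::move(slot)) {}
  T* get() const { return slot_ ? *slot_ : nullptr; }
  T* operator->() const { return get(); }
  explicit operator bool() const { return get() != nullptr; }
 private:
  std::shared_ptr<T*> slot_;
};

// Hypothetical stand-in for base::WeakPtrFactory: owned by the object and
// declared as its last member so it is torn down first on destruction.
template <typename T>
class WeakHandleFactory {
 public:
  explicit WeakHandleFactory(T* owner) : slot_(std::make_shared<T*>(owner)) {}
  ~WeakHandleFactory() { Invalidate(); }  // destruction also invalidates
  WeakHandle<T> Get() const { return WeakHandle<T>(slot_); }
  void Invalidate() { *slot_ = nullptr; }
 private:
  std::shared_ptr<T*> slot_;
};

// Stand-in for the WebView: it can be closed first and freed later.
class View {
 public:
  View() : weak_factory_(this) {}
  bool IsClosed() const { return closed_; }
  void Close() {
    closed_ = true;
    weak_factory_.Invalidate();  // handles go null at Close(), not only at delete
  }
  void Install() { ++install_count_; }
  int install_count() const { return install_count_; }
  WeakHandle<View> GetWeakHandle() const { return weak_factory_.Get(); }
 private:
  bool closed_ = false;
  int install_count_ = 0;
  WeakHandleFactory<View> weak_factory_;  // last member on purpose
};

// The pattern the report describes: a raw pointer that nothing clears when
// the view is closed. Reset() is only safe while the view is alive.
class RawProxy {
 public:
  explicit RawProxy(View* view) : view_(view) {}
  bool Reset() { view_->Install(); return true; }  // dereferences unconditionally
 private:
  View* view_;
};

// Hardened form: hold a weak handle and check it before every use.
class WeakProxy {
 public:
  explicit WeakProxy(WeakHandle<View> view) : view_(std::move(view)) {}
  bool Reset() {
    if (!view_) return false;  // closed or freed: skip instead of touching it
    view_->Install();
    return true;
  }
 private:
  WeakHandle<View> view_;
};

// Drives the sequence from the thread: reset while alive, close the view,
// reset again, free the view, reset again. Returns each Reset() outcome.
std::vector<bool> RunScenario() {
  auto view = std::make_unique<View>();
  RawProxy raw(view.get());
  WeakProxy weak(view->GetWeakHandle());
  std::vector<bool> results;
  results.push_back(raw.Reset());   // alive: fine for both proxies
  results.push_back(weak.Reset());
  view->Close();
  results.push_back(weak.Reset());  // closed: handle is null, use is skipped
  view.reset();
  results.push_back(weak.Reset());  // freed: still skipped; raw.Reset() here
                                    // would be the use-after-free in the report
  return results;
}

int main() {
  auto r = RunScenario();
  return (r == std::vector<bool>{true, true, false, false}) ? 0 : 1;
}
```

Compile with `-std=c++14` (std::make_unique). The point of invalidating in Close() rather than relying on the destructor is that, as in the traces, the close and the later use can be separate tasks; a handle that only goes null on delete would still be live during that window if anything else kept the object alive.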
Mar 3 2017
ClusterFuzz has detected this issue as fixed in range 454456:454459.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4878068388200448
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  test_runner::TestRunnerForSpecificView::Reset
  test_runner::TestInterfaces::ResetTestHelperControllers
  test_runner::TestInterfaces::ResetAll
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=389884:390115
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=454456:454459
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94h1NKcrOVo3l-vKnPj9zHwThIClmjgRw3gyK8zn2LhvE2tdtjcBbPvbBrXWddW6V7xA3EJZj0fI14zMr4u-Yh_13dH_6rPJFBDBe55MQ74c2zT9capxv2N_3rNISj6EGBvPaX7F_8__YTEVTzSZhwFWkutXQ?testcase_id=4878068388200448
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 3 2017
ClusterFuzz testcase 4970173276880896 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mmoroz@chromium.org, May 11 2016
Labels: Pri-2
May be a use-after-free:
Uninitialized value was created by a heap deallocation
#0 0x45bb02 in __interceptor_free
#1 0x7253ec1 in deref third_party/WebKit/Source/wtf/RefCounted.h:159:13
<...>
Setting High severity because of that.