Crash in blink::LocalFrame::detach
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6417054248206336
Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::LocalFrame::detach
  blink::Page::willBeDestroyed
  blink::SVGImage::~SVGImage
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=393144:393183
Minimized Testcase (0.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97AH2HDxKmFcdrm9l72DY6FrzQ_O99a_F5rjZQPNNE7RDQ9DlJuE1Iq0Sz10MvLLozBUatkoOW5kqPzBsdTPPYEyFYNCKkZ4pqD98DuC30UwaDna6BEbuNDsgQ_4oy_TKgiAxIozuFvyC0S3XIAH2UKP11O4A
Additional requirements: Requires Gestures
Filer: rnimmagadda
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 15 2016
My CL has no production code change. This looks to be in dcheng's area, or sigbjornf's.
May 16 2016
I wouldn't be too surprised if this is during Blink shutdown and with LSan, re-assign if it is.. :)
May 16 2016
ClusterFuzz has detected this issue as fixed in range 393799:393810.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6417054248206336
Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::LocalFrame::detach
  blink::Page::willBeDestroyed
  blink::SVGImage::~SVGImage
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=393144:393183
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=393799:393810
Minimized Testcase (0.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97AH2HDxKmFcdrm9l72DY6FrzQ_O99a_F5rjZQPNNE7RDQ9DlJuE1Iq0Sz10MvLLozBUatkoOW5kqPzBsdTPPYEyFYNCKkZ4pqD98DuC30UwaDna6BEbuNDsgQ_4oy_TKgiAxIozuFvyC0S3XIAH2UKP11O4A
Additional requirements: Requires Gestures
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 16 2016
Looks like this was resolved by https://chromium.googlesource.com/chromium/src/+/a2917a54ac168cd4ccb8bf453a44cadd38ec0c6b. Assigning to sigbjornf to confirm.
May 17 2016
Yes, floating garbage (the SVGImage) that wasn't swept & finalized before initiating the extra heap scrubbing that LSan requires (=> all static locals/persistents are cleared, including the one that SubframeLoadingDisabler uses, which the testcase here would otherwise trip up on when touching it after it has been cleared.)
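The shutdown-ordering hazard described in the comment above, as an added example that is not Chromium/Blink code: a static "persistent" root (modelled here as a bare global set; the real SubframeLoadingDisabler static and Oilpan's sweeping are not reproduced) is cleared by the LSan-style scrub before unreachable objects are finalized, so the finalizer chain ~SVGImage -> Page::willBeDestroyed -> LocalFrame::detach reaches through an already-cleared pointer. The model counts that access instead of dereferencing null; the fixed ordering sweeps first, then scrubs. All names and structures here are assumptions made for illustration.

```cpp
#include <memory>
#include <set>
#include <utility>
#include <vector>

// Stand-in for a static local "persistent" root such as the one
// SubframeLoadingDisabler keeps (assumed shape; not Blink/Oilpan code).
static std::set<int>* g_disabled_roots = nullptr;

static std::set<int>& disabledRoots() {
    if (!g_disabled_roots)
        g_disabled_roots = new std::set<int>;
    return *g_disabled_roots;
}

// What the LSan-required heap scrubbing does: release every static persistent
// so that only genuine leaks remain for the leak checker to report.
static void clearStaticPersistents() {
    delete g_disabled_roots;
    g_disabled_roots = nullptr;
}

struct ShutdownStats {
    int finalized = 0;    // SVGImage finalizers that ran
    int badAccesses = 0;  // detach() calls that found the persistent already cleared
};

struct LocalFrame {
    int id = 0;
    void detach(ShutdownStats& stats) {
        // A real detach consults the disabler's static; once it has been cleared
        // that is the null read (Crash Address 0x0) in the report. Count it instead.
        if (!g_disabled_roots) {
            ++stats.badAccesses;
            return;
        }
        g_disabled_roots->erase(id);
    }
};

struct Page {
    LocalFrame mainFrame;
    void willBeDestroyed(ShutdownStats& stats) { mainFrame.detach(stats); }
};

struct SVGImage {
    std::unique_ptr<Page> page;
    ShutdownStats* stats = nullptr;
    ~SVGImage() {
        page->willBeDestroyed(*stats);
        ++stats->finalized;
    }
};

// Floating garbage: unreachable objects the GC has not yet swept/finalized.
using Heap = std::vector<std::unique_ptr<SVGImage>>;

static Heap makeFloatingGarbage(ShutdownStats& stats, int count) {
    Heap heap;
    for (int i = 0; i < count; ++i) {
        disabledRoots().insert(i);  // each frame is registered in the persistent
        auto image = std::make_unique<SVGImage>();
        image->page = std::make_unique<Page>();
        image->page->mainFrame.id = i;
        image->stats = &stats;
        heap.push_back(std::move(image));
    }
    return heap;
}

static void sweep(Heap& heap) { heap.clear(); }  // runs every pending finalizer

// Ordering that produced the crash: scrub persistents, then finalize leftovers.
ShutdownStats shutdownBuggy(int count) {
    ShutdownStats stats;
    Heap heap = makeFloatingGarbage(stats, count);
    clearStaticPersistents();
    sweep(heap);  // ~SVGImage -> willBeDestroyed -> detach, persistent already gone
    return stats;
}

// Fixed ordering: sweep and finalize floating garbage first, then scrub.
ShutdownStats shutdownFixed(int count) {
    ShutdownStats stats;
    Heap heap = makeFloatingGarbage(stats, count);
    sweep(heap);
    clearStaticPersistents();
    return stats;
}

int main() {
    ShutdownStats buggy = shutdownBuggy(3);
    ShutdownStats fixed = shutdownFixed(3);
    return (buggy.badAccesses == 3 && fixed.badAccesses == 0) ? 0 : 1;
}
```

The point of the model is the ordering, not the data structures: whatever a finalizer may touch must outlive the last finalizer that can run, so a shutdown that tears down static roots has to force a full sweep first (or the finalizers have to tolerate a cleared root).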
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rnimmagadda@chromium.org, May 13 2016
Components: Blink>SVG
Labels: -Pri-1 findit-wrong Te-Logged M-52 Pri-2
Owner: tkent@chromium.org
Status: Assigned (was: Available)