Issue metadata
Sign in to add a comment
|
Crash in content::MHTMLGenerationManager::OnFileClosed |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4584840929738752 Fuzzer: meacer_extension_apis Job Type: linux_asan_chrome_chromeos Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000100 Crash State: content::MHTMLGenerationManager::OnFileClosed void base::internal::ReplyAdapter<long, long> base::PostTaskAndReplyRelay::RunReplyAndSelfDestruct Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=367545:367650 Minimized Testcase (7.64 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Qj2RkpLu3W2BIJs2oO_XBi3CDQPXY4RYfvtTpWz8QNGkg_eMdyhFyFqdR-c0KTazA2FRtvCm9S2FyJdl_6lclX4IMp1Dk9QmKHfovULI8BoneVe_p9Rhp05w4Xf198JD1j7_wnnVf1_DWfUyPCZ1tTK5nLQ Filer: ranjitkan See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 17 2016
I could repro with the build+config originally used by ClusterFuzz (although it took 3 attempts): $ python ./src/tools/on_demand/run_gestures_on_device_local.py --config ~/Downloads/config_4584840929738752.zip --build ~/Downloads/asan-linux-release-393646/
,
Jun 28 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4584840929738752 Fuzzer: meacer_extension_apis Job Type: linux_asan_chrome_chromeos Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000100 Crash State: content::MHTMLGenerationManager::OnFileClosed void base::internal::ReplyAdapter<long, long> base::PostTaskAndReplyRelay::RunReplyAndSelfDestruct Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95zkm0QFyY4gxQX9EZSldzNKnnBEvqz8yGNr6WwMfJgCR2IK4GOxwTCRvWucS2RCwDoe-L1TCFn2Ti_-USluA-aF3YeNBuBdiZKi7Tz7QuAat5xX_9tlyqZxbxGbQt_N5k2143V0462KxsB-_eXf7d8tbRAQg?testcase_id=4584840929738752 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 19 2016
+dewittj@ - this ClusterFuzz bug might be reproing issue 629183.
,
Jul 19 2016
Issue 629183 has been merged into this issue.
,
Jul 19 2016
,
Jul 19 2016
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
,
Jul 19 2016
The following sequence of events can be trigerred by the ClusterFuzz repro from https://crbug.com/612098#c2 : 1. MHTMLGenerationManager::JobFinished is called when MHTMLGenerationManager::OnSerializeAsMHTMLResponse finds out all frames have been processed. It calls Job::CloseFile to post a task to close to MHTML file (on the IO thread) and reply back to report completion (on the UI thread). 2. Shortly after, the renderer goes away and triggers MHTMLGenerationManager::RenderProcessExited which (by design) calls MHTMLGenerationManager::JobFinished. The problem is that right now CL JobFinished is not idempotent (and will again call Job::CloseFile). 3. MHTMLGenerationManager::OnFileClosed is called in response to #1 above. 4. MHTMLGenerationManager::OnFileClosed is called in response to #2 above. This will crash - FindJob would not find a job, would hit NOTREACHED assert and we would later dereference nullptr).
,
Jul 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a668d7811c2c19662cbeec9e10a3e283292445e5 commit a668d7811c2c19662cbeec9e10a3e283292445e5 Author: lukasza <lukasza@chromium.org> Date: Fri Jul 22 20:21:47 2016 Avoid crashing if MHTMLGenerationManager::JobFinished is called twice. This CL makes sure that MHTMLGenerationManager::JobFinished is idempotent and doesn't do anything when called for a second time. This avoids the crash from the linked bug. BUG= 612098 Review-Url: https://codereview.chromium.org/2163073002 Cr-Commit-Position: refs/heads/master@{#407244} [modify] https://crrev.com/a668d7811c2c19662cbeec9e10a3e283292445e5/content/browser/download/docs/save-page-as.md [modify] https://crrev.com/a668d7811c2c19662cbeec9e10a3e283292445e5/content/browser/download/mhtml_generation_browsertest.cc [modify] https://crrev.com/a668d7811c2c19662cbeec9e10a3e283292445e5/content/browser/download/mhtml_generation_manager.cc [modify] https://crrev.com/a668d7811c2c19662cbeec9e10a3e283292445e5/content/browser/download/mhtml_generation_manager.h
,
Jul 25 2016
commit a668d7811c2c19662cbeec9e10a3e283292445e5 was: initially in 54.0.2805.0
,
Jul 25 2016
,
Jul 25 2016
Your change meets the bar and is auto-approved for M53 (branch: 2785)
,
Jul 25 2016
Please merge your change to M53 branch 2785 before 5:00 PM PDT today (Monday) so we can pick up for last M53 Dev release tomorrow. Thank you.
,
Jul 25 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7b183ec013bd7217340be9f821307b360a76e79d commit 7b183ec013bd7217340be9f821307b360a76e79d Author: Lukasz Anforowicz <lukasza@chromium.org> Date: Mon Jul 25 19:25:57 2016 Avoid crashing if MHTMLGenerationManager::JobFinished is called twice. This CL makes sure that MHTMLGenerationManager::JobFinished is idempotent and doesn't do anything when called for a second time. This avoids the crash from the linked bug. BUG= 612098 Review-Url: https://codereview.chromium.org/2163073002 Cr-Commit-Position: refs/heads/master@{#407244} (cherry picked from commit a668d7811c2c19662cbeec9e10a3e283292445e5) Review URL: https://codereview.chromium.org/2182673003 . Cr-Commit-Position: refs/branch-heads/2785@{#338} Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382} [modify] https://crrev.com/7b183ec013bd7217340be9f821307b360a76e79d/content/browser/download/docs/save-page-as.md [modify] https://crrev.com/7b183ec013bd7217340be9f821307b360a76e79d/content/browser/download/mhtml_generation_browsertest.cc [modify] https://crrev.com/7b183ec013bd7217340be9f821307b360a76e79d/content/browser/download/mhtml_generation_manager.cc [modify] https://crrev.com/7b183ec013bd7217340be9f821307b360a76e79d/content/browser/download/mhtml_generation_manager.h
,
Jul 26 2016
,
Jul 27 2016
ClusterFuzz has detected this issue as fixed in range 407004:407711. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4584840929738752 Fuzzer: meacer_extension_apis Job Type: linux_asan_chrome_chromeos Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000100 Crash State: content::MHTMLGenerationManager::OnFileClosed void base::internal::ReplyAdapter<long, long> base::PostTaskAndReplyRelay::RunReplyAndSelfDestruct Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=407004:407711 Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95zkm0QFyY4gxQX9EZSldzNKnnBEvqz8yGNr6WwMfJgCR2IK4GOxwTCRvWucS2RCwDoe-L1TCFn2Ti_-USluA-aF3YeNBuBdiZKi7Tz7QuAat5xX_9tlyqZxbxGbQt_N5k2143V0462KxsB-_eXf7d8tbRAQg?testcase_id=4584840929738752 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ranjitkan@chromium.org
, May 16 2016Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug findit-for-crash Te-Logged Pri-2 Type-Bug-Regression
Owner: lukasza@chromium.org
Status: Assigned (was: Available)