Crash in aura::Window::GetRootWindow - ValidationBubble trying to show when WebContents not attached
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5419103900925952
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000080
Crash State:
  aura::Window::GetRootWindow
  aura::client::ParentWindowWithContext
  views::NativeWidgetAura::InitNativeWidget
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=396897:396922
Minimized Testcase (19.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96vrznVlIkA-BK152iVJy7amyP7-k6ITVDjPhUgxDnEN0_g1ij-fmudh_TXdaIZecPgoUq9VGox6YXG0sgizGvG33q4qDXolE9RnSjkTdPigHhHT5nIVL-F-cHcmJUKzZ9qfxeuQQMB4axPOdbKP9sze4s6vfr58hj4xecJaeXQBL95PF0
Filer: ajha
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 3 2016
ajha, how sure are we this is new? None of the CLs seem relevant to me. I can't tell: is the crash Linux or ChromeOS? Thanks!
Jun 3 2016
My suspicion is this is timing related, and the aura::Window associated with the RWHVA is no longer in a RootWindow.
Jun 8 2016
ClusterFuzz has detected this issue as fixed in range 398017:398351.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5419103900925952
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000080
Crash State:
  aura::Window::GetRootWindow
  aura::client::ParentWindowWithContext
  views::NativeWidgetAura::InitNativeWidget
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=396897:396922
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=398017:398351
Minimized Testcase (19.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96vrznVlIkA-BK152iVJy7amyP7-k6ITVDjPhUgxDnEN0_g1ij-fmudh_TXdaIZecPgoUq9VGox6YXG0sgizGvG33q4qDXolE9RnSjkTdPigHhHT5nIVL-F-cHcmJUKzZ9qfxeuQQMB4axPOdbKP9sze4s6vfr58hj4xecJaeXQBL95PF0
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 8 2016
I suspect this isn't really fixed. But closing out, given the fuzzer says fixed.
Jun 14 2016
Re-opening this, as ClusterFuzz has detected this failure again and it is impacting the head. ClusterFuzz updates are in the comment below.
Jun 14 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6385497907920896
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000080
Crash State:
  aura::Window::GetRootWindow
  aura::client::ParentWindowWithContext
  views::NativeWidgetAura::InitNativeWidget
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703
Minimized Testcase (19.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96nmUmWsFTFyrW7j1qDYaHtBYIA4xuGvUq9P8YQFD__d9YKvyzWBQ8o7h9xA2Xg5l-v25S926JCbWPYF9YcmC7wi737QDHKmudqbPgL3WY6GnYdEItGZc63D5ZGDzweHV9Yai3zkBBVvzjVCMWKWnCQjB-hXIfw-AuPffvpjhFLzUzjmKU
Filer: durga.behera
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 14 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5799131625029632
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00000048
Crash State:
  aura::Window::GetRootWindow
  aura::Window::GetRootWindow
  aura::client::ParentWindowWithContext
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=397536:397683
Minimized Testcase (103.15 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95xdSQ7WVCE9H_oqiTT-w5nB_IZprfEU1wludmYWJEUCGsj0UhbZ8g6bxvOWPxRHc8Q0apmsQwU_AROgop1TS9bV1o_V28V81KCrnaiqc99GgLIrCchlE7rcLtFzWtpGMnT4uZYP8Fgxb_LCOTRryKdabHvEX_aPWa9SoCKNXjzFZoJa98
Filer: durga.behera
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 14 2016
ClusterFuzz has detected this issue as fixed in range 398017:398351.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6385497907920896
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000080
Crash State:
  aura::Window::GetRootWindow
  aura::client::ParentWindowWithContext
  views::NativeWidgetAura::InitNativeWidget
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=398017:398351
Minimized Testcase (19.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96nmUmWsFTFyrW7j1qDYaHtBYIA4xuGvUq9P8YQFD__d9YKvyzWBQ8o7h9xA2Xg5l-v25S926JCbWPYF9YcmC7wi737QDHKmudqbPgL3WY6GnYdEItGZc63D5ZGDzweHV9Yai3zkBBVvzjVCMWKWnCQjB-hXIfw-AuPffvpjhFLzUzjmKU
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 15 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6064156893773824
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000080
Crash State:
  aura::Window::GetRootWindow
  aura::client::ParentWindowWithContext
  views::NativeWidgetAura::InitNativeWidget
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703
Minimized Testcase (19.61 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95VCE5cEUcwn3g8KecBYdhPZbtqAf-XGmg-DFI2dbWNXIfuEPIqQDVgsyFmrrPVUN4zJlAh7Izxq7uQKdiZ-nh-AyXxYRGPKLZkZX43-TCUeG1pVS7xlLmVwb4PSEgVS27y5nqe-brjtnMKnwRJ94MQe6r5X5f7OOm3T2YvCISLxGrcN78
Filer: durga.behera
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 15 2016
As per comments #4 and #9 above, this is fixed as of June 7, but ClusterFuzz is still detecting this failure (comments #8 and #10). sky@: could you please take a look at this and update further?
Jun 16 2016
ClusterFuzz has detected this issue as fixed in range 398017:398351.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6064156893773824
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000080
Crash State:
  aura::Window::GetRootWindow
  aura::client::ParentWindowWithContext
  views::NativeWidgetAura::InitNativeWidget
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=398017:398351
Minimized Testcase (19.61 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95VCE5cEUcwn3g8KecBYdhPZbtqAf-XGmg-DFI2dbWNXIfuEPIqQDVgsyFmrrPVUN4zJlAh7Izxq7uQKdiZ-nh-AyXxYRGPKLZkZX43-TCUeG1pVS7xlLmVwb4PSEgVS27y5nqe-brjtnMKnwRJ94MQe6r5X5f7OOm3T2YvCISLxGrcN78
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 24 2016
ClusterFuzz has detected this issue as fixed in range 401085:401117.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5799131625029632
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00000048
Crash State:
  aura::Window::GetRootWindow
  aura::Window::GetRootWindow
  aura::client::ParentWindowWithContext
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=397536:397683
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=401085:401117
Minimized Testcase (103.15 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95xdSQ7WVCE9H_oqiTT-w5nB_IZprfEU1wludmYWJEUCGsj0UhbZ8g6bxvOWPxRHc8Q0apmsQwU_AROgop1TS9bV1o_V28V81KCrnaiqc99GgLIrCchlE7rcLtFzWtpGMnT4uZYP8Fgxb_LCOTRryKdabHvEX_aPWa9SoCKNXjzFZoJa98?testcase_id=5799131625029632
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 24 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 24 2016
I don't think this is fixed. The crash is happening because we're setting the parent of a bubble to an aura::Window that is not attached to the root. NativeWidgetAura doesn't deal with this (more specifically aura::client::ParentWindowWithContext). It seems like the validation bubble should not be displayed if the webcontents isn't attached to a valid root.
Jun 24 2016
Issue 619881 has been merged into this issue.
Jun 27 2016
Scott, can you repro this on the above test cases? I can't (on stable or on tot). I don't know how or why the validation bubble is being triggered given the test case. It does seem likely that a validation message attached to a blocked-popup webcontents could be the culprit, but where exactly to early-abort is not clear to me (in BubbleDialogDelegate? In Browser::ShowValidationMessage? etc.) without being able to investigate the crash.
Jun 27 2016
I was not able to repro either. My guess is Browser::ShowValidationMessage is the right place for the early out.
Jun 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ba9261ea5d0e1f9a8a29657d8f8fb369d9e9143d

commit ba9261ea5d0e1f9a8a29657d8f8fb369d9e9143d
Author: estade <estade@chromium.org>
Date: Tue Jun 28 00:47:11 2016

Don't attempt to show validation bubble for unparented web contents.

This fix is speculative because I can't actually repro the bug.

BUG=616990
Review-Url: https://codereview.chromium.org/2104513004
Cr-Commit-Position: refs/heads/master@{#402349}

[modify] https://crrev.com/ba9261ea5d0e1f9a8a29657d8f8fb369d9e9143d/chrome/browser/ui/browser.cc
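A minimal model, added here and not Chromium's own code, of why parenting a bubble to a detached aura::Window crashes and where the early-out that the fix describes belongs. The Window struct, ParentWindowWithContext and ShowValidationMessage below are hypothetical stand-ins for aura::Window, aura::client::ParentWindowWithContext and Browser::ShowValidationMessage.

```cpp
#include <vector>

// Hypothetical stand-in for aura::Window: a tree node that knows whether it
// is a root. A window whose ancestor chain never reaches a root is "detached".
struct Window {
  Window* parent = nullptr;
  bool is_root = false;
  std::vector<Window*> children;

  // Walk up the parent chain; nullptr means this window is not attached.
  Window* GetRootWindow() {
    Window* w = this;
    while (w && !w->is_root) w = w->parent;
    return w;
  }
  void AddChild(Window* child) {
    child->parent = this;
    children.push_back(child);
  }
};

// Stand-in for aura::client::ParentWindowWithContext: it assumes the context
// window is attached and dereferences its root. With a detached context the
// root is null, which is the shape of the "UNKNOWN READ at 0x80" in the report.
Window* ParentWindowWithContext(Window* bubble, Window* context) {
  Window* root = context->GetRootWindow();
  root->AddChild(bubble);
  return root;
}

// Stand-in for Browser::ShowValidationMessage after the fix: refuse to show
// the bubble when the WebContents' native view has no root window.
// Returns true if the bubble was shown.
bool ShowValidationMessage(Window* bubble, Window* web_contents_view) {
  if (!web_contents_view || !web_contents_view->GetRootWindow())
    return false;  // early out: nothing valid to parent the bubble to
  ParentWindowWithContext(bubble, web_contents_view);
  return true;
}

int main() {
  Window root; root.is_root = true;
  Window attached; root.AddChild(&attached);
  Window detached;  // e.g. a blocked-popup WebContents never shown in a window
  Window bubble_ok, bubble_skipped;
  ShowValidationMessage(&bubble_ok, &attached);       // shown, parented to root
  ShowValidationMessage(&bubble_skipped, &detached);  // skipped instead of crashing
  return 0;
}
```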
Jun 28 2016
Maybe fixed? Not sure how to verify.
Jun 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5743524545036288
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000080
Crash State:
  aura::Window::GetRootWindow
  aura::client::ParentWindowWithContext
  views::NativeWidgetAura::InitNativeWidget
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703
Minimized Testcase (19.58 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95YEWPGYyRx4tihJlKVP5imOLCwVUankXfeXOePUrDnxijlyFw9Lbk9mV3TLq4DPpQLDCsJW766xT9dJSDKrisnXlii5-yTKtmFu9lU_L34esifC-I7dz0LcJA-Ebx3UkITxKU1P-VeQb8gs1ut9ldDWw4anDmSfYM6LTrl5X5h3LT8oms?testcase_id=5743524545036288
Filer: mmohammad
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 30 2016
ClusterFuzz has detected this issue as fixed in range 398017:398351.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5743524545036288
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000080
Crash State:
  aura::Window::GetRootWindow
  aura::client::ParentWindowWithContext
  views::NativeWidgetAura::InitNativeWidget
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=398017:398351
Minimized Testcase (19.58 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95YEWPGYyRx4tihJlKVP5imOLCwVUankXfeXOePUrDnxijlyFw9Lbk9mV3TLq4DPpQLDCsJW766xT9dJSDKrisnXlii5-yTKtmFu9lU_L34esifC-I7dz0LcJA-Ebx3UkITxKU1P-VeQb8gs1ut9ldDWw4anDmSfYM6LTrl5X5h3LT8oms?testcase_id=5743524545036288
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 2 2016
Since this is P3, removing milestone.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ajha@chromium.org, Jun 3 2016
Labels: -Type-Bug Te-Logged M-53 Type-Bug-Regression
Owner: sky@chromium.org
Status: Assigned (was: Available)