Crash in blink::WebViewImpl::dragTargetDragOver (fuzzing gives impossible/invalid event sequence via test_runner::EventSender)
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5615418828128256
Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x0000002b
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseMove
  test_runner::EventSender::MouseMoveTo
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=397237:397239
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96JqEyj_bAlsZYCAvHi4aq2QuWiaj9Y1rpERajW-DTaVS-U8z4AaTyOQMaKhI9y9sUCLeRvmQ88Oo-gvfDDNNGroSzzz2AlQb1OGmJ8gQZhYMHFetBnF83pkUBh_BuZ11fAGFW0yyE7OfGRkR5WCnAvjR7Rhw
Filer: ashejole
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 9 2016
I can't repro using either ToT or the build referred to from the crash report. Example cmdline I attempted to repro with:

$ python $CF_HOME/clusterfuzz/src/tools/on_demand/run_gestures_on_device_local.py --config ~/Downloads/config_5615418828128256.zip --build ~/Downloads/asan-win32-release-398351/ --verbose
Jun 9 2016
Wait, I might be very confused here - the above was run on a Linux machine (when the build says "win32"), so I think my repro steps are suspect...
Jun 9 2016
Jun 10 2016
This looks like another case of re-entrantly starting a drag inside another drag. That's not supported at all today, because it's an impossible sequence of events. We may have to make Blink robust against this eventually, because of Blimp, but for the moment, it's "WAI". For example, see https://codereview.chromium.org/839253002/
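The comment above (#c5) treats a drag started inside another drag as an impossible event sequence that Blink does not yet guard against, and notes that it may eventually have to. The small crash addresses in the reports (0x0000002b, 0x000000000038) are constant offsets, which is consistent with a field access through a null pointer rather than an attacker-steered address, so the practical fix is a state check, not a bounds check. What follows is an added illustration, not Blink's WebViewImpl or test_runner's EventSender code, of what such a guard looks like on a minimal model: a drop target that records whether a drag is active, refuses DragEnter while one is in progress, and refuses DragOver/Drop when none is, instead of acting on state that was never set. The DragTarget class, the status enum, the event kinds and the two event sequences are all constructed for the example; nothing is taken from the ClusterFuzz testcases.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Small model of a drop target's per-drag state machine. This is example code,
// not Blink's WebViewImpl or test_runner's EventSender; the names and the
// status enum are assumptions made for the illustration.
enum class DragStatus { kOk, kNoDragInProgress, kDragAlreadyInProgress };

struct DragData {
  std::string mime_type;
  int x;
  int y;
};

class DragTarget {
 public:
  // A new drag while one is active is the re-entrant case from the thread:
  // refuse it instead of overwriting the live drag's state.
  DragStatus DragEnter(const DragData& data) {
    if (drag_active_) return DragStatus::kDragAlreadyInProgress;
    current_drag_ = data;
    drag_active_ = true;
    return DragStatus::kOk;
  }

  // DragOver only has state to read between DragEnter and DragLeave/Drop.
  // Outside that window there is nothing valid to dereference, so refuse.
  DragStatus DragOver(int x, int y) {
    if (!drag_active_) return DragStatus::kNoDragInProgress;
    current_drag_.x = x;
    current_drag_.y = y;
    return DragStatus::kOk;
  }

  DragStatus DragLeave() {
    if (!drag_active_) return DragStatus::kNoDragInProgress;
    drag_active_ = false;
    return DragStatus::kOk;
  }

  DragStatus Drop() {
    if (!drag_active_) return DragStatus::kNoDragInProgress;
    drag_active_ = false;  // Drop ends the drag; a later DragOver must be refused.
    return DragStatus::kOk;
  }

  bool drag_active() const { return drag_active_; }

 private:
  bool drag_active_ = false;
  DragData current_drag_{"", 0, 0};
};

enum class EventKind { kEnter, kOver, kLeave, kDrop };
struct DragEvent { EventKind kind; int x; int y; };

// Replays an event list against a fresh target and returns how many events
// were refused by the guards rather than acted on.
int CountRejectedEvents(const std::vector<DragEvent>& events) {
  DragTarget target;
  int rejected = 0;
  for (const DragEvent& e : events) {
    DragStatus status = DragStatus::kOk;
    switch (e.kind) {
      case EventKind::kEnter: status = target.DragEnter({"text/plain", e.x, e.y}); break;
      case EventKind::kOver:  status = target.DragOver(e.x, e.y); break;
      case EventKind::kLeave: status = target.DragLeave(); break;
      case EventKind::kDrop:  status = target.Drop(); break;
    }
    if (status != DragStatus::kOk) ++rejected;
  }
  return rejected;
}

// Constructed sequences for the example; these are not the ClusterFuzz testcases.
const std::vector<DragEvent> kWellFormedSequence = {
    {EventKind::kEnter, 10, 10}, {EventKind::kOver, 20, 20}, {EventKind::kDrop, 20, 20}};

const std::vector<DragEvent> kReentrantSequence = {
    {EventKind::kEnter, 10, 10}, {EventKind::kOver, 20, 20},
    {EventKind::kEnter, 30, 30},  // second drag started inside the first: refused
    {EventKind::kOver, 40, 40},   // still the first drag, accepted
    {EventKind::kDrop, 40, 40},
    {EventKind::kOver, 50, 50}};  // move after the drag ended: refused

int main() {
  std::printf("well-formed: %d rejected\n", CountRejectedEvents(kWellFormedSequence));
  std::printf("re-entrant:  %d rejected\n", CountRejectedEvents(kReentrantSequence));
  return 0;
}
```

The point of returning a status instead of asserting is that a fuzzer or a remote-rendering client (the Blimp case mentioned in the thread) can always send an out-of-order event; the target should treat that as an input error to drop, not as an invariant violation to crash on.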
Jun 10 2016
Hmmm... I am not sure if based on #c5 we should 1) resolve this bug as WontFix vs. 2) keep this bug open so eventually somebody can make it work (for Blimp + for fewer false positives from input event fuzzing).
Jun 10 2016
I tried running it 2500 times on the linux build 398351 to reproduce https://cluster-fuzz.appspot.com/testcase?key=5615418828128256 but did not succeed. I can try it on a windows machine if people think that'll have better results.
Jun 10 2016
bjoyce@ - per #c5 it might not be a high priority for this bug, but figuring out how to run ClusterFuzz repros on Windows might be a worthy goal in itself. I am not sure exactly why the behavior might be different on Windows, but the comment from components/test_runner/web_view_test_client.cc makes the difference seem plausible:

  // When running a test, we need to fake a drag drop operation otherwise
  // Windows waits for real mouse events to know when the drag is over.
  web_test_proxy_base_->event_sender()->DoDragDrop(data, mask);
Jun 10 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5137885481402368
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x0000002b
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseMove
  test_runner::EventSender::MouseMoveTo
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=398799:398814
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96yVrW20Wd71qIrT3CnBHMbIACj96gj6sRsErcX9l4cv8oCJeRuLt7VYkVKlUoSXpbtLnAy7u17e05ZZANNyEt3Ae3hGmAnXhfMrrFll2JHn9QBrILJcaYG_Tauf8cHf5UhdjaCbloUtMvUTuh_FvYYeA9LUw
Filer: mummareddy
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 10 2016
Jun 13 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5137885481402368
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x0000002b
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseMove
  test_runner::EventSender::MouseMoveTo
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=398799:398814
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96yVrW20Wd71qIrT3CnBHMbIACj96gj6sRsErcX9l4cv8oCJeRuLt7VYkVKlUoSXpbtLnAy7u17e05ZZANNyEt3Ae3hGmAnXhfMrrFll2JHn9QBrILJcaYG_Tauf8cHf5UhdjaCbloUtMvUTuh_FvYYeA9LUw
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6227949028376576
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x0000002b
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseMove
  test_runner::EventSender::MouseMoveTo
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=399471:399504
Minimized Testcase (1.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95O7F462OAMJ0C752ZIhkppM78sSHH4xXLiF3_dlq2kXXo3CS-Ufx0ISnLLF3V25AdG1iBYEvKg0T6LFWoccITJfAG1lB6tyxIE1FahyrfR6-GgC0slexQBjyTa_qyQLZ5nlmGfVCSQpBhmN2ObM0I-cZAWvA
Filer: durga.behera
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 14 2016
Initiated a Redo-Fix to see if it's fixed.
Jun 18 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5626286555004928
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x0000002b
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseUp
  test_runner::EventSender::PointerUp
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=400252:400269
Minimized Testcase (1.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94-Ed5FmyklZoFua6FeNci16ooOb1EyCWHTqn5J48yoQC-QU2RcJk7L_Uh7cZqH1mguBJNb9nXQXsHEDamKQ4x0CMoLKOpFJOu2E4RBZyBR9o59zsQPJpQHqi87pkqM4MtOL9nCSY06q4tQEP-A4yk31HjKMw?testcase_id=5626286555004928
Filer: inferno
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 1 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6227949028376576
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x0000002b
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseMove
  test_runner::EventSender::MouseMoveTo
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=399471:399504
Minimized Testcase (1.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95O7F462OAMJ0C752ZIhkppM78sSHH4xXLiF3_dlq2kXXo3CS-Ufx0ISnLLF3V25AdG1iBYEvKg0T6LFWoccITJfAG1lB6tyxIE1FahyrfR6-GgC0slexQBjyTa_qyQLZ5nlmGfVCSQpBhmN2ObM0I-cZAWvA?testcase_id=6227949028376576
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 6 2016
Moving this nonessential bug to the next milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 8 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5803648064159744
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0x000000000038
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::MouseMoveTo
  gin::internal::Dispatcher<void
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=268656:269696
Minimized Testcase (0.81 Kb): https://cluster-fuzz.appspot.com/download/AMIfv940fmjFM2hEDu7SLnRkYR-FsqlWh_ovDZiLqUk7fefkClNYs8zYV2NiDmJrdA89u5cDXxSkHQ65lA1srYEHToaSQ4Ai-yTNwGAc27qEbn1Sm9HpEMwJSeIHxw2rBiUnqXAXwS_V9BoDo_lr05uWUn2kIr7ZqQ?testcase_id=5803648064159744
Filer: mummareddy
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 9 2016
ClusterFuzz has detected this issue as fixed in range 402177:402198.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5803648064159744
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0x000000000038
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::MouseMoveTo
  gin::internal::Dispatcher<void
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=268656:269696
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=402177:402198
Minimized Testcase (0.81 Kb): https://cluster-fuzz.appspot.com/download/AMIfv940fmjFM2hEDu7SLnRkYR-FsqlWh_ovDZiLqUk7fefkClNYs8zYV2NiDmJrdA89u5cDXxSkHQ65lA1srYEHToaSQ4Ai-yTNwGAc27qEbn1Sm9HpEMwJSeIHxw2rBiUnqXAXwS_V9BoDo_lr05uWUn2kIr7ZqQ?testcase_id=5803648064159744
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 13 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5268052774223872
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: UNKNOWN WRITE
Crash Address: 0x000000000038
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseMove
  test_runner::EventSender::MouseMoveTo
Minimized Testcase (1.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956o_XNvKABgGeguQo2piX_qEZdoyhoi8yiyMaBSxVL0eS7qiqu0aNDDh_m21iS9X92gSe6ctUgXX0STFD_NjLaFy--h3TIOyLqy36JjYPZ-F5XQNc8Xf9p5jd5sVWhxh_rdTpUNM9FTxTZ2sarkREFN86YeQ?testcase_id=5268052774223872
Filer: brajkumar
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 15 2016
ClusterFuzz has detected this issue as fixed in range 405500:405563.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5268052774223872
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: UNKNOWN WRITE
Crash Address: 0x000000000038
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseMove
  test_runner::EventSender::MouseMoveTo
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=405500:405563
Minimized Testcase (1.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956o_XNvKABgGeguQo2piX_qEZdoyhoi8yiyMaBSxVL0eS7qiqu0aNDDh_m21iS9X92gSe6ctUgXX0STFD_NjLaFy--h3TIOyLqy36JjYPZ-F5XQNc8Xf9p5jd5sVWhxh_rdTpUNM9FTxTZ2sarkREFN86YeQ?testcase_id=5268052774223872
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 26 2016
[Bulk edit] Setting tracking label Blimp-M54-Proj-Scope. This label is for scope tracking purposes only and should not be added / removed from any bugs, even if we add additional bugs to M-54 scope, or remove this bug from M-54 scope.
Aug 23 2016
Sep 21 2016
Marking 'Fixed' as per c#20. Thank you!
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 9 2016
Comment 1 by ashej...@chromium.org, Jun 8 2016
Components: Tools>Test>FindIt>CorrectResult
Labels: findit-for-crash Te-Logged M-53
Owner: lukasza@chromium.org
Status: Assigned (was: Available)