
Issue 618303


Issue metadata

Status: Fixed
Owner: ----
Closed: Sep 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug




Crash in blink::WebViewImpl::dragTargetDragOver (fuzzing gives impossible/invalid event sequence via test_runner::EventSender)

Reported by ClusterFuzz (Project Member), Jun 8 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5615418828128256

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000002b
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseMove
  test_runner::EventSender::MouseMoveTo
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=397237:397239

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96JqEyj_bAlsZYCAvHi4aq2QuWiaj9Y1rpERajW-DTaVS-U8z4AaTyOQMaKhI9y9sUCLeRvmQ88Oo-gvfDDNNGroSzzz2AlQb1OGmJ8gQZhYMHFetBnF83pkUBh_BuZ11fAGFW0yyE7OfGRkR5WCnAvjR7Rhw


Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ashej...@chromium.org
Components: Tools>Test>FindIt>CorrectResult
Labels: findit-for-crash Te-Logged M-53
Owner: lukasza@chromium.org
Status: Assigned (was: Available)
Suspected CLs: No CL in the regression range changes the crashed files. The result is the blame information.

Author: lukasza
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/335bb76db170d76ba46fa003a8838255a5d46187
Time: Fri Apr 22 16:44:03 2016
The CL last changed line 2677 of file event_sender.cc, which is stack frame 3.

Author: nzolghadr
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4314603787d422f185b057b6b0a460fcf837a440
Time: Mon Apr 11 15:33:38 2016
The CL last changed line 2145 of file event_sender.cc, which is stack frame 4.

Author: tfarina@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/3db130eb9f60904eaa96abeae645a54fab33b9d0
Time: Thu Mar 27 08:14:48 2014
The CL last changed line 940 of file event_sender.cc, which is stack frame 5.

Author: tzik
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4435e804b6344b27942c68fd3c5b195daebacddb
Time: Wed May 11 23:05:05 2016
The CL last changed line 187 of file bind_internal.h, which is stack frame 6.

Suspected Project: chromium


-----------------------------

From the above suspected CL, @lukasza - Hey, would you mind checking the above issue and seeing if it's related to your change?

Appreciate your help.

Thank you!
I can't repro using either ToT or the build referred to from the crash report.  Example cmdline I attempted to repro with:

$ python $CF_HOME/clusterfuzz/src/tools/on_demand/run_gestures_on_device_local.py --config ~/Downloads/config_5615418828128256.zip --build ~/Downloads/asan-win32-release-398351/ --verbose
Wait, I might be very confused here - the above was run on a Linux machine (when the build says "win32"), so I think my repro steps are suspect...
Cc: bjoyce@chromium.org

Comment 5 by dcheng@chromium.org, Jun 10 2016

Cc: w...@chromium.org rbyers@chromium.org
This looks like another case of re-entrantly starting a drag inside another drag. That's not supported at all today, because it's an impossible sequence of events. We may have to make Blink robust against this eventually, because of Blimp, but for the moment, it's "WAI".

For example, see https://codereview.chromium.org/839253002/
Cc: lukasza@chromium.org
Components: Mobile>Blimp>Client
Labels: -Pri-1 Pri-3
Owner: ----
Status: Available (was: Assigned)
Summary: Crash in blink::WebViewImpl::dragTargetDragOver (fuzzing gives impossible/invalid event sequence via test_runner::EventSender) (was: Crash in blink::WebViewImpl::dragTargetDragOver)
Hmmm... I am not sure if based on #c5 we should 1) resolve this bug as WontFix vs. 2) keep this bug open so eventually somebody can make it work (for Blimp + for fewer false positives from input event fuzzing).

Comment 7 by bjoyce@chromium.org, Jun 10 2016

I tried running it 2500 times on the linux build 398351 to reproduce https://cluster-fuzz.appspot.com/testcase?key=5615418828128256 but did not succeed. I can try it on a windows machine if people think that'll have better results.
bjoyce@ - per #c5 it might not be a high priority for this bug, but figuring out how to run ClusterFuzz repros on Windows might be a worthy goal in itself.  I am not sure exactly why the behavior might be different on Windows, but the comment from components/test_runner/web_view_test_client.cc makes the difference seem plausible:

  // When running a test, we need to fake a drag drop operation otherwise
  // Windows waits for real mouse events to know when the drag is over.
  web_test_proxy_base_->event_sender()->DoDragDrop(data, mask);
Comment 9 by ClusterFuzz (Project Member), Jun 10 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5137885481402368

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000002b
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseMove
  test_runner::EventSender::MouseMoveTo
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=398799:398814

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96yVrW20Wd71qIrT3CnBHMbIACj96gj6sRsErcX9l4cv8oCJeRuLt7VYkVKlUoSXpbtLnAy7u17e05ZZANNyEt3Ae3hGmAnXhfMrrFll2JHn9QBrILJcaYG_Tauf8cHf5UhdjaCbloUtMvUTuh_FvYYeA9LUw


Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Cc: tzik@chromium.org
Comment 11 by ClusterFuzz (Project Member), Jun 13 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5137885481402368

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000002b
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseMove
  test_runner::EventSender::MouseMoveTo
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=398799:398814

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96yVrW20Wd71qIrT3CnBHMbIACj96gj6sRsErcX9l4cv8oCJeRuLt7VYkVKlUoSXpbtLnAy7u17e05ZZANNyEt3Ae3hGmAnXhfMrrFll2JHn9QBrILJcaYG_Tauf8cHf5UhdjaCbloUtMvUTuh_FvYYeA9LUw


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 12 by ClusterFuzz (Project Member), Jun 14 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6227949028376576

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000002b
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseMove
  test_runner::EventSender::MouseMoveTo
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=399471:399504

Minimized Testcase (1.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95O7F462OAMJ0C752ZIhkppM78sSHH4xXLiF3_dlq2kXXo3CS-Ufx0ISnLLF3V25AdG1iBYEvKg0T6LFWoccITJfAG1lB6tyxIE1FahyrfR6-GgC0slexQBjyTa_qyQLZ5nlmGfVCSQpBhmN2ObM0I-cZAWvA

Filer: durga.behera

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Initiated a Redo-Fix, to see if it's fixed.
Comment 14 by ClusterFuzz (Project Member), Jun 18 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5626286555004928

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000002b
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseUp
  test_runner::EventSender::PointerUp
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=400252:400269

Minimized Testcase (1.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94-Ed5FmyklZoFua6FeNci16ooOb1EyCWHTqn5J48yoQC-QU2RcJk7L_Uh7cZqH1mguBJNb9nXQXsHEDamKQ4x0CMoLKOpFJOu2E4RBZyBR9o59zsQPJpQHqi87pkqM4MtOL9nCSY06q4tQEP-A4yk31HjKMw?testcase_id=5626286555004928

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 15 by ClusterFuzz (Project Member), Jul 1 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6227949028376576

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000002b
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseMove
  test_runner::EventSender::MouseMoveTo
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=399471:399504

Minimized Testcase (1.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95O7F462OAMJ0C752ZIhkppM78sSHH4xXLiF3_dlq2kXXo3CS-Ufx0ISnLLF3V25AdG1iBYEvKg0T6LFWoccITJfAG1lB6tyxIE1FahyrfR6-GgC0slexQBjyTa_qyQLZ5nlmGfVCSQpBhmN2ObM0I-cZAWvA?testcase_id=6227949028376576

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 16 by sheriffbot@chromium.org (Project Member), Jul 6 2016

Labels: -M-53 M-54 MovedFrom-53
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 17 by ClusterFuzz (Project Member), Jul 8 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5803648064159744

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN WRITE
Crash Address: 0x000000000038
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::MouseMoveTo
  gin::internal::Dispatcher<void
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=268656:269696

Minimized Testcase (0.81 Kb): https://cluster-fuzz.appspot.com/download/AMIfv940fmjFM2hEDu7SLnRkYR-FsqlWh_ovDZiLqUk7fefkClNYs8zYV2NiDmJrdA89u5cDXxSkHQ65lA1srYEHToaSQ4Ai-yTNwGAc27qEbn1Sm9HpEMwJSeIHxw2rBiUnqXAXwS_V9BoDo_lr05uWUn2kIr7ZqQ?testcase_id=5803648064159744

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 18 by ClusterFuzz (Project Member), Jul 9 2016

ClusterFuzz has detected this issue as fixed in range 402177:402198.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5803648064159744

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN WRITE
Crash Address: 0x000000000038
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::MouseMoveTo
  gin::internal::Dispatcher<void
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=268656:269696
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=402177:402198

Minimized Testcase (0.81 Kb): https://cluster-fuzz.appspot.com/download/AMIfv940fmjFM2hEDu7SLnRkYR-FsqlWh_ovDZiLqUk7fefkClNYs8zYV2NiDmJrdA89u5cDXxSkHQ65lA1srYEHToaSQ4Ai-yTNwGAc27qEbn1Sm9HpEMwJSeIHxw2rBiUnqXAXwS_V9BoDo_lr05uWUn2kIr7ZqQ?testcase_id=5803648064159744

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 19 by ClusterFuzz (Project Member), Jul 13 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5268052774223872

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN WRITE
Crash Address: 0x000000000038
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseMove
  test_runner::EventSender::MouseMoveTo
  

Minimized Testcase (1.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956o_XNvKABgGeguQo2piX_qEZdoyhoi8yiyMaBSxVL0eS7qiqu0aNDDh_m21iS9X92gSe6ctUgXX0STFD_NjLaFy--h3TIOyLqy36JjYPZ-F5XQNc8Xf9p5jd5sVWhxh_rdTpUNM9FTxTZ2sarkREFN86YeQ?testcase_id=5268052774223872

Filer: brajkumar

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 20 by ClusterFuzz (Project Member), Jul 15 2016

ClusterFuzz has detected this issue as fixed in range 405500:405563.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5268052774223872

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN WRITE
Crash Address: 0x000000000038
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseMove
  test_runner::EventSender::MouseMoveTo
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=405500:405563

Minimized Testcase (1.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv956o_XNvKABgGeguQo2piX_qEZdoyhoi8yiyMaBSxVL0eS7qiqu0aNDDh_m21iS9X92gSe6ctUgXX0STFD_NjLaFy--h3TIOyLqy36JjYPZ-F5XQNc8Xf9p5jd5sVWhxh_rdTpUNM9FTxTZ2sarkREFN86YeQ?testcase_id=5268052774223872

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: Blimp-M54-Proj-Scope
[Bulk edit]

Setting tracking label Blimp-M54-Proj-Scope.  This label is for scope tracking purposes only and should not be added / removed from any bugs, even if we add additional bugs to M-54 scope, or remove this bug from M-54 scope.
Labels: -M-54 M-55
Status: Fixed (was: Available)
Marking 'Fixed' as per c#20.

Thank you!
Comment 24 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Archive-Blimp
