
Issue 619376 link

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Security

Crash in mojo::InterfacePtr<media::mojom::blink::ImageCapture>::reset

Project Member Reported by ClusterFuzz, Jun 12 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4771448996757504

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x7eb0df02dd70
Crash State:
  mojo::InterfacePtr<media::mojom::blink::ImageCapture>::reset
  blink::ImageCapture::onServiceConnectionError
  mojo::internal::Router::OnConnectionError
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=391023:391189

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97_iSoRm467yPxwB1gLlynLv9QIKsDhyNPXOpmZhaF6nrN_vGRjEIrE36mZWnBcs3agw0Jyry0CDy06EctxY5BDQ8mHsSbG4-uNnPvctZAhUBhccEu95-l-Gv9b45ie3j94QT2yf-t0wkcxLSejixDCrxJr2w
<canvas id='canvas0'>
<script>
  var stream = canvas0.captureStream();
  var capturer = new ImageCapture(stream.getVideoTracks()[0]);
</script>


Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: -Security_Severity-Medium Security_Severity-High
Owner: mcasas@chromium.org
Status: Assigned (was: Available)
Author: mcasas
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/5b6b8cb7dce823cd25c9ff0aa695559b4bc3a432
Time: Tue May 03 03:13:39 2016
File ImageCapture.cpp is changed in this cl (and is part of stack frame #3, "blink::ImageCapture::onServiceConnectionError")
Minimum distance from crash line to modified line: 27. (file: ImageCapture.cpp, crashed on: 194, modified: 167).

Suspected Project: chromium

Comment 2 by sheriffbot@chromium.org, Jun 12 2016

Labels: M-52

Comment 3 by sheriffbot@chromium.org, Jun 12 2016

Labels: ReleaseBlock-Stable

Comment 4 by sheriffbot@chromium.org, Jun 12 2016

Labels: Pri-1
Components: Internals>Mojo

Comment 6 by mcasas@chromium.org, Jun 15 2016

Labels: -Pri-1 -Security_Severity-High -ReleaseBlock-Stable Pri-2
Lowering prio since this code is all behind the chrome://flags/#enable-experimental-web-platform-features flag, so is probably used by just a handful of developers.

Comment 7 by mcasas@chromium.org, Jun 15 2016

Components: Blink>MediaStream>ImageCapture

Comment 8 by est...@chromium.org, Jun 15 2016

Labels: Security_Severity-Medium

Comment 9 by sheriffbot@chromium.org, Jun 16 2016

Labels: ReleaseBlock-Stable
Any update on this bug as it is marked as M52 stable blocker?
Labels: -ReleaseBlock-Stable
Like I said in #6, this code is behind a flag: chrome://flags/#enable-experimental-web-platform-features

sheriffbot@ put the stable blocker label in #9, removing.

Comment 12 by sheriffbot@chromium.org, Jun 17 2016

Labels: ReleaseBlock-Stable
Labels: -ReleaseBlock-Stable
Argh! releaseblock-stable again!
How can I prevent sheriffbot@ from adding it again?
Labels: -Security_Impact-Beta Security_Impact-None
In this case, by updating security impact to None, which indicates that it's not a bug in a component that's enabled by default. ReleaseBlock-NA would also work.
Cc: roc...@chromium.org reillyg@chromium.org
Cc: haraken@chromium.org
From the stack it looks like the mojo::InterfacePtr that blink::ImageCapture is holding has become invalid. That would be possible if the ImageCapture has been freed but since we used WeakPersistentThisPointer the WTF::Function shouldn't have been called in this case.

    #0 0x10aee13a8 in swap<media::mojom::blink::ImageCaptureProxy *> third_party/llvm-build/Release+Asserts/include/c++/v1/type_traits:4423:9
    #1 0x10aee13a8 in Swap mojo/public/cpp/bindings/lib/interface_ptr_state.h:92
    #2 0x10aee13a8 in mojo::InterfacePtr<media::mojom::blink::ImageCapture>::reset() mojo/public/cpp/bindings/interface_ptr.h:121
    #3 0x10aee0a35 in blink::ImageCapture::onServiceConnectionError() third_party/WebKit/Source/modules/imagecapture/ImageCapture.cpp:197:15
    #4 0x10aee79e4 in operator()<> third_party/WebKit/Source/wtf/Functional.h:188:16
    #5 0x10aee79e4 in callInternal<0> third_party/WebKit/Source/wtf/Functional.h:350
    #6 0x10aee79e4 in WTF::PartBoundFunctionImpl<(WTF::FunctionThreadAffinity)1, std::__1::tuple<blink::WeakPersistentThisPointer<blink::ImageCapture>&&>, WTF::FunctionWrapper<void (blink::ImageCapture::*)()> >::operator()() third_party/WebKit/Source/wtf/Functional.h:341
    #7 0x1087d1218 in Run mojo/public/cpp/bindings/callback.h:82:24
    #8 0x1087d1218 in mojo::internal::Router::OnConnectionError() mojo/public/cpp/bindings/lib/router.cc:312
    #9 0x1087b03d4 in Run mojo/public/cpp/bindings/callback.h:82:24
    #10 0x1087b03d4 in mojo::internal::Connector::HandleError(bool, bool) mojo/public/cpp/bindings/lib/connector.cc:342
    #11 0x1087b1327 in OnHandleReadyInternal mojo/public/cpp/bindings/lib/connector.cc:226:5
    #12 0x1087b1327 in mojo::internal::Connector::OnWatcherHandleReady(unsigned int) mojo/public/cpp/bindings/lib/connector.cc:209
    #13 0x1087e2485 in Run base/callback.h:397:12
    #14 0x1087e2485 in OnHandleReady mojo/public/cpp/system/watcher.cc:122
    #15 0x1087e2485 in mojo::Watcher::MessageLoopObserver::WillDestroyCurrentMessageLoop() mojo/public/cpp/system/watcher.cc:32
    #16 0x10537a084 in base::MessageLoop::~MessageLoop() base/message_loop/message_loop.cc:173:3
    #17 0x10537b66d in ~MessageLoop base/message_loop/message_loop.cc:138:29
    #18 0x10537b66d in base::MessageLoop::~MessageLoop() base/message_loop/message_loop.cc:138
    #19 0x110169717 in operator() third_party/llvm-build/Release+Asserts/include/c++/v1/memory:2540:13
    #20 0x110169717 in reset third_party/llvm-build/Release+Asserts/include/c++/v1/memory:2746
    #21 0x110169717 in content::RenderThreadImpl::Shutdown() content/renderer/render_thread_impl.cc:965
    #22 0x10f78c9b6 in content::ChildProcess::~ChildProcess() content/child/child_process.cc:72:19
    #23 0x1102032e4 in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:210:3
    #24 0x1051228dc in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:787:12
    #25 0x10512042d in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:20:28
    #26 0x105040ed2 in ContentMain
    #27 0x1042e2c13 in start
    #16 0x1a  (<unknown module>)
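Added example, not Chromium code and not from this thread: a standalone C++ model of the lifetime hazard the comment above reasons about. A connection-error handler fires during teardown; bound to a plain pointer to an owner that has already been destroyed it would touch freed memory, while a weak binding lets the handler notice the owner is gone and return. FakePipe, Capturer, Simulate and the g_live registry are invented stand-ins for the mojo pipe, the Blink object and the message-loop teardown, not the real classes.

```cpp
// Added example (not Chromium code): teardown fires a connection-error handler
// whose owner may already be destroyed; a weak binding lets it detect that.
#include <functional>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Live Capturer addresses, so the demo reports a dangling pointer instead of
// dereferencing one (demo bookkeeping only; Blink has nothing like this).
static std::set<const void*> g_live;
class FakePipe {  // stand-in for the mojo pipe: fires its error handler on Close
 public:
  void SetErrorHandler(std::function<void()> h) { handler_ = h; }
  void Close() { if (handler_) handler_(); }
 private:
  std::function<void()> handler_;
};
class Capturer {  // stand-in for the Blink object owning an InterfacePtr
 public:
  explicit Capturer(std::vector<std::string>* log) : log_(log) { g_live.insert(this); }
  ~Capturer() { g_live.erase(this); }
  void OnServiceConnectionError() { log_->push_back("reset interface ptr on live owner"); }
 private:
  std::vector<std::string>* log_;
};

// Binds the handler, optionally destroys the owner first (as message-loop
// teardown can), then closes the pipe. Returns the recorded events.
std::vector<std::string> Simulate(bool bind_weak, bool destroy_owner_first) {
  std::vector<std::string> log;
  FakePipe pipe;
  auto owner = std::make_shared<Capturer>(&log);
  if (bind_weak) {
    std::weak_ptr<Capturer> weak = owner;  // observes the lifetime, does not extend it
    pipe.SetErrorHandler([weak, &log] {
      if (auto self = weak.lock()) self->OnServiceConnectionError();
      else log.push_back("owner gone: handler skipped");
    });
  } else {
    Capturer* raw = owner.get();  // the hazardous binding: a plain this pointer
    pipe.SetErrorHandler([raw, &log] {
      if (g_live.count(raw)) raw->OnServiceConnectionError();
      else log.push_back("owner gone: would dereference freed object");
    });
  }
  if (destroy_owner_first) owner.reset();
  pipe.Close();
  return log;
}
```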
So I just got bug 622298. It sounds like this might be hitting the same thing, whatever that is.
Hmm nevermind. It's probably not the same thing.

Comment 19 by ClusterFuzz, Jul 2 2016

ClusterFuzz has detected this issue as fixed in range 403412:403423.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4771448996757504

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x7eb0df02dd70
Crash State:
  mojo::InterfacePtr<media::mojom::blink::ImageCapture>::reset
  blink::ImageCapture::onServiceConnectionError
  mojo::internal::Router::OnConnectionError
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=391023:391189
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=403412:403423

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97_iSoRm467yPxwB1gLlynLv9QIKsDhyNPXOpmZhaF6nrN_vGRjEIrE36mZWnBcs3agw0Jyry0CDy06EctxY5BDQ8mHsSbG4-uNnPvctZAhUBhccEu95-l-Gv9b45ie3j94QT2yf-t0wkcxLSejixDCrxJr2w?testcase_id=4771448996757504
<canvas id='canvas0'>
<script>
  var stream = canvas0.captureStream();
  var capturer = new ImageCapture(stream.getVideoTracks()[0]);
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 20 by ClusterFuzz, Jul 2 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 21 by sheriffbot@chromium.org, Jul 2 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Issue 629002 has been merged into this issue.
Status: Assigned (was: Verified)
Bug 619376 is the same crash, but it doesn't look fixed at the moment.

Could you please take a look?
Components: -Blink>MediaStream>ImageCapture Blink>ImageCapture
Cc: mmoroz@chromium.org
Status: Fixed (was: Assigned)
#23: I'm not sure what you mean, you said "Bug 619376 is the same crash"... as this one? But this one is 619376 :-)

Anyway marking this issue as Fixed as per #19, please reopen if needed.

Comment 26 by sheriffbot@chromium.org, Jun 13 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
