Crash in mojo::InterfacePtr<media::mojom::blink::ImageCapture>::reset
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4771448996757504

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x7eb0df02dd70
Crash State:
  mojo::InterfacePtr<media::mojom::blink::ImageCapture>::reset
  blink::ImageCapture::onServiceConnectionError
  mojo::internal::Router::OnConnectionError

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=391023:391189

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97_iSoRm467yPxwB1gLlynLv9QIKsDhyNPXOpmZhaF6nrN_vGRjEIrE36mZWnBcs3agw0Jyry0CDy06EctxY5BDQ8mHsSbG4-uNnPvctZAhUBhccEu95-l-Gv9b45ie3j94QT2yf-t0wkcxLSejixDCrxJr2w

<canvas id='canvas0'>
<script>
var stream = canvas0.captureStream();
var capturer = new ImageCapture(stream.getVideoTracks()[0]);
</script>

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 12 2016
Jun 12 2016
Jun 12 2016
Jun 13 2016
Jun 15 2016
Lowering prio since this code is all behind the chrome://flags/#enable-experimental-web-platform-features flag, so is probably used by just a handful of developers.
Jun 15 2016
Jun 15 2016
Jun 16 2016
Jun 16 2016
Any update on this bug as it is marked as M52 stable blocker?
Jun 16 2016
Like I said in #6, this code is behind the flag chrome://flags/#enable-experimental-web-platform-features. sheriffbot@ put the stable blocker label in #9; removing.
Jun 17 2016
Jun 17 2016
Argh! releaseblock-stable again! How can I prevent sheriffbot@ from adding it again?
Jun 17 2016
In this case, by updating security impact to None, which indicates that it's not a bug in a component that's enabled by default. ReleaseBlock-NA would also work.
Jun 21 2016
Jun 21 2016
From the stack it looks like the mojo::InterfacePtr that blink::ImageCapture is holding has become invalid. That would be possible if the ImageCapture had been freed, but since we used WeakPersistentThisPointer, the WTF::Function shouldn't have been called in this case.
#0 0x10aee13a8 in swap<media::mojom::blink::ImageCaptureProxy *> third_party/llvm-build/Release+Asserts/include/c++/v1/type_traits:4423:9
#1 0x10aee13a8 in Swap mojo/public/cpp/bindings/lib/interface_ptr_state.h:92
#2 0x10aee13a8 in mojo::InterfacePtr<media::mojom::blink::ImageCapture>::reset() mojo/public/cpp/bindings/interface_ptr.h:121
#3 0x10aee0a35 in blink::ImageCapture::onServiceConnectionError() third_party/WebKit/Source/modules/imagecapture/ImageCapture.cpp:197:15
#4 0x10aee79e4 in operator()<> third_party/WebKit/Source/wtf/Functional.h:188:16
#5 0x10aee79e4 in callInternal<0> third_party/WebKit/Source/wtf/Functional.h:350
#6 0x10aee79e4 in WTF::PartBoundFunctionImpl<(WTF::FunctionThreadAffinity)1, std::__1::tuple<blink::WeakPersistentThisPointer<blink::ImageCapture>&&>, WTF::FunctionWrapper<void (blink::ImageCapture::*)()> >::operator()() third_party/WebKit/Source/wtf/Functional.h:341
#7 0x1087d1218 in Run mojo/public/cpp/bindings/callback.h:82:24
#8 0x1087d1218 in mojo::internal::Router::OnConnectionError() mojo/public/cpp/bindings/lib/router.cc:312
#9 0x1087b03d4 in Run mojo/public/cpp/bindings/callback.h:82:24
#10 0x1087b03d4 in mojo::internal::Connector::HandleError(bool, bool) mojo/public/cpp/bindings/lib/connector.cc:342
#11 0x1087b1327 in OnHandleReadyInternal mojo/public/cpp/bindings/lib/connector.cc:226:5
#12 0x1087b1327 in mojo::internal::Connector::OnWatcherHandleReady(unsigned int) mojo/public/cpp/bindings/lib/connector.cc:209
#13 0x1087e2485 in Run base/callback.h:397:12
#14 0x1087e2485 in OnHandleReady mojo/public/cpp/system/watcher.cc:122
#15 0x1087e2485 in mojo::Watcher::MessageLoopObserver::WillDestroyCurrentMessageLoop() mojo/public/cpp/system/watcher.cc:32
#16 0x10537a084 in base::MessageLoop::~MessageLoop() base/message_loop/message_loop.cc:173:3
#17 0x10537b66d in ~MessageLoop base/message_loop/message_loop.cc:138:29
#18 0x10537b66d in base::MessageLoop::~MessageLoop() base/message_loop/message_loop.cc:138
#19 0x110169717 in operator() third_party/llvm-build/Release+Asserts/include/c++/v1/memory:2540:13
#20 0x110169717 in reset third_party/llvm-build/Release+Asserts/include/c++/v1/memory:2746
#21 0x110169717 in content::RenderThreadImpl::Shutdown() content/renderer/render_thread_impl.cc:965
#22 0x10f78c9b6 in content::ChildProcess::~ChildProcess() content/child/child_process.cc:72:19
#23 0x1102032e4 in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:210:3
#24 0x1051228dc in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:787:12
#25 0x10512042d in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:20:28
#26 0x105040ed2 in ContentMain
#27 0x1042e2c13 in start
#16 0x1a (<unknown module>)
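To make the reasoning in the comment above concrete, here is an added, self-contained C++ illustration of the weak-this guard it relies on. It is not Chromium code: FakeRouter and ImageCaptureLike are stand-ins written for this example, and std::weak_ptr plays the role of WeakPersistentThisPointer. A connection-error callback bound with a weak reference runs normally while its owner is alive and is skipped, rather than touching freed memory, when the error fires after the owner is gone (for instance during message-loop teardown, as in the stack above).

```cpp
// Added example; FakeRouter and ImageCaptureLike are hypothetical stand-ins,
// not Chromium's mojo::internal::Router or blink::ImageCapture.
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the side that owns the pipe and fires the connection-error
// handler. It may outlive the object that registered the handler.
class FakeRouter {
 public:
  void SetConnectionErrorHandler(std::function<void()> handler) {
    handler_ = std::move(handler);
  }
  // Simulates the pipe breaking, e.g. while the message loop is being torn down.
  void OnConnectionError() {
    if (handler_) handler_();
  }

 private:
  std::function<void()> handler_;
};

// Stand-in for an object that binds a connection-error callback to itself.
// The callback holds a std::weak_ptr (the example's equivalent of
// WeakPersistentThisPointer) and only dereferences the owner if it still exists.
class ImageCaptureLike : public std::enable_shared_from_this<ImageCaptureLike> {
 public:
  explicit ImageCaptureLike(std::vector<std::string>* log) : log_(log) {}

  // Must be called on an instance already owned by a std::shared_ptr.
  void Bind(FakeRouter* router) {
    std::weak_ptr<ImageCaptureLike> weak_this = shared_from_this();
    std::vector<std::string>* log = log_;  // the log outlives this object
    router->SetConnectionErrorHandler([weak_this, log] {
      if (auto self = weak_this.lock()) {
        self->OnServiceConnectionError();
      } else {
        // Owner already destroyed: skip instead of calling into freed memory.
        log->push_back("skipped: owner destroyed");
      }
    });
  }

  void OnServiceConnectionError() {
    service_bound_ = false;  // the real code resets its InterfacePtr here
    log_->push_back("handled: service connection error");
  }

  bool service_bound() const { return service_bound_; }

 private:
  std::vector<std::string>* log_;
  bool service_bound_ = true;
};

// Error fires while the owner is alive: the handler runs on the live object.
std::vector<std::string> ErrorWhileAlive() {
  std::vector<std::string> log;
  FakeRouter router;
  auto capture = std::make_shared<ImageCaptureLike>(&log);
  capture->Bind(&router);
  router.OnConnectionError();
  return log;
}

// Error fires after the owner was destroyed: lock() fails and the callback
// body is skipped, which is the behaviour the comment expects of the weak guard.
std::vector<std::string> ErrorAfterDestruction() {
  std::vector<std::string> log;
  FakeRouter router;
  {
    auto capture = std::make_shared<ImageCaptureLike>(&log);
    capture->Bind(&router);
  }  // last shared_ptr dropped here; the router still holds the callback
  router.OnConnectionError();
  return log;
}

int main() {
  for (const auto& line : ErrorWhileAlive()) std::cout << line << "\n";
  for (const auto& line : ErrorAfterDestruction()) std::cout << line << "\n";
  return 0;
}
```

The point of the second function is the one the comment makes: with a weak guard in place, a late connection-error notification should never reach a destroyed object, so a crash inside the handler points at the guard not covering the path actually taken rather than at the callback being fired too late.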
Jun 22 2016
So I just got bug 622298. It sounds like this might be hitting the same thing, whatever that is.
Jun 22 2016
Hmm nevermind. It's probably not the same thing.
Jul 2 2016
ClusterFuzz has detected this issue as fixed in range 403412:403423.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4771448996757504

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x7eb0df02dd70
Crash State:
  mojo::InterfacePtr<media::mojom::blink::ImageCapture>::reset
  blink::ImageCapture::onServiceConnectionError
  mojo::internal::Router::OnConnectionError

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=391023:391189
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=403412:403423

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97_iSoRm467yPxwB1gLlynLv9QIKsDhyNPXOpmZhaF6nrN_vGRjEIrE36mZWnBcs3agw0Jyry0CDy06EctxY5BDQ8mHsSbG4-uNnPvctZAhUBhccEu95-l-Gv9b45ie3j94QT2yf-t0wkcxLSejixDCrxJr2w?testcase_id=4771448996757504

<canvas id='canvas0'>
<script>
var stream = canvas0.captureStream();
var capturer = new ImageCapture(stream.getVideoTracks()[0]);
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 2 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 2 2016
Jul 18 2016
Issue 629002 has been merged into this issue.
Jul 18 2016
Bug 619376 is the same crash, but it doesn't look fixed at the moment. Could you please take a look?
Nov 23 2016
Mar 6 2017
#23: I'm not sure what you mean, you said " Bug 619376 is the same crash"... as this one? But this one is 619376 :-) Anyway marking this issue as Fixed as per #19, please reopen if needed.
Jun 13 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Jun 12 2016
Owner: mcasas@chromium.org
Status: Assigned (was: Available)