Corrupt-block in _free_base
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5013187590356992
Fuzzer: inferno_canvas_wrecker
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: Corrupt-block
Crash Address: 0x7fff1000
Crash State:
  _free_base
  sk_free_releaseproc
  content::IndexedDBDispatcher::WillStopCurrentWorkerThread
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=399530:399564
Minimized Testcase (13.47 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94jDB87Bb7O0H0gmkR_VyBn9MbLul0Gc5FBSHbfrvRQUDpYl1xD1onyOemfqosnri2K35TRp0YGY3UQsNWNTeiQTWYs7eanF8Voiy10j-e9yIt_U4OQm8xO454XNsVSDxcMa3-OUZz1Q8v3jqMRh7PUhsQO-w
Filer: inferno
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 16 2016
bsalomon, could you please take a look at this security bug and/or route it to the right person? Thanks!
Jun 17 2016
Jun 17 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 17 2016
Jun 18 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5095036077473792
Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: Corrupt-block
Crash Address: 0x7fff1000
Crash State:
  _free_base
  sk_free_releaseproc
  ui::AXNode::Destroy
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=400221:400252
Minimized Testcase (0.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ZMo5d0vraRb5MYlM0_8aud1j7VlRkNd9CeecFEBImnRSuyHrin-N5hNG0_NWYfWBQ--31hhYtpnhQbq6yRzkvkKzUSSpIJ8BZCKV4l-3Aa5PiK_gHdJlB_WThKPcMQUsHC2mXK0-WSx1yYqXPdqxNoBDK-w?testcase_id=5095036077473792
Filer: inferno
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 18 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5356664714952704
Fuzzer: inferno_canvas_wrecker
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: Corrupt-block
Crash Address: 0x7fffa030
Crash State:
  _free_base
  sk_free_releaseproc
  SkRefCntBase::internal_dispose
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=399984:400002
Minimized Testcase (13.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94QiwH-MlJAsb4sdYGkYQRksudFZrNfYM_kpop5lMH9l0juJOn3GYBqfqmC0RIVeXYThgm4YwppW_virO8T4BrPXqJrvhZYz48svhD39Uvr3c1RE-tg_S0rVNig1WLuWdTYp9IKt6Gi_2Uet8bNSfSBk0iq6Q?testcase_id=5356664714952704
Additional requirements: Requires HTTP
Filer: inferno
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 18 2016
These corrupt-block crashes are very problematic for ClusterFuzz; regression ranges are all wrong due to only reproducing in that specific crash revision, and then crash stacks change slightly.
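The "Corrupt-block" crash type in the reports above means the sanitizer runtime found a damaged block header or guard at the moment the block was freed, which is why every stack in this thread bottoms out in _free_base / sk_free_releaseproc with a different caller on top: the report is attributed to whoever frees the block, not to the code that damaged it, and the freeing site moves from run to run. The following is an added example, not Chromium, Skia or Syzygy/SyzyASan code, that models that check in a deliberately simplified form: a header with magic and checksum plus a trailer guard word, both verified on free. The names guarded_malloc, guarded_free, guarded_check and the demo_* scenarios, and the bugs the scenarios contain, are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of an ASan-style guarded heap block (added example, not
 * Syzygy/SyzyASan, Chromium or Skia code). Each allocation carries a header
 * (magic + body size + checksum over those two fields) and a trailer guard.
 * The check runs at free time, so a report names the freeing call site, not
 * the code that performed the out-of-bounds write. */

#define BLOCK_MAGIC   0xCAFEB10Cu
#define TRAILER_MAGIC 0xDEADBEEFu

enum block_state { BLOCK_OK = 0, BLOCK_CORRUPT_HEADER = 1, BLOCK_CORRUPT_TRAILER = 2 };

typedef struct {
    uint32_t magic;
    uint32_t body_size;
    uint32_t checksum;   /* FNV-1a over magic and body_size */
} block_header;

static uint32_t fnv1a(const void *data, size_t n, uint32_t h) {
    const unsigned char *b = (const unsigned char *)data;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= 16777619u;
    }
    return h;
}

static uint32_t header_checksum(const block_header *h) {
    uint32_t c = 2166136261u;
    c = fnv1a(&h->magic, sizeof h->magic, c);
    c = fnv1a(&h->body_size, sizeof h->body_size, c);
    return c;
}

/* Allocate n bytes of body surrounded by the header and the trailer guard. */
void *guarded_malloc(size_t n) {
    block_header *h = (block_header *)malloc(sizeof *h + n + sizeof(uint32_t));
    if (h == NULL) return NULL;
    h->magic = BLOCK_MAGIC;
    h->body_size = (uint32_t)n;
    h->checksum = header_checksum(h);
    uint32_t t = TRAILER_MAGIC;
    memcpy((unsigned char *)(h + 1) + n, &t, sizeof t);   /* memcpy: trailer may be unaligned */
    return h + 1;
}

/* Validate a live block; returns one of enum block_state. */
int guarded_check(const void *p) {
    const block_header *h = (const block_header *)p - 1;
    if (h->magic != BLOCK_MAGIC || h->checksum != header_checksum(h))
        return BLOCK_CORRUPT_HEADER;        /* underflow or metadata smash */
    uint32_t t;
    memcpy(&t, (const unsigned char *)p + h->body_size, sizeof t);
    if (t != TRAILER_MAGIC)
        return BLOCK_CORRUPT_TRAILER;       /* write past the end of the body */
    return BLOCK_OK;
}

/* Free with verification. The diagnostic can only name the freeing site (the
 * analogue of _free_base / sk_free_releaseproc in the reports). Returns the
 * block state; a real runtime would abort on corruption instead of returning. */
int guarded_free(void *p, const char *freeing_site) {
    int state = guarded_check(p);
    if (state != BLOCK_OK)
        fprintf(stderr, "Corrupt-block detected in %s (state %d)\n", freeing_site, state);
    free((block_header *)p - 1);
    return state;
}

/* Constructed scenario 1: well-behaved use of a 16-byte body. */
int demo_clean_block(void) {
    unsigned char *buf = (unsigned char *)guarded_malloc(16);
    if (buf == NULL) return -1;
    memset(buf, 0x41, 16);
    return guarded_free(buf, "demo_release_proc");
}

/* Constructed scenario 2: one word written past the end of the body clobbers
 * the trailer. Nothing is reported until the block is freed elsewhere. */
int demo_overflow_detected_at_free(void) {
    unsigned char *buf = (unsigned char *)guarded_malloc(16);
    if (buf == NULL) return -1;
    uint32_t junk = 0;
    memcpy(buf + 16, &junk, sizeof junk);  /* constructed off-by-one-word overflow */
    return guarded_free(buf, "demo_release_proc");
}

/* Constructed scenario 3: a write just before the body overwrites the header
 * checksum, so the header no longer verifies. */
int demo_underflow_detected_at_free(void) {
    unsigned char *buf = (unsigned char *)guarded_malloc(16);
    if (buf == NULL) return -1;
    memset(buf - sizeof(uint32_t), 0xFF, sizeof(uint32_t));  /* constructed underflow */
    return guarded_free(buf, "demo_release_proc");
}
```

Both corrupting scenarios return a non-zero state from guarded_free while the write itself goes unnoticed, which is the behaviour the thread is struggling with: the stack at detection time is the release path, the corruption happened earlier and elsewhere, and which release path observes it first depends on allocation order.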
Jun 18 2016
It's probably a real issue, I'll look at these crashes on Monday.
Jun 23 2016
M53 is branching soon and will be promoted to Beta in July. Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix ASAP. Thank you.
Jun 25 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5406437564219392
Fuzzer: inferno_canvas_wrecker
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: Corrupt-block
Crash Address: 0x7fffa030
Crash State:
  _free_base
  sk_free_releaseproc
  content::QuotaDispatcher::WillStopCurrentWorkerThread
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=399164:399271
Minimized Testcase (13.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95L6_i2ExifMnpj680NRpb0tCytA87MJ26GaGFYlI-InufLEtotd1und3RaVHQHZNUj5jls6mI1kQy55DYVhmbI9T1rglnnj4NGuT8iqxTE_opqObBYRzAtQfMHWJssluBFylMbwuMxR3f63Z9-LsrEgBWZqw?testcase_id=5406437564219392
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 28 2016
M53 is branching this week and will be promoted to Beta in July. Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix ASAP. Thank you.
Jun 28 2016
Removing the RB label, as I don't think that it's necessary.
Jun 29 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 29 2016
Removing the RB label again and adding the Fracas-Wrong label to stop Fracas from retagging this bug as RB.
Jun 30 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 1 2016
M53 is branched today (2785) and will be promoted to Beta this month. Your bug is labelled as Beta ReleaseBlock, please make sure to land and merge the fix to M53 branch 2785 by 5:00 PM PST on Friday 07/22 (the sooner the better, so it gets a chance to bake in the M53 dev releases themselves). Thank you.
Jul 2 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5013187590356992
Fuzzer: inferno_canvas_wrecker
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: Corrupt-block
Crash Address: 0x7fff1000
Crash State:
  _free_base
  sk_free_releaseproc
  content::IndexedDBDispatcher::WillStopCurrentWorkerThread
Minimized Testcase (13.47 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94jDB87Bb7O0H0gmkR_VyBn9MbLul0Gc5FBSHbfrvRQUDpYl1xD1onyOemfqosnri2K35TRp0YGY3UQsNWNTeiQTWYs7eanF8Voiy10j-e9yIt_U4OQm8xO454XNsVSDxcMa3-OUZz1Q8v3jqMRh7PUhsQO-w?testcase_id=5013187590356992
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 5 2016
Jul 6 2016
Jul 6 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 6 2016
Jul 7 2016
Why were the Security Impact and Severity labels removed?
Jul 7 2016
Because it looks like a bug in SyzyASan. I'm investigating this, but in the meantime I don't think that it should be considered a security issue.
Jul 8 2016
Ok, changing the bug type away from security to prevent nags and stuff.
Jul 8 2016
Moving this nonessential bug to the next milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 21 2016
Dec 6 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jun 16 2016