it != device_change_subscribers_.end() in media_stream_dispatcher_host.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6327233753120768

Fuzzer: ipc_fuzzer_gen
Job Type: windows_asan_chrome_ipc
Platform Id: windows

Crash Type: CHECK failure
Crash Address:
Crash State:
  it != device_change_subscribers_.end() in media_stream_dispatcher_host.cc

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94zKZV66znxnpTTvGUBtXsuVFP53LSJb4BHtTr_dThOYQwbJjO0HR1iFdqJ6mJN09g0XCFbrMXip5PrCcBOL6ydYBdrhz19tLILcCt8jOUAAwcKsJnh6Z8OKGNmvkjTRFoSXo8NuEdZrrbBj3uIps42qH4KpjSONb3suIu4IMEVqQKKSBY?testcase_id=6327233753120768

Filer: vishwath

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 1 2016
Jul 11 2016
I can't access the detailed report at https://cluster-fuzz.appspot.com/testcase?key=6327233753120768. Can anybody paste the call stack here?
Jul 13 2016
I also cannot open the test case. Page simply says "Invalid test case!" vishwath@, can you help fix the link?
Jul 13 2016
Jul 13 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4958465709834240

Fuzzer: ipc_fuzzer_gen
Job Type: windows_asan_chrome_ipc
Platform Id: windows

Crash Type: CHECK failure
Crash Address:
Crash State:
  it != device_change_subscribers_.end() in media_stream_dispatcher_host.cc
  content::MediaStreamDispatcherHost::OnCancelDeviceChangeNotifications
  IPC::MessageT<MediaStreamHostMsg_CancelDeviceChangeNotifications_Meta,std::tuple

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome_ipc&range=404561:404562

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96QJKX4QOJcLtHaJu7IW6wnpjCnQsNIFqP5F6SXW1sE0a7A3V1_yCipo8FHkBuK_Kry4ZCAWQuWrwD6yVQZkAJaheGNsFkb_smismN3d_cqDQGIOpq9pZ_mxB0wxeOqEi_nvXilQTEkr6D853HWAFgRMt4uBsVZx_e2fj-UytcvHCkjE7I?testcase_id=4958465709834240

Filer: mbarbella

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 13 2016
Assigning to guidou@, who seems to have added this CHECK.

Stack trace is:

[1872:1852:0709/142243:FATAL:media_stream_dispatcher_host.cc(278)] Check failed: it != device_change_subscribers_.end().
Backtrace:
  base::debug::StackTrace::StackTrace [0x80C1AE24+20]
  logging::LogMessage::~LogMessage [0x80AEF02C+300]
  content::MediaStreamDispatcherHost::OnCancelDeviceChangeNotifications [0x84AEDCB1+321]
  IPC::MessageT<MediaStreamHostMsg_CancelDeviceChangeNotifications_Meta,std::tuple<int>,void>::Dispatch<content::MediaStreamDispatcherHost,content::MediaStreamDispatcherHost,void,void (__thiscall content::MediaStreamDispatcherHost::*)(int)> [0x84AED734+644]
  content::MediaStreamDispatcherHost::OnMessageReceived [0x84AE894C+2684]
  content::BrowserMessageFilter::Internal::OnMessageReceived [0x847CB9AD+989]
  IPC::MessageFilterRouter::TryFilters [0x8383336E+654]
  IPC::ChannelProxy::Context::TryFilters [0x8380614F+159]
  IPC::ChannelProxy::Context::OnMessageReceived [0x838064B0+16]
  IPC::ChannelMojo::OnMessageReceived [0x837E6F83+915]
  IPC::internal::MessagePipeReader::Receive [0x83826775+1621]
  IPC::mojom::ChannelStub::Accept [0x838387A7+2647]
  mojo::InterfaceEndpointClient::HandleValidatedMessage [0x83846141+321]
  IPC::mojom::ChannelRequestValidator::Accept [0x8383955F+511]
  mojo::internal::MultiplexRouter::ProcessIncomingMessage [0x83859B36+966]
  mojo::internal::MultiplexRouter::Accept [0x83858A75+309]
  mojo::MessageHeaderValidator::Accept [0x83877048+1064]
  mojo::Connector::ReadSingleMessage [0x83878FBA+522]
  mojo::Connector::OnWatcherHandleReady [0x83879CC3+307]
  base::internal::Invoker<base::internal::BindState<void (__thiscall content::PepperLookupRequest<ppapi::host::ReplyMessageContext>::*)(int),base::internal::UnretainedWrapper<content::PepperLookupRequest<ppapi::host::ReplyMessageContext> > >,void __cdecl(in [0x859687C7+71]
  mojo::Watcher::CallOnHandleReady [0x83882577+503]
  mojo::edk::Core::Watch [0x8394060B+1259]
  base::internal::Invoker<base::internal::BindState<void (__cdecl*)(void (__cdecl*)(unsigned int,unsigned int,MojoHandleSignalsState,unsigned int),unsigned int,unsigned int,mojo::edk::HandleSignalsState const &,unsigned int),void (__cdecl*)(unsigned int,uns [0x8394B46A+122]
  mojo::edk::Watcher::MaybeInvokeCallback [0x839B6651+273]
  mojo::edk::RequestContext::~RequestContext [0x8397ADCA+570]
  mojo::edk::NodeChannel::OnChannelMessage [0x839B055E+6574]
  mojo::edk::Channel::OnReadComplete [0x839B50B6+1526]
  mojo::edk::Channel::Create [0x839BAAC1+12657]
  base::MessagePumpForIO::WaitForIOCompletion [0x80CA334D+1453]
  base::MessagePumpForIO::DoRunLoop [0x80CA27BC+332]
  base::MessagePumpWin::Run [0x80C9DDFC+460]
  base::MessageLoop::RunHandler [0x80AF7896+70]
  base::RunLoop::Run [0x80C11030+480]
  base::Thread::Run [0x80B26038+136]
  content::BrowserThreadImpl::IOThreadRun [0x846B7C4C+188]
  content::BrowserThreadImpl::Run [0x846B81FE+958]
  base::Thread::ThreadMain [0x80B263F7+839]
  base::PlatformThread::GetCurrentThreadPriority [0x80BAC907+567]
  __asan::AsanThread::ThreadStart [0x0233130E+142]
  __asan::PlatformTSDDtor [0x0232CF1E+142]
  BaseThreadInitThunk [0x754E7C04+36]
  RtlInitializeExceptionChain [0x7768AB8F+143]
  RtlInitializeExceptionChain [0x7768AB5A+90]
  (No symbol) [0x00000000]

Jul 13 2016
Jul 13 2016
FYI: Links in comment 6 all work. Original links are busted.
Jul 15 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a1cf8423d5032e9fc3d463ca7f36f9e282d2d29d

commit a1cf8423d5032e9fc3d463ca7f36f9e282d2d29d
Author: guidou <guidou@chromium.org>
Date: Fri Jul 15 01:23:51 2016

Improve handling of invalid frame ID in MSDH::OnCancelDeviceChangeNotifications

Use bad_message::ReceivedBadMessage() to handle an invalid frame ID passed via IPC.

BUG=624447, 627436
Review-Url: https://codereview.chromium.org/2149943002
Cr-Commit-Position: refs/heads/master@{#405663}

[modify] https://crrev.com/a1cf8423d5032e9fc3d463ca7f36f9e282d2d29d/content/browser/bad_message.h
[modify] https://crrev.com/a1cf8423d5032e9fc3d463ca7f36f9e282d2d29d/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
[modify] https://crrev.com/a1cf8423d5032e9fc3d463ca7f36f9e282d2d29d/tools/metrics/histograms/histograms.xml
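
The pattern the commit message above describes, as an added example that is not Chromium's code: a browser-side handler treats a cancel for an ID it never registered as a bad message from the renderer rather than a CHECK that aborts the browser. `DeviceChangeHost`, its callback and the integer frame IDs are hypothetical stand-ins; the callback models the role of bad_message::ReceivedBadMessage().

```cpp
#include <algorithm>
#include <functional>
#include <string>
#include <vector>

// Simplified model of a browser-side host serving one renderer.
// All names are hypothetical; this is not Chromium source.
class DeviceChangeHost {
 public:
  using BadMessageFn = std::function<void(const std::string&)>;
  // report stands in for the role of bad_message::ReceivedBadMessage().
  explicit DeviceChangeHost(BadMessageFn report) : report_(report) {}
  void OnSubscribe(int frame_id) {
    if (!sender_killed_) subscribers_.push_back(frame_id);
  }
  // Returns true when the cancel matched a live subscription.
  bool OnCancel(int frame_id) {
    if (sender_killed_) return false;  // nothing more is accepted from it
    auto it = std::find(subscribers_.begin(), subscribers_.end(), frame_id);
    if (it == subscribers_.end()) {
      // A CHECK here would abort the privileged process on input the
      // renderer controls. Penalize the sender and drop its state instead.
      sender_killed_ = true;
      subscribers_.clear();
      report_("cancel for unsubscribed frame " + std::to_string(frame_id));
      return false;
    }
    subscribers_.erase(it);
    return true;
  }
  bool sender_killed() const { return sender_killed_; }
  int subscriber_count() const { return static_cast<int>(subscribers_.size()); }

 private:
  BadMessageFn report_;
  std::vector<int> subscribers_;
  bool sender_killed_ = false;
};

// Replays a constructed message sequence and returns the reports raised.
std::vector<std::string> ReplayConstructedSequence() {
  std::vector<std::string> reports;
  DeviceChangeHost host([&reports](const std::string& r) { reports.push_back(r); });
  host.OnSubscribe(7);
  host.OnCancel(7);     // valid: frame 7 is subscribed
  host.OnCancel(7);     // invalid: already cancelled, sender is penalized
  host.OnSubscribe(9);  // ignored: the sender has been dropped
  return reports;
}
```
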
Jul 15 2016
Jul 16 2016
See also:
https://cluster-fuzz.appspot.com/testcase?key=5917365846147072
https://cluster-fuzz.appspot.com/testcase?key=4958465709834240
https://cluster-fuzz.appspot.com/testcase?key=4616129016496128
Jul 18 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c75a1fcd1aa65d58972dcc321a37e0083d682358

commit c75a1fcd1aa65d58972dcc321a37e0083d682358
Author: Guido Urdaneta <guidou@chromium.org>
Date: Mon Jul 18 21:42:55 2016

Improve handling of invalid frame ID in MSDH::OnCancelDeviceChangeNotifications

Use bad_message::ReceivedBadMessage() to handle an invalid frame ID passed via IPC.

BUG=624447, 627436
Review-Url: https://codereview.chromium.org/2149943002
Cr-Commit-Position: refs/heads/master@{#405663}
(cherry picked from commit a1cf8423d5032e9fc3d463ca7f36f9e282d2d29d)

Review URL: https://codereview.chromium.org/2157933004 .
Cr-Commit-Position: refs/branch-heads/2785@{#201}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[modify] https://crrev.com/c75a1fcd1aa65d58972dcc321a37e0083d682358/content/browser/bad_message.h
[modify] https://crrev.com/c75a1fcd1aa65d58972dcc321a37e0083d682358/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
[modify] https://crrev.com/c75a1fcd1aa65d58972dcc321a37e0083d682358/tools/metrics/histograms/histograms.xml
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by brajkumar@chromium.org, Jul 1 2016