Direct-leak in std::__1::unique_ptr<WTF::Function<base::internal::MakeUnboundRunTypeImpl<void |
|||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6703427791093760 Fuzzer: bj_broddelwerk Job Type: linux_lsan_chrome_mp Platform Id: linux Crash Type: Direct-leak Crash Address: Crash State: std::__1::unique_ptr<WTF::Function<base::internal::MakeUnboundRunTypeImpl<void blink::HTMLDocumentParser::startBackgroundParser blink::HTMLDocumentParser::appendBytes Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=393856:393893 Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96QtD4i1vF9LiQegeu3IfTku3kD8e9nkXyU8LKATdiMnaBuXfUGkdDPNQh8NYsS-FDz5D2yCOyBNQUTBG_76H-SY0rxErGnyDvbrvGluP2kg3BreG6XNQBXui12IvbFoSYrMC7fFg49g7YOMfnB_Uo9f8dVTnux0gHceaRsq7EjYfxDSyI?testcase_id=6703427791093760 Additional requirements: Requires Gestures Filer: kavvaru See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 13 2016
Moving this nonessential bug to the next milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 13 2016
,
Jul 13 2016
Let's move this on the triage queue. Looks like this is leaking MediaValuesCached mediaType.
,
Jul 18 2016
Hm, I reprod with the given build, but when I tried at Linux TOT (#405981) LSAN reported a LOT of leaks. Too many to be really actionable and it makes me question the report. Might look into reproing on Mac if I have time.
,
Jul 29 2016
LSAN is supported only on x86_64 linux, I couldn't build this on my local Mac (and I don't have good access to other machines right now :( ). kouhei@, yoav@ or csharrison@ do you think either of you could look into this one further and see if it's a real issue we need to fix?
,
Jul 29 2016
on TOTT (#408635) I ran this: ASAN_OPTIONS="detect_leaks=1 symbolize=1" python ~/clusterfuzz/src/tools/on_demand/run_gestures_on_device_local.py --config ~/Downloads/config_6703427791093760.zip --build ~/chromium/src/out/asan/ --verbose with args.gn: is_asan = true enable_nacl = false is_debug = false use_goma = true and I feel like LSAN thinks we practically leaked the entire render process. Attached is the dump.
,
Jul 30 2016
+inferno, is there a precedent to LSAN leak explosions in the renderer? I'm not sure what to make of this.
,
Jul 30 2016
It's leaking a Document, so expect to see all the allocations that's reachable from it in the report. Notice that Document itself won't be reported as a leak, as it is in the Oilpan heap, which we don't attempt to have cleaned out completely before LSan kicks in. The testcase might show a leak with the LeakDetector also, given that it is a document? --enable-leak-detection w/out LSan to find out.
,
Aug 1 2016
sigbjornf@, thanks for the insight. I reproduced with ASAN_OPTIONS="detect_leaks=0" and passing --enable-leak-detection into the testcase config. I received a very similar leak result with those parameters. What is the real difference here? Seems like --enable-leak-detection is still seeing the (fake) Document leak.
,
Aug 2 2016
random idea from your friendly bug triage: could this be a heap corruption that reveals itself as a leak? Could we feed the same testcase to the regular ASan?
,
Aug 3 2016
,
Aug 5 2016
csharrison: since you already invested some time into it, can you please triage it further? (comment #11 contains a lame idea:)
,
Aug 5 2016
Yeah no problem. I don't have an asan build handy with me right now but I think I tried that and it didn't find anything until I added --enable-leak-detection or LSAN options.
,
Aug 14 2016
ClusterFuzz has detected this issue as fixed in range 411875:411885. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6703427791093760 Fuzzer: bj_broddelwerk Job Type: linux_lsan_chrome_mp Platform Id: linux Crash Type: Direct-leak Crash Address: Crash State: std::__1::unique_ptr<WTF::Function<base::internal::MakeUnboundRunTypeImpl<void blink::HTMLDocumentParser::startBackgroundParser blink::HTMLDocumentParser::appendBytes Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=396459:396493 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=411875:411885 Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96QtD4i1vF9LiQegeu3IfTku3kD8e9nkXyU8LKATdiMnaBuXfUGkdDPNQh8NYsS-FDz5D2yCOyBNQUTBG_76H-SY0rxErGnyDvbrvGluP2kg3BreG6XNQBXui12IvbFoSYrMC7fFg49g7YOMfnB_Uo9f8dVTnux0gHceaRsq7EjYfxDSyI?testcase_id=6703427791093760 Additional requirements: Requires Gestures See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 14 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Aug 14 2016
So, this wrong. The fixed range shows has: https://codereview.chromium.org/2221193002 Which adds testing configs to put the BackgroundHTMLParser on the main thread on bots. I don't think this should be marked as fixed until that experiment lands on HEAD. The test case should still repro locally.
,
Aug 15 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Feb 10 2017
And, the experiment landed. |
|||||||||||||
►
Sign in to add a comment |
|||||||||||||
Comment 1 by kavvaru@chromium.org
, Jul 13 2016Labels: Te-Logged M-53
Owner: nduca@chromium.org
Status: Assigned (was: Available)