New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 627820 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Regression



Sign in to add a comment

Crash in blink::ThreadState::getPersistentRegion

Project Member Reported by ClusterFuzz, Jul 13 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6417573642240000

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::ThreadState::getPersistentRegion
  blink::PersistentBase<blink::Geolocation,
  base::internal::Invoker<base::internal::BindState<void
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=403412:403423

Minimized Testcase (6.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97L3fGlg3yllUeWMaJ_aZhfYV3ghGw4foNDNGacJWfmA98jKzfbQ8iyB7loZzRcWvu7IDbWwdkYapfgEySpqGr_yfp6jai9LlTiWruUBd7SNiPL22CqW9SVTNuoXsLRspSVkS2ZYlCPf4wNm1ug5W2CaGiZ0g?testcase_id=6417573642240000

Additional requirements: Requires Gestures

Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: haraken@chromium.org
Components: Blink>Location
Labels: -Type-Bug M-54 findit-for-crash Te-Logged Type-Bug-Regression
Owner: sigbjo...@opera.com
Status: Assigned (was: Available)
Suspecting:

Author: sigbjornf
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/3e5bcb132b1af136ba6faa1c152dcba2c298549f
Time: Mon May 23 14:28:16 2016
The CL last changed line 64 of file Persistent.h, which is stack frame 3.

@sigbjornf: Could you please look into this issue.

Thank you.

Comment 2 by sigbjo...@opera.com, Jul 14 2016

Cc: sigbjo...@opera.com
Owner: tzik@chromium.org
It is not too interesting to look for suspects at the top of the stack for these kinds of bugs..

Re-assigning to tzik@ -- a (too) late shutdown of a geolocation callback object. A latent problem perhaps, but its intro is related to  https://codereview.chromium.org/2091713002 

Comment 3 by tzik@chromium.org, Jul 14 2016

Cc: tzik@chromium.org
 Issue 628140  has been merged into this issue.
Project Member

Comment 4 by bugdroid1@chromium.org, Jul 14 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/33871d83b7ee98a1aa5692f8f835d44b7da65ef5

commit 33871d83b7ee98a1aa5692f8f835d44b7da65ef5
Author: tzik <tzik@chromium.org>
Date: Thu Jul 14 12:12:06 2016

Pass weak pointer by ref in Bind implementation

Weak pointer in Bind impl is historically passed by value, however when
a blink::WeakPersistent is passed as a receiver of a method after
blink::ThreadState is destroyed, it can no longer be copied and causes
crash.

BUG= 627820 

Review-Url: https://codereview.chromium.org/2145383002
Cr-Commit-Position: refs/heads/master@{#405475}

[modify] https://crrev.com/33871d83b7ee98a1aa5692f8f835d44b7da65ef5/base/bind_internal.h

Project Member

Comment 5 by ClusterFuzz, Jul 14 2016

ClusterFuzz has detected this issue as fixed in range 405467:405481.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6417573642240000

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::ThreadState::getPersistentRegion
  blink::PersistentBase<blink::Geolocation,
  base::internal::Invoker<base::internal::BindState<void
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=403412:403423
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=405467:405481

Minimized Testcase (6.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97L3fGlg3yllUeWMaJ_aZhfYV3ghGw4foNDNGacJWfmA98jKzfbQ8iyB7loZzRcWvu7IDbWwdkYapfgEySpqGr_yfp6jai9LlTiWruUBd7SNiPL22CqW9SVTNuoXsLRspSVkS2ZYlCPf4wNm1ug5W2CaGiZ0g?testcase_id=6417573642240000

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Jul 14 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: Blink>Geolocation
Components: -Blink>Location

Sign in to add a comment