New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 628856 link

Starred by 2 users
Status: WontFix
Owner: ----
Closed: Dec 2016
Cc:
a...@chromium.org
creis@chromium.org
nasko@chromium.org
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug



Sign in to add a comment

NULL dereference in NavigationControllerImpl::ClassifyNavigation()

Project Member Reported by thestig@chromium.org, Jul 16 2016 
Seen on Clusterfuzz: https://cluster-fuzz.appspot.com/testcase?key=5810505969303552

#0 0x7f82fac1e953 in operator-> buildtools/third_party/libc++/trunk/include/memory:2713:83
#1 0x7f82fac1e953 in site_instance content/browser/frame_host/navigation_entry_impl.h:231
#2 0x7f82fac1e953 in content::NavigationControllerImpl::ClassifyNavigation(content::RenderFrameHostImpl*, FrameHostMsg_DidCommitProvisionalLoad_Params const&) const content/browser/frame_host/navigation_controller_impl.cc:1016
#3 0x7f82fac1d018 in content::NavigationControllerImpl::RendererDidNavigate(content::RenderFrameHostImpl*, FrameHostMsg_DidCommitProvisionalLoad_Params const&, content::LoadCommittedDetails*) content/browser/frame_host/navigation_controller_impl.cc:823:19
#4 0x7f82fb6f0a66 in content::NavigatorImpl::DidNavigate(content::RenderFrameHostImpl*, FrameHostMsg_DidCommitProvisionalLoad_Params const&) content/browser/frame_host/navigator_impl.cc:573:36
#5 0x7f82fac5a6a6 in content::RenderFrameHostImpl::OnDidCommitProvisionalLoad(IPC::Message const&) content/browser/frame_host/render_frame_host_impl.cc:1179:35

Comment 1 by thestig@chromium.org, Jul 16 2016 

Whoops, wrong link / stack trace. I'll refile it and update this bug.
Project Member

Comment 2 by ClusterFuzz, Jul 16 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5810505969303552

Fuzzer: ipc_fuzzer_mut
Job Type: linux_asan_chrome_ipc
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000008
Crash State:
  content::NavigationControllerImpl::ClassifyNavigation
  content::NavigationControllerImpl::RendererDidNavigate
  content::NavigatorImpl::DidNavigate
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_ipc&range=394867:394956

Minimized Testcase (45.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97qJAH59H-NbSSjdnWrzftdhOfRubcw-tz8kjeSvC3cQpmeLcSrjOsTiK2NisD3F0tC-OCuMtIGUvTaXBukLAn3U0vc9eCpZNXz5mfd4I2RBGBw3wJIXN2Hw8tIn_Nu41t5-KNL9rPDSxObZoS_cUQuRNfUGmLmydVTHlPSAhRJ6_YAfXo?testcase_id=5810505969303552

Filer: thestig

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 3 by thestig@chromium.org, Jul 16 2016

Cc: -pkotw...@chromium.org creis@chromium.org a...@chromium.org
Filed  bug 628857 ... for OnUpdateFaviconURL(), updating this bug.

Comment 4 by a...@chromium.org, Jul 16 2016

Summary: NULL dereference in NavigationControllerImpl::ClassifyNavigation() (was: NULL dereference in WebContentsImpl::OnUpdateFaviconURL())
:\
Project Member

Comment 5 by ClusterFuzz, Dec 5 2016

Status: WontFix (was: Untriaged)
ClusterFuzz testcase is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment