
Issue 632306

Starred by 3 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression




false. Leaked 1 URLRequest(s). First URL: file:///mnt/scratch0/clusterfuzz/slave

Project Member Reported by ClusterFuzz, Jul 28 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5184322244182016

Fuzzer: tokenfuzz_pdf_april16
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  false. Leaked 1 URLRequest(s). First URL: file:///mnt/scratch0/clusterfuzz/slave
  net::URLRequestContext::AssertNoURLRequests
  net::URLRequestContext::~URLRequestContext
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=407779:407792

Minimized Testcase (6305.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97a8-ETSTSL5Fo0tDRR_NttNVzA3D6bBExPpnqekuuxJ_h4UqxotKADoO96ldCH3lND9xmrNGCDDAinL7j2ZimE59veQqInJGrLByRhiq4fT0Ko_yeftvYnlmWVkUvCyWK5eaOufhpfb1AMayV7_l5eYwK6IGBNnxH-AF42biQ-x_0XjlM?testcase_id=5184322244182016

Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: mmenke@chromium.org csharrison@chromium.org
Components: Tools>Test>FindIt>NoResult
Labels: -Pri-1 -Type-Bug M-54 findit-wrong Te-Logged Pri-2 Type-Bug-Regression
Owner: nhar...@chromium.org
Status: Assigned (was: Untriaged)
Based on the Code Search for the file - url_request_context.cc

Suspecting the below:

========================================================

Commit - 015b9e49b2b82b72978298e5a44b9f374300f31f

Review URL - https://codereview.chromium.org/2103383002

--------------------------------------------------------

Commit - f31e72ec019d02417b1e5207391d5436ea7391e8

Review URL - https://codereview.chromium.org/1913273003

--------------------------------------------------------

Commit - 8e329d672df2c725b3add82a186f30a1241eee01

Review URL - https://codereview.chromium.org/1523433002

========================================================

@nharper/csharrison/mmenke: Could you please look into this issue?

Thank you.

Comment 2 by mmenke@chromium.org, Jul 28 2016

Cc: nhar...@chromium.org
Components: Internals>Plugins>PDF
Owner: ----
Status: Untriaged (was: Assigned)
Not a network issue.  Something is issuing a request and not destroying it before the network stack is torn down.  Since the test file is a PDF file, I'm assuming it's the request for the PDF file itself that isn't being torn down in time.
Components: -Internals>Plugins>PDF
Not a PDF plugin issue. content_shell doesn't have a built in PDF viewer.

Comment 4 by mmenke@chromium.org, Jul 29 2016

Labels: Needs-Feedback
Think this bug needs some repro instructions.

It's not clear either what "linux_ubsan_vptr_content_shell_drt" is, or how to run it.
Project Member Comment 5 by ClusterFuzz, Aug 14 2016

ClusterFuzz has detected this issue as fixed in range 411891:411894.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5184322244182016

Fuzzer: tokenfuzz_pdf_april16
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  false. Leaked 1 URLRequest(s). First URL: file:///mnt/scratch0/clusterfuzz/slave
  net::URLRequestContext::AssertNoURLRequests
  net::URLRequestContext::~URLRequestContext
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=407779:407792
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=411891:411894

Minimized Testcase (6305.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97a8-ETSTSL5Fo0tDRR_NttNVzA3D6bBExPpnqekuuxJ_h4UqxotKADoO96ldCH3lND9xmrNGCDDAinL7j2ZimE59veQqInJGrLByRhiq4fT0Ko_yeftvYnlmWVkUvCyWK5eaOufhpfb1AMayV7_l5eYwK6IGBNnxH-AF42biQ-x_0XjlM?testcase_id=5184322244182016

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 6 by ClusterFuzz, Aug 14 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Untriaged)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 7 by ajha@chromium.org, Aug 19 2016

Labels: -ClusterFuzz-Verified ClusterFuzz-Wrong
Status: Untriaged (was: Verified)
CF is still complaining, hence reopening this issue for further investigation.
Project Member Comment 8 by ClusterFuzz, Aug 23 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5840748551602176

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  false. Leaked 1 URLRequest(s). First URL: https://www.mydomain.com/?key=value in
  net::URLRequestContext::AssertNoURLRequests
  net::URLRequestContext::~URLRequestContext
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=413421:413430

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95uH6EHH9OdlJ_1WY0_iKKcvAUs1KVaBjvGT9OqVGs4x5dFOX4GRqw3uVVutDP03glHJJtQhlRgCBzyTi-D_xWYa2UXmPNLElveSYV0XXq8EIsf-Ym7EX7QrMMYYBTp5y_Isv6lHJ7KICIIjL-sRzvLkR743Q?testcase_id=5840748551602176


Issue manually filed by: durga.behera

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member Comment 9 by ClusterFuzz, Aug 24 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5260294643515392

Fuzzer: tokenfuzz_pdf_curated
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  false. Leaked 1 URLRequest(s). First URL: file:///mnt/scratch0/clusterfuzz/slave
  net::URLRequestContext::AssertNoURLRequests
  net::URLRequestContext::~URLRequestContext
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96RXywjqw88VUFcM6Ya3xZBL1Bh2GZISB1rYfym1KrTTtmrv7-CObmKquOjPcVQMQs4iqgaaWm8bKUrWK5WpxIrKM-HxBSyqPpRGSs1NeYO8dkFm18NGP9Kpf2qgWrz89Hy1E8UjoWihP63GvygLeKyEqBCbUSWlZIs3dzaLuhDpRQMsYo?testcase_id=5260294643515392


Issue manually filed by: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member Comment 10 by ClusterFuzz, Sep 7 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4815173540118528

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  false. Leaked 1 URLRequest(s). First URL: https://www.mydomain.com/path/ in url_
  net::URLRequestContext::AssertNoURLRequests
  net::URLRequestContext::~URLRequestContext
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=407779:407803

Minimized Testcase (0.33 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96AYnGVcMiSlSWoNek76wifN226nFIEZEsmMGLTI9HIl9UgTM5MGQhanS1kc-xbrOZyh5PleS_96gJQdFD4ucmgFGEcOxV7T9Oby-hFVtTFXu0txlXC1rCOmA3dUwaEm67dg9DMLAdX-coSj91oDpLanAcL8A?testcase_id=4815173540118528
<a id="dl" download="foo.pdf"> is a blob URL.
<script>
function click(elmt)
{
    
    eventSender.mouseMoveTo(elmt.offsetLeft + 5, elmt.offsetTop + 5);
    eventSender.mouseDown();
    eventSender.mouseUp();
}

    var link = document.getElementById("dl");
    link.href = "https://www.mydomain.com/path/";
    click(link);
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Components: -Tools>Test>FindIt>NoResult
Project Member Comment 12 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: msrchandra@chromium.org
Labels: -Needs-Feedback -findit-wrong Test-Predator-Wrong
Owner: xunji...@chromium.org
Status: Assigned (was: Untriaged)
A possible suspect was not found using FindIt and CL.
Using Code Search for "net::URLRequestContext::AssertNoURLRequests", assigning to the concerned owner.

Suspecting the Commit#
https://chromium.googlesource.com/chromium/src/+/96ab36a707e8e8633ec92185bd3f41a5157af83b

@xunjieli -- Could you please look into the issue? Kindly re-assign if this is not related to your changes.
Thank you.
I don't think a CL that landed a week ago is likely to have caused a leak detected in July, 5 months ago.
Cc: xunji...@chromium.org
Components: Internals>Network
Owner: ----
Status: Untriaged (was: Assigned)
Marking this Untriaged so it's in Network triager's queue.

Comment 16 by mef@chromium.org, Dec 16 2016

Labels: Needs-Feedback
net::URLRequestContext::AssertNoURLRequests gets tickled by callers of net/ code not canceling requests before destroying the URLRequestContext.

It seems that the original report (leaking a request to file:///mnt/scratch0/clusterfuzz/slave) and the report from Comment 10 (leaking a request to https://www.mydomain.com/path/) are not related.

I also agree that neither can be caused by commit https://chromium.googlesource.com/chromium/src/+/96ab36a707e8e8633ec92185bd3f41a5157af83b, which landed much later.

Is there a new report with more info from net::URLRequestContext::AssertNoURLRequests?
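The lifetime invariant that Comment 16 describes, as an added illustration rather than Chromium's own code: a context records every live request, each request deregisters itself when it is cancelled or destroyed, and the context verifies at teardown that nothing is still registered. The class names and the string-returning check are simplifications assumed for this example; the real destructor CHECKs and aborts instead of returning.

```cpp
// Added example, not Chromium code: a minimal model of the check behind
// net::URLRequestContext::AssertNoURLRequests. Class names are assumed.
#include <cstddef>
#include <cstdio>
#include <map>
#include <memory>
#include <string>

class Request;

class Context {
 public:
  // The real destructor CHECKs here; this model just reports the result.
  ~Context() { AssertNoRequests(); }
  void Register(const Request* r, const std::string& url) { live_[r] = url; }
  void Unregister(const Request* r) { live_.erase(r); }
  // Returns true when no request is still registered with this context,
  // otherwise prints a message shaped like the CHECK text in the reports.
  bool AssertNoRequests() const {
    if (live_.empty()) return true;
    std::fprintf(stderr, "Leaked %zu URLRequest(s). First URL: %s\n",
                 live_.size(), live_.begin()->second.c_str());
    return false;
  }
 private:
  std::map<const Request*, std::string> live_;  // every live request, by URL
};

class Request {
 public:
  Request(Context* ctx, const std::string& url) : ctx_(ctx) { ctx_->Register(this, url); }
  ~Request() { ctx_->Unregister(this); }  // cancelling/destroying deregisters
 private:
  Context* ctx_;
};

// Correct order: the request is destroyed before the context is torn down.
bool TeardownInOrder() {
  Context ctx;
  auto req = std::make_unique<Request>(&ctx, "file:///constructed/example.pdf");
  req.reset();                    // cancel and destroy the request first
  return ctx.AssertNoRequests();  // true: nothing outstanding
}

// Buggy order from the reports: a request is still alive when the context is checked.
bool TeardownWithLeak() {
  Context ctx;
  auto req = std::make_unique<Request>(&ctx, "https://www.mydomain.com/path/");
  bool clean = ctx.AssertNoRequests();  // false: one leaked request
  req.reset();  // tidy up so the model's context does not dangle
  return clean;
}
```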
Labels: -Needs-Feedback
I'm not sure that the Needs-Feedback label is useful here. Removing it so this goes back in the main triage queue.

I tried to reproduce both #8 and #10 using the instructions, and got it running (took a while, and would have taken a lot longer if I weren't familiar with python tools) but didn't see any crashes on either one after several tries.
Components: UI>Browser>Downloads
Looks like the problem is stemming from <a download>, so adding download label.
I still have no idea what "tokenfuzz_pdf_april16", "ochang_domfuzzer", "tokenfuzz_pdf_curated", or "linux_asan_content_shell_drt" are, nor how to run them.  Codesearch is not illuminating, so they don't seem to be target names.  I assume any investigation would start with a repro, so I'm not sure that feedback isn't still needed, to reproduce the fuzzer results.
I followed the instructions in the link at the bottom of most of the clusterfuzz automated comments on this bug, such as #10: https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs, and go/clusterfuzz-repro which it links to. I did have some setup issues, but was able to debug them and get the script running. Even if the issue is with the tools and not with the test case being flaky, having this sit around with Needs-Feedback on it seems unlikely to get that solved.

Also, in case anyone wants a list of all the crashes associated with this bug, they're at https://cluster-fuzz.appspot.com/v2/testcases?q=group%3A6053635872260096.
What's the name of the actual target one has to run the fuzz input on?  None of those strings are actual target names, as far as I can tell.
As far as I can tell, this fuzzer is generating layout tests and running them in content_shell built with particular args. I found it easiest to use the method where you download the exact build the test ran with rather than trying to build it myself.
Status: Available (was: Untriaged)
Network triager here, marking this available. Seems like a valid bug without a clear owner. Feel free to undo this if I'm wrong.
SGTM.  Not sure we can make forward progress here without more input from the fuzzer team (Being able to build and run the test gives a lot more tools at one's disposal than just having pre-built binaries that repro the issue).
Project Member Comment 25 by ClusterFuzz, Mar 22 2017

ClusterFuzz has detected this issue as fixed in range 458506:458585.

Detailed report: https://clusterfuzz.com/testcase?key=4815173540118528

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  false. Leaked 1 URLRequest(s). First URL: https://www.mydomain.com/path/ in url_
  net::URLRequestContext::AssertNoURLRequests
  net::URLRequestContext::~URLRequestContext
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=407779:407803
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=458506:458585

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94nXKXAvOJwGEmXtOD2lJKp-Oj6v7LbqpVsiNov4Hmex9x-lVHj9YZgpBNgV7nW_WDurVeBLwn1IZokP_dgUwxnjAkHpyAAoN-hyNkj-avLk7aj7VyMcPFmSum-1xzpu2fEg5zm9pXlYhPOn_rZpXi9PZhUmqg4xILPcFbwxtSTcFEEZcxCwrEqeIXR3y5ucdrv0yQvnNmWIkokx1e7pVdoyUGsWUNtUeflfgDYSSYHXO-pd3xwnhh_cLo_724O9RxuZdH4gbZ42SMUoHViuV6tr1YNj8O5AVzswJws4qICgnkmFpvzLw1sTsiY-5iE9udfQ2ZSkGE17iKrkcYTFZCMioms7dfzDpQVPjRVh4jYZcdvKsB65iA86cJUiekxCY_YXgRcFSeoibwsYeYf9sCzaHI3kQ?testcase_id=4815173540118528


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 26 by ClusterFuzz, Mar 22 2017

ClusterFuzz has detected this issue as fixed in range 458506:458585.

Detailed report: https://clusterfuzz.com/testcase?key=5840748551602176

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  false. Leaked 1 URLRequest(s). First URL: https://www.mydomain.com/?key=value in
  net::URLRequestContext::AssertNoURLRequests
  net::URLRequestContext::~URLRequestContext
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=413421:413430
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=458506:458585

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96sxQT4VL_48YB7S5uZ_QYHFL2_CcHfMTqOm7iC4oVcl19_98ciSNVZ4rlh9hie6POUrB2uCr5xeS9ugMG4VRLFBw8ubAqbjaZ2K278U75rB7E9jpV295D5rb1Y8LWyHJwjDsxh1kZP71wIKLuSOCje6zOJi_5ECed5tyatuFUmgzxaVOJQWbkkCSJemVZo256ZJAtUqEqmFNniO5rS93AZtjX2G6ha4AtxdnD_xXeRvFwlS01yFD6FdbNbeESmhlSkBLTavSYpS5PnZjshjqlaMuM08zSD2l37j9jolexX4luFOcXk9dIVmi6K6UkgKriTbKlNnlemHbAE0NQr13KTaMwMSi76T0S2KdpMYsJKUjptPuWkYb9ja8v3LZz67BsMOeo1AbMT2QmzGzmVapiE0ynLBQ?testcase_id=5840748551602176


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Status: WontFix (was: Available)
Testcases associated with wrong issue, closing.
