New issue
Advanced search Search tips

Issue 632604 link

Starred by 1 user
Status: Verified
Owner:
kinuko@chromium.org
Closed: Aug 2016
Cc:
kouhei@chromium.org
chrishtr@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Regression



Sign in to add a comment

Crash in blink::WebString::WebString

Project Member Reported by ClusterFuzz, Jul 29 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5811734724214784

Fuzzer: inferno_twister
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000238
Crash State:
  blink::WebString::WebString
  blink::WebURL::WebURL
  blink::WebDocument::url
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=407875:407911

Minimized Testcase (1.35 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ELlKyS4I0kIIT1NnoZfhxGkG7It59aWawifBqEUGR4XkUQ9fZ1cD4Ukg0LOBvzXRELgZU-hTyZLJ5bknUxGx8y4s4OGkmgigNs-r1uhvmyfuIJrE09T-0CFz_Xdk49ktHPMnQk0ct_aZ9klPPV7UfaRpdpg?testcase_id=5811734724214784

Additional requirements: Requires HTTP

Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by rnimmagadda@chromium.org, Jul 29 2016

Cc: chrishtr@chromium.org
Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug M-54 Findit-for-crash Te-Logged Pri-2 Type-Bug-Regression
Owner: tommycli@chromium.org
Status: Assigned (was: Untriaged)
Based on this issue "630557".

@tommycli: Could you please have a look into this issue.

Else,

Suspecting:

Author: chrishtr
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4d8cc225bfd10539a79521d2bedc492ed3078fc5
Time: Thu Mar 03 18:33:40 2016
The CL last changed line 38 of file WebURL.cpp, which is stack frame 4.

@chrishtr: Could you please look into this issue.

Thank you.

Comment 2 by chrishtr@chromium.org, Jul 29 2016

Cc: kouhei@chromium.org
Components: -Tools>Test>FindIt>CorrectResult Blink>Loader
Owner: kinuko@chromium.org
Status: Untriaged (was: Assigned)
This is not due to my patch. That was just a rename. I think it's a problem
due to code in chrome_extensions_renderer_client.cc accessing the URL and
document while it's still in a half-loaded state.
Project Member

Comment 3 by ClusterFuzz, Aug 2 2016 

ClusterFuzz has detected this issue as fixed in range 408642:408661.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5811734724214784

Fuzzer: inferno_twister
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000238
Crash State:
  blink::WebString::WebString
  blink::WebURL::WebURL
  blink::WebDocument::url
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=407875:407911
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=408642:408661

Minimized Testcase (1.35 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ELlKyS4I0kIIT1NnoZfhxGkG7It59aWawifBqEUGR4XkUQ9fZ1cD4Ukg0LOBvzXRELgZU-hTyZLJ5bknUxGx8y4s4OGkmgigNs-r1uhvmyfuIJrE09T-0CFz_Xdk49ktHPMnQk0ct_aZ9klPPV7UfaRpdpg?testcase_id=5811734724214784

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 4 by ClusterFuzz, Aug 2 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Untriaged)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment