Issue metadata
Sign in to add a comment
|
Crash in mojo::AssociatedBinding<blink::mojom::blink::BroadcastChannelClient>::RunConnect |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6320577642233856 Fuzzer: ochang_domfuzzer Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x7ece5556a5a8 Crash State: mojo::AssociatedBinding<blink::mojom::blink::BroadcastChannelClient>::RunConnect mojo::internal::MultiplexRouter::ProcessTasks mojo::internal::MultiplexRouter::OnPipeConnectionError Recommended Security Severity: Low Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=406306:406354 Minimized Testcase (20.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96jvSunbC1g3lH9rqHD6QvmZAjCJ2a6E9TjtT5gCAZffTVcc5g1dPJdfBeB3EK5aHf3Myte55_xJbxAm2vYB1b8ppiEJ_VNx7d9wwIG0yuhXA1hOz65sqcotKH9Ens3tPkgewlo-DOl7e2I2HSVH2dXDtvl3iLlOvjLZmPbNtRcGH4b_DA?testcase_id=6320577642233856 Additional requirements: Requires Gestures Issue manually filed by: mbarbella See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Aug 9 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Aug 9 2016
,
Aug 9 2016
yzshen, rockot, would one of you be the right owner for this bug?
,
Aug 9 2016
,
Aug 9 2016
,
Aug 10 2016
,
Aug 10 2016
,
Aug 10 2016
So this seems like somehow the BroadcastChannel instance (and thus the AssociatedBinding member instance) got destroyed without having had oilpan call the BroadcastChannel's pre-finalizer (which would have closed the AssociatedBinding). Not sure how that would happen, as at least my understanding of pre-finalizers is that oilpan is always supposed to call them before destroying objects...
,
Aug 10 2016
Hi, Kentaro. Would you please share your thoughts on comment#9? Some more background: With an ASAN build, the AssociatedBinding<> in BroadcastChannel crashes when the browser is shut down using ctrl + shift + q. That is because the message loop destruction observer calls the connection error handler, but the AssociatedBinding<> instance is invalid at that point already. I added some logging to AssociatedBinding, and noticed that we had less AssociatedBinding::Close() calls (called from BroadcastChannel::dispose) than constructor calls. AssociatedBinding::Close() should de-register it from receiving connection error notification. And we had no destructor calls at all.
,
Aug 11 2016
I noticed that BroadcastChannel is missing ThreadState::current()->registerPreFinalizer(this)... Then the pre-finalizer won't be invoked :)
,
Aug 11 2016
Ah yes, that would explain it... Would be helpful if there was some kind of automated presubmit and/or clang check to make sure registerPreFinalizer is called when USING_PRE_FINALIZER is present...
,
Aug 11 2016
Yeah, in 99.9% of the cases we need to write registerPreFinalizer() in a cpp file corresponding to a header file that has USING_PRE_FINALIZER. So it would be helpful to have a presubmit/gc-plugin check for the fact.
,
Aug 11 2016
Thanks for the help, Kentaro! Marijn: Would you please take this bug and fix it? Thanks!
,
Aug 11 2016
,
Aug 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c48d361b1a4271a871418b7f73029c8e831e45be commit c48d361b1a4271a871418b7f73029c8e831e45be Author: mek <mek@chromium.org> Date: Fri Aug 12 02:14:56 2016 Actually register the BroadcastChannel pre-finalizer. BroadcastChannel defined a pre-finalizer, but never registered it, so the finalizer was never being called. This fixes crashes caused by that. BUG= 635577 Review-Url: https://codereview.chromium.org/2243503002 Cr-Commit-Position: refs/heads/master@{#411521} [modify] https://crrev.com/c48d361b1a4271a871418b7f73029c8e831e45be/third_party/WebKit/Source/modules/broadcastchannel/BroadcastChannel.cpp
,
Aug 12 2016
Should be fixed now.
,
Aug 13 2016
,
Aug 23 2016
ClusterFuzz has detected this issue as fixed in range 413414:413421. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6320577642233856 Fuzzer: ochang_domfuzzer Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x7ece5556a5a8 Crash State: mojo::AssociatedBinding<blink::mojom::blink::BroadcastChannelClient>::RunConnect mojo::internal::MultiplexRouter::ProcessTasks mojo::internal::MultiplexRouter::OnPipeConnectionError Recommended Security Severity: Low Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=406306:406354 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=413414:413421 Minimized Testcase (20.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96jvSunbC1g3lH9rqHD6QvmZAjCJ2a6E9TjtT5gCAZffTVcc5g1dPJdfBeB3EK5aHf3Myte55_xJbxAm2vYB1b8ppiEJ_VNx7d9wwIG0yuhXA1hOz65sqcotKH9Ens3tPkgewlo-DOl7e2I2HSVH2dXDtvl3iLlOvjLZmPbNtRcGH4b_DA?testcase_id=6320577642233856 Additional requirements: Requires Gestures See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 19 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Aug 9 2016