Issue 636299
Issue metadata

Status: Duplicate
Owner:
Closed: Aug 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug
Crash in blink::Node::unregisterMutationObserver

Project Member Reported by ClusterFuzz, Aug 10 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5384560152150016

Fuzzer: inferno_twister
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x00000008
Crash State:
  blink::Node::unregisterMutationObserver
  blink::MutationObserverRegistration::unregister
  blink::MutationObserver::disconnect
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_content_shell&range=410785:410843

Minimized Testcase (9.43 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94vhCjGvs3pyP8NvgqJ3JSzQJRBeB8BfIjXHQbaUNJwhNrrpJSiXoo5bSqIjzFOZD2oRclVwlaYcApmHyvdFZfWUZjX25oK1B8EE1yehJrcrc-0OBP1SMpwHnsq6O5TEOKLDCXbMak1Vl_dvD5PooARWO1-gg?testcase_id=5384560152150016

Issue manually filed by: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: cbiesin...@chromium.org nyerramilli@chromium.org
Components: Tools>Test>FindIt>WrongResult
Labels: findit-wrong Te-Logged
Owner: bokan@chromium.org
Status: Assigned (was: Untriaged)
providing Findit results for internal purpose:
Suspected CLs: No CL in the regression range changes the crashed files. The result is the blame information.

Author: adamk@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/a11a7f4704c620de6123316ee5c75c600798b9fd
Time: Mon Oct 17 22:31:25 2011
The CL last changed line 1943 of file Node.cpp, which is stack frame 0.

Author: sigbjornf@opera.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8d3c0bd9ce51f5dcfc0807fb0c3775ed15d6675e
Time: Thu May 08 08:09:06 2014
The CL last changed line 107 of file MutationObserverRegistration.cpp, which is stack frame 1.

Author: kouhei@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8d8f2e1e111607fec4c8aa3885e3f55a0b2fb3f3
Time: Fri Mar 27 07:16:44 2015
The CL last changed line 145 of file MutationObserver.cpp, which is stack frame 2.

Author: verwaest
Project: chromium-v8
Changelist: https://chromium.googlesource.com/v8/v8.git/+/5c73b25ff58e32bcd69153de15a786210769426c
Time: Thu Mar 10 12:14:46 2016
The CL last changed line 19 of file api-arguments.cc, which is stack frame 3.

Author: yangguo
Project: chromium-v8
Changelist: https://chromium.googlesource.com/v8/v8.git/+/a4bd96a6e2f6b0f19f8fd9379ba42bd6e75190be
Time: Mon Jul 25 19:15:01 2016
The CL last changed line 106 of file builtins-api.cc, which is stack frame 4.

Author: yangguo
Project: chromium-v8
Changelist: https://chromium.googlesource.com/v8/v8.git/+/a4bd96a6e2f6b0f19f8fd9379ba42bd6e75190be
Time: Mon Jul 25 19:15:01 2016
The CL last changed line 135 of file builtins-api.cc, which is stack frame 5.

Author: yangguo
Project: chromium-v8
Changelist: https://chromium.googlesource.com/v8/v8.git/+/a4bd96a6e2f6b0f19f8fd9379ba42bd6e75190be
Time: Mon Jul 25 19:15:01 2016
The CL last changed line 123 of file builtins-api.cc, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>DOM

assigning to bokan@ / cbiesinger@ (https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/OWNERS)
Could you please check the above issue & help us in finding an owner.

Comment 2 by bokan@chromium.org, Aug 10 2016

Cc: bokan@chromium.org
Owner: sigbjo...@opera.com
Nothing jumped out from the regression range but I'm not sure I'd know.

It looks to me like m_registrationNode is NULL in MutationObserverRegistration::unregister(). This is DCHECK'd but the ASAN build is release (I'm guessing with DCHECKs off). sigbjornf@ added this DCHECK so he may have a better sense of what's going wrong. Sigbjorn, could you please triage? Thanks.

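The failure mode comment 2 describes, as an added C++ illustration that is not Chromium code: a pointer guarded only by a DCHECK is dereferenced anyway in a release build where DCHECKs are compiled out, so a null pointer turns into a read at a small absolute address equal to the member's offset. The type and member names (`Node`, `Registration`, `registrationNode`, `observerCount`) and the two `unregister` variants are constructed stand-ins for the Blink functions in the stack trace; the member at offset 8 is chosen so the fault address matches the report's Crash Address 0x00000008, but the page does not say which member was actually read.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>

// Minimal stand-in for Chromium's DCHECK: the condition is checked only in
// debug builds. With NDEBUG defined (release, as the ASAN content_shell build
// is assumed to be above) the check disappears entirely.
#ifdef NDEBUG
#define DCHECK(cond) ((void)0)
#else
#define DCHECK(cond) assert(cond)
#endif

// Constructed stand-in for the registered DOM node.
struct Node {
    uint64_t pad;        // leading state, so the next member lands at offset 8
    int observerCount;   // member read during unregistration (constructed)
};

// Constructed stand-in for MutationObserverRegistration.
struct Registration {
    Node* registrationNode = nullptr;
};

// Shape of the unregister path as comment 2 describes it: a DCHECK guards the
// pointer, then it is dereferenced. With DCHECKs compiled out, a null
// registrationNode becomes a read at address offsetof(Node, observerCount).
int unregisterDcheckOnly(Registration& reg) {
    DCHECK(reg.registrationNode);
    return reg.registrationNode->observerCount;
}

// Hardened variant: the null case is handled on every build type, so a
// missing registration node is reported instead of dereferenced.
bool unregisterChecked(Registration& reg, int* countOut) {
    if (!reg.registrationNode) return false;
    *countOut = reg.registrationNode->observerCount;
    return true;
}

// For a member read through a null object pointer the faulting address is the
// member's offset; this is how a Crash Address like 0x00000008 is read.
uintptr_t faultAddressForNullMember() {
    return static_cast<uintptr_t>(offsetof(Node, observerCount));
}

// Reports whether DCHECKs are active in this build.
bool dchecksEnabled() {
#ifdef NDEBUG
    return false;
#else
    return true;
#endif
}
```

`unregisterDcheckOnly` is the pattern that produced the crash state above when DCHECKs are off; `unregisterChecked` is the form that stays safe whether or not the build evaluates DCHECKs, and `faultAddressForNullMember` returns the address an ASAN "UNKNOWN READ" would report for the null case.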
Comment 3 by sigbjo...@opera.com, Aug 10 2016

Windows version of issue 592322?

Comment 4 by bokan@chromium.org, Aug 10 2016

Mergedinto: 592322
Status: Duplicate (was: Assigned)
Looks like it. Thanks Sigbjorn!

According to issue 592322 this is flaky so the regression range shouldn't be trusted.
Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong

Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot