!m_client in DocumentThreadableLoader.cpp
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4590488739119104

Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !m_client in DocumentThreadableLoader.cpp
  blink::DocumentThreadableLoader::~DocumentThreadableLoader
  blink::HeapObjectHeader::finalize

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=407057:407074

Minimized Testcase (0.30 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97zTsUC8jySEV04pFhaV9UwbZ8v2i--XpfUzr1S_Wj-G005BZAzRfs4CkOeQmtaLcy8lwEBhGc2X2N8mZG1YMfBmWA0xPBouUFDvLRFZ5Us2quKleqoWw7JQ-iXc_fdbLGQI2_XlAWFtJq4cZmfxHKtIl_1ZQ?testcase_id=4590488739119104

    <script>
    xhr = new XMLHttpRequest();
    xhr.open("GET", false);
    // Re-enter open()+send() from the state-change handler, which runs while
    // the previous loader is being cancelled.
    xhr.onreadystatechange = function () {
      xhr.open("GET", true);
      xhr.send();
    }
    xhr.send();
    ;
    if (window.layoutTestController)
      layoutTestController.waitUntilDone();
    // Force a GC so the dropped loader is finalized (the CHECK fires in its destructor).
    setTimeout("tCFcrash()");
    function tCFcrash() { gc() }
    </script>

Additional requirements: Requires HTTP

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 24 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/44a428232115791ba479e01981a5450c8500ee70

commit 44a428232115791ba479e01981a5450c8500ee70
Author: yhirano <yhirano@chromium.org>
Date: Wed Aug 24 08:43:12 2016

Suppress cancellation notification in XMLHttpRequest::endLoading

We call ThreadableLoader::cancel in XMLHttpRequest::endLoading as it is required by ThreadableLoader, but that cancellation should not be notified to JS. Otherwise, the script can replace |m_loader| in the XMLHttpRequest instance and that violates the ThreadableLoader assumption itself.

BUG=638567, 638432

Review-Url: https://codereview.chromium.org/2271033003
Cr-Commit-Position: refs/heads/master@{#414026}

[modify] https://crrev.com/44a428232115791ba479e01981a5450c8500ee70/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp
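The re-entrancy the commit message describes, reduced to a toy model. This is an added illustration, not Blink's code: the names Loader, Xhr, gc(), runTestcase() and the simulated heap s_heap are the example's own, and a loader finalized while it still has a client stands in for the CHECK(!m_client) failure in ~DocumentThreadableLoader. It replays the minimized testcase twice: once with an endLoading() that lets the cancel notification reach the script (which swaps in a new loader that is then dropped without being cancelled), and once with the notification suppressed, as the fix does.

```cpp
#include <cassert>
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// ThreadableLoader contract, as modelled here: the owner must cancel() a loader
// before letting go of it, so m_client is null by the time it is destroyed.
struct LoaderClient {
    virtual ~LoaderClient() = default;
    virtual void didFail() = 0;
};

class Loader {
public:
    explicit Loader(LoaderClient* client) : m_client(client) {}
    ~Loader() { if (m_client) ++s_destroyedWithClient; }  // models CHECK(!m_client)
    void cancel() {
        if (!m_client) return;
        LoaderClient* client = m_client;
        m_client = nullptr;   // detach first, then notify
        client->didFail();    // the notification can run script and re-enter the client
    }
    static int s_destroyedWithClient;
private:
    LoaderClient* m_client;
};
int Loader::s_destroyedWithClient = 0;

// Simulated garbage-collected heap (assumption): loaders are owned here and
// only reclaimed by gc(), so dropping a pointer never frees synchronously.
static std::vector<std::unique_ptr<Loader>> s_heap;

class Xhr : public LoaderClient {
public:
    std::function<void()> onreadystatechange;  // stands in for the JS handler
    bool fixed = false;                         // choose buggy or fixed endLoading()

    void open() {
        if (m_loader) { m_loader->cancel(); m_loader = nullptr; }
    }
    void send() {
        s_heap.push_back(std::make_unique<Loader>(this));
        m_loader = s_heap.back().get();
    }
    void didFail() override {
        if (m_suppressNotification) return;            // fix: endLoading's cancel is silent
        if (onreadystatechange) onreadystatechange();  // script may call open()+send() here
    }
    void endLoading() {
        if (!m_loader) return;
        if (fixed) {
            m_suppressNotification = true;
            m_loader->cancel();        // no script runs, so m_loader cannot be swapped
            m_suppressNotification = false;
        } else {
            m_loader->cancel();        // script replaces m_loader during this call...
        }
        m_loader = nullptr;            // ...so this drops the NEW loader without cancelling it
    }
    Loader* loader() const { return m_loader; }
private:
    Loader* m_loader = nullptr;
    bool m_suppressNotification = false;
};

// Reclaim every loader no Xhr still points to; destructor checks run here.
void gc(const std::vector<Xhr*>& roots) {
    auto isLive = [&](const Loader* l) {
        for (const Xhr* x : roots) if (x->loader() == l) return true;
        return false;
    };
    std::vector<std::unique_ptr<Loader>> survivors;
    for (auto& l : s_heap) if (isLive(l.get())) survivors.push_back(std::move(l));
    s_heap = std::move(survivors);
}

// Replays the minimized testcase and returns how many loaders were finalized
// while still attached to a client (0 means no CHECK failure).
int runTestcase(bool fixed) {
    Loader::s_destroyedWithClient = 0;
    s_heap.clear();
    Xhr xhr;
    xhr.fixed = fixed;
    xhr.onreadystatechange = [&xhr] { xhr.open(); xhr.send(); };  // re-entrant open()+send()
    xhr.send();
    xhr.endLoading();   // response finished: cancel the loader as the contract requires
    gc({&xhr});         // tCFcrash(): finalize unreachable loaders
    return Loader::s_destroyedWithClient;
}

int main() {
    std::printf("buggy endLoading: %d loader(s) finalized with a client\n", runTestcase(false));
    std::printf("fixed endLoading: %d loader(s) finalized with a client\n", runTestcase(true));
    return 0;
}
```

The unfixed path reports one leaked attachment: the loader created by the handler's open()+send() is orphaned when endLoading() clears m_loader, and is only noticed at gc(), which is why the testcase needs the explicit gc() call. With the notification suppressed the handler never runs during cancellation and the count is zero.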
Aug 25 2016
ClusterFuzz has detected this issue as fixed in range 413414:413421.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4590488739119104

Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !m_client in DocumentThreadableLoader.cpp
  blink::DocumentThreadableLoader::~DocumentThreadableLoader
  blink::HeapObjectHeader::finalize

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=407057:407074
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=413414:413421

Minimized Testcase (0.30 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94jnFhzpncMvvwENZReLbYnyExjp2Mo-00N6EhqsTZ6gwNiwXSWJzzIcvVdfQlwk6eiOkq4s2B5Sf2Q3_p5XJ2VZrlkVQlD8_ClMHU8BA7IteQJWhAzsLs4SGfQgNXhUI56k7IqM9nKgf7Ktn8POm_TcxunNQ?testcase_id=4590488739119104

    <script>
    xhr = new XMLHttpRequest();
    xhr.open("GET", false);
    xhr.onreadystatechange = function () {
      xhr.open("GET", true);
      xhr.send();
    }
    xhr.send();
    ;
    if (window.layoutTestController)
      layoutTestController.waitUntilDone();
    setTimeout("tCFcrash()");
    function tCFcrash() { gc() }
    </script>

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 25 2016
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Aug 17 2016

Labels: M-54 Te-Logged
Owner: yhirano@chromium.org
Status: Assigned (was: Untriaged)