Issue metadata
Heap-use-after-free in cc::SurfaceManager::UnregisterBeginFrameSource
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5617721922551808
Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x28a69bcf
Crash State:
  cc::SurfaceManager::UnregisterBeginFrameSource
  cc::Display::~Display
  content::GpuProcessTransportFactory::~GpuProcessTransportFactory
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=415049:415582
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97CNN3AFkfWO4ZV2aG-JnsN8wL07ed_UDQ-9xZHB9aYwZqteQHSyQChi-XJku1QohjNqsGzndvol4jJ1X2ImQAHCC5Gr-OGi9jPZj7c3atF8A6lQqA3W_ts3_L4HCVYyiiO5PXrKR13zua0yrN8Sw9pb0d8ow8EduiwNktLHkGvFYTOpy8?testcase_id=5617721922551808
Additional requirements: Requires HTTP
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 1 2016
Author: enne
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/9848a61393772cc8a9aa8349c68f7d436c743369
Time: Wed Aug 31 20:20:22 2016
File gpu_process_transport_factory.cc is changed in this cl (and is part of stack frame #4, "content_shell!content::GpuProcessTransportFactory::GpuProcessTransportFactory+0xa2")
File gpu_process_transport_factory.cc is changed in this cl (and is part of stack frame #3, "content_shell!content::GpuProcessTransportFactory::~GpuProcessTransportFactory+0x7e")
Minimum distance from crash line to modified line: 10. (file: gpu_process_transport_factory.cc, crashed on: 178, modified: 168).
Suspected Project: chromium
Suspected Component: Internals>Core
Sep 1 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 1 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4815935561269248
Fuzzer: inferno_twister_custom_bundle
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x000000000000
Crash State:
  Bad-cast to cc::BeginFrameSource from invalid vptr
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=415626:415740
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97sIjKJw5sbHqpBiyZ6eLD9HzSFM3T6DfjdLueA4odIFFL-9hAhKUkLH2_I2xLXywPZyla5-ZpxlxGpZ5sNzz4rKhqKWBZEO3Jt0lAuHBmxWDIaDV79rgSnW4rjuIMHg0v2MPNyPd1rKbPFf0Gf7j5uWtRrjA?testcase_id=4815935561269248
Additional requirements: Requires Gestures
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 1 2016
This change has been reverted already in https://codereview.chromium.org/2304483002
Sep 2 2016
ClusterFuzz has detected this issue as fixed in range 415740:415894.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4815935561269248
Fuzzer: inferno_twister_custom_bundle
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x000000000000
Crash State:
  Bad-cast to cc::BeginFrameSource from invalid vptr
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=415626:415740
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=415740:415894
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97sIjKJw5sbHqpBiyZ6eLD9HzSFM3T6DfjdLueA4odIFFL-9hAhKUkLH2_I2xLXywPZyla5-ZpxlxGpZ5sNzz4rKhqKWBZEO3Jt0lAuHBmxWDIaDV79rgSnW4rjuIMHg0v2MPNyPd1rKbPFf0Gf7j5uWtRrjA?testcase_id=4815935561269248
Additional requirements: Requires Gestures
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 5 2016
This is still happening on [Crash Revision] r416459 which includes the revert. e.g. see last tested stacktrace in https://cluster-fuzz.appspot.com/testcase?key=5617721922551808.
Sep 5 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6474678371876864
Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6120002a8230
Crash State:
  cc::SurfaceManager::UnregisterBeginFrameSource
  cc::Display::~Display
  cc::Display::~Display
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=415049:415600
Minimized Testcase (8.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96kMN7V_D5qHTcxeLKoNG2X4ZAgd0B8_9IdHTZ4zfN5_MuxMo0eTXUMT9H8oGKgklMWGtVM7sDiN4efO14WALaAvVY5v36g84bPWHVYOvN4ETqeq85PK0gDxYWm-wjrtBxEwmM3C1mJCWoTtHVoeJhdcUbs0w?testcase_id=6474678371876864
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 5 2016
c#12 points toward another cl.
The result is a list of CLs that change the crashed files.
Author: enne
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/5828897e19ecb4671add8a25212e29f481779b47
Time: Tue Aug 30 06:00:08 2016
File gpu_process_transport_factory.cc is changed in this cl (and is part of stack frame #4, "content::GpuProcessTransportFactory::~GpuProcessTransportFactory"; frame #5, "~GpuProcessTransportFactory"; frame #6, "non-virtual thunk to content::GpuProcessTransportFactory::~GpuProcessTransportFactory")
Minimum distance from crash line to modified line: 36. (file: gpu_process_transport_factory.cc, crashed on: 249, modified: 285).
Suspected Project: chromium
Suspected Component: Internals>Core
Sep 6 2016
Friendly ping: this is currently a Beta-blocker and needs to get fixed and merged as soon as feasible, as M54 is going to beta this Thursday 9/8.
Sep 6 2016
Users experienced this crash on the following builds:
Win Canary 55.0.2851.0 - 1.57 CPM, 9 reports, 4 clients (signature cc::SurfaceManager::UnregisterBeginFrameSource)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.
- Go/Fracas
Sep 6 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1a1031cf083156956a7b6f4934089281da6981c0

commit 1a1031cf083156956a7b6f4934089281da6981c0
Author: enne <enne@chromium.org>
Date: Tue Sep 06 23:11:20 2016

Fix GpuProcessTransportFactory destructor crash

https://codereview.chromium.org/2297473002 changed a raw pointer in GpuProcessTransportFactory into a unique_ptr, which caused some additional shutdown behavior (destroying map entries) that was not there before the patch. PerCompositorData depends on SurfaceManager existing (to unregister begin frame sources from ~Display). So, SurfaceManager's lifetime should exceed the lifetime of all Displays.

BUG=642803
Review-Url: https://codereview.chromium.org/2318753002
Cr-Commit-Position: refs/heads/master@{#416756}

[modify] https://crrev.com/1a1031cf083156956a7b6f4934089281da6981c0/content/browser/compositor/gpu_process_transport_factory.cc
[modify] https://crrev.com/1a1031cf083156956a7b6f4934089281da6981c0/content/browser/compositor/gpu_process_transport_factory.h
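The lifetime ordering the commit message above describes, as an added C++ illustration that is not Chromium code: the class names mirror the report, but the bodies, the event log and both factory layouts are constructed, and Display only records its destructor instead of dereferencing the manager so the wrong teardown order is observable without real undefined behaviour.

```cpp
// Added illustration, not Chromium code: names mirror the report, bodies are constructed.
#include <map>
#include <memory>
#include <string>
#include <vector>
using EventLog = std::vector<std::string>;
struct SurfaceManager {
  explicit SurfaceManager(EventLog* log) : log_(log) {}
  ~SurfaceManager() { log_->push_back("~SurfaceManager"); }
  EventLog* log_;
};
struct Display {
  Display(SurfaceManager* m, EventLog* log) : manager_(m), log_(log) {}
  // Real ~Display calls manager_->UnregisterBeginFrameSource(); only logged here to avoid a real UAF.
  ~Display() { log_->push_back("~Display"); }
  SurfaceManager* manager_;  // raw, non-owning: gives no lifetime guarantee by itself
  EventLog* log_;
};
// Members die in reverse declaration order: surface_manager_ (declared last) is freed before the Displays.
struct BuggyFactory {
  explicit BuggyFactory(EventLog* log) : surface_manager_(std::make_unique<SurfaceManager>(log)) {
    displays_[1] = std::make_unique<Display>(surface_manager_.get(), log);
  }
  std::map<int, std::unique_ptr<Display>> displays_;
  std::unique_ptr<SurfaceManager> surface_manager_;
};
// Fixed: manager declared first (destroyed last) and the map cleared explicitly before it goes away.
struct FixedFactory {
  explicit FixedFactory(EventLog* log) : surface_manager_(std::make_unique<SurfaceManager>(log)) {
    displays_[1] = std::make_unique<Display>(surface_manager_.get(), log);
  }
  ~FixedFactory() { displays_.clear(); }
  std::unique_ptr<SurfaceManager> surface_manager_;
  std::map<int, std::unique_ptr<Display>> displays_;
};
template <typename Factory>
EventLog TeardownLog() {
  EventLog log;
  { Factory f(&log); }  // destructors run at the closing brace
  return log;
}
// True when the manager was torn down before any Display: the ordering behind this report's UAF.
bool ManagerDiedBeforeDisplays(const EventLog& log) {
  for (const auto& e : log) {
    if (e == "~SurfaceManager") return true;
    if (e == "~Display") return false;
  }
  return false;
}
```

Under ASan the buggy layout is exactly the stack in the report (~Display reaching SurfaceManager after it was freed); declaration order alone is enough to fix it, and the explicit clear() makes the intent survive later member reordering.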
Sep 7 2016
ClusterFuzz has detected this issue as fixed in range 416628:416826.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6474678371876864
Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6120002a8230
Crash State:
  cc::SurfaceManager::UnregisterBeginFrameSource
  cc::Display::~Display
  cc::Display::~Display
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=415049:415600
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=416628:416826
Minimized Testcase (8.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96kMN7V_D5qHTcxeLKoNG2X4ZAgd0B8_9IdHTZ4zfN5_MuxMo0eTXUMT9H8oGKgklMWGtVM7sDiN4efO14WALaAvVY5v36g84bPWHVYOvN4ETqeq85PK0gDxYWm-wjrtBxEwmM3C1mJCWoTtHVoeJhdcUbs0w?testcase_id=6474678371876864
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 10 2016
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Dec 15 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Aug 31 2016