New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 644269 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Sep 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Crash in blink::ContentDecryptionModuleResultPromise::reject

Project Member Reported by ClusterFuzz, Sep 6 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5363680659374080

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::ContentDecryptionModuleResultPromise::reject
  blink::ContentDecryptionModuleResultPromise::completeWithError
  blink::WebContentDecryptionModuleResult::completeWithError
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=398942:399015

Minimized Testcase (20.94 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96esh8OxE3GFxUDHjyoYooKMEzXbeD69NmuO9x0y3C5gp7xdryQ_ktAXIRLqNcTKSuOMLaAaKa9Dqd1Y9mTh-Ed14g7jBXyu-BqoY0FyQ-nH-Vi8C6rjHIYxw_4TACw9rcRxghakT-XwEcMzFGbBRNnZnjTtYogY9KN7lTKHFZ9uhLjsJo?testcase_id=5363680659374080

Issue manually filed by: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ashej...@chromium.org
Labels: Te-Logged ToolsTestsFindItCorrectResult
Owner: jrumm...@chromium.org
Status: Assigned (was: Untriaged)
Suspected CLs	The result is a list of CLs that change the crashed files.

Author: jrummell
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/3135b5eec1c39fb213cbf906f81553efa8cbaf67
Time: Thu Jun 09 19:57:00 2016
Lines 96-101 of file ContentDecryptionModuleResultPromise.cpp which potentially caused crash are changed in this cl (frame #0, "blink::ContentDecryptionModuleResultPromise::reject").
Minimum distance from crash line to modified line: 0. (file: ContentDecryptionModuleResultPromise.cpp, crashed on: 96, modified: 96).

Suspected Project: chromium

From the above suspected @jrummell: Hey, would you mind checking the above issue and see if its related to your change ?

Appreciate your help.

Thank you!
Status: Started (was: Assigned)
Based on the crash it looks like the ExecutionContext is gone. I'll add a check for it.
Project Member

Comment 3 by bugdroid1@chromium.org, Sep 7 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d0abaf6c13603474382963075424bf7586558d74

commit d0abaf6c13603474382963075424bf7586558d74
Author: jrummell <jrummell@chromium.org>
Date: Wed Sep 07 00:32:22 2016

Add check for null pointer

When resources are freed, asynchronous tasks may fail later and cause
promises to be rejected. However, since the resource is gone, this
crashes. Add a check that the ExecutionContext still exists before
using it.

BUG= 644269 
TEST=test case doesn't crash

Review-Url: https://codereview.chromium.org/2314253002
Cr-Commit-Position: refs/heads/master@{#416797}

[modify] https://crrev.com/d0abaf6c13603474382963075424bf7586558d74/third_party/WebKit/Source/modules/encryptedmedia/ContentDecryptionModuleResultPromise.cpp

Project Member

Comment 4 by ClusterFuzz, Sep 8 2016

ClusterFuzz has detected this issue as fixed in range 416781:416842.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5363680659374080

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::ContentDecryptionModuleResultPromise::reject
  blink::ContentDecryptionModuleResultPromise::completeWithError
  blink::WebContentDecryptionModuleResult::completeWithError
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=398942:399015
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=416781:416842

Minimized Testcase (20.94 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96esh8OxE3GFxUDHjyoYooKMEzXbeD69NmuO9x0y3C5gp7xdryQ_ktAXIRLqNcTKSuOMLaAaKa9Dqd1Y9mTh-Ed14g7jBXyu-BqoY0FyQ-nH-Vi8C6rjHIYxw_4TACw9rcRxghakT-XwEcMzFGbBRNnZnjTtYogY9KN7lTKHFZ9uhLjsJo?testcase_id=5363680659374080

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, Sep 8 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment