Crash in url::UIDNAWrapper::UIDNAWrapper
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6091498691231744
Fuzzer: libfuzzer_html_preload_scanner_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e900007817
Crash State:
  url::UIDNAWrapper::UIDNAWrapper
  base::DefaultLazyInstanceTraits<url::UIDNAWrapper>::New
  base::internal::LeakyLazyInstanceTraits<url::UIDNAWrapper>::New

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=416298:416360
Minimized Testcase (0.60 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97IdT3x5OwaTTXJ-tITxtvQN1nEtUR4Tcqhfx19LhfUe8cQPYbdH8eKUwoTIT56TdW7atjB7yPdd8xCwHRYDunIMq3pk_3WTbnjOLFVAqnLolfps9cqO1cVC8svbrWGacb4VJBACinl4-wEKo7NwjYeBsK3xg?testcase_id=6091498691231744
Additional requirements: Requires Gestures
Issue manually filed by: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 7 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6750797591478272
Fuzzer: libfuzzer_html_preload_scanner_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  false. failed to open UTS46 data with error: 4 in url_canon_icu.cc
  url::IDNToASCII
  url::DoIDNHost

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=416270:416323
Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95T9EwqQK95x90kV5bzfTkP_byv0rYYVjA4ZdhPC2G0hZwscA8PBaqy6G6Q4cYKjcfAY2NZQpGp7gsX96A8HamJt0XCGTW7HFu67rikHgwhWKhVtKqmHR18uYwe0Yt5fEqdZKAMD-h25rW2ySsnF-6N-WxTQw?testcase_id=6750797591478272

  <!DOCTYPE html>
  <meta charsEt="utf-4">
  <base href="http://exaあんこう祭り/">
  if (window.testRunner)

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 7 2016

Looks like this also has been found with Release MSan build.
Sep 7 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5357096004747264
Fuzzer: libfuzzer_html_preload_scanner_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e90000568c
Crash State:
  UIDNAWrapper
  Pointer
  Get

Minimized Testcase (1.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96bWGaDzRDYLT1rd9QkwULz7AqTECwiLECBV-rSahqZXod8m50VNH7EU82S3bYpPgc1--dRQeGi-NGGqPgoGzqPqmlkLEri7NYyhxlTFSPsb8TDeDPo771AzFWRCYu6YyddhZPzJS_D_CeaQc_N764Vng47Lg?testcase_id=5357096004747264

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 7 2016

Release ASan as well. Waiting for UBSan to make it "monster kill" :)
Sep 7 2016

Unfortunately I don't think this is a real bug, because we're passing an invalid document url to the scanner. Will upload a fix with some better DCHECKs.
Sep 7 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/42754d4bc93465269b460b5912a3d7f30549e53c

commit 42754d4bc93465269b460b5912a3d7f30549e53c
Author: csharrison <csharrison@chromium.org>
Date: Wed Sep 07 22:22:05 2016

DCHECK that the document url is valid in HTMLPreloadScanner

This patch asserts that the document url passed into the scanner is valid. This fixes a fuzzer issue where the fuzzer was passing in an empty (invalid) url.

BUG= 644667

Review-Url: https://codereview.chromium.org/2318283002
Cr-Commit-Position: refs/heads/master@{#417092}

[modify] https://crrev.com/42754d4bc93465269b460b5912a3d7f30549e53c/third_party/WebKit/Source/core/html/parser/HTMLDocumentParserTest.cpp
[modify] https://crrev.com/42754d4bc93465269b460b5912a3d7f30549e53c/third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp
[modify] https://crrev.com/42754d4bc93465269b460b5912a3d7f30549e53c/third_party/WebKit/Source/core/html/parser/HTMLPreloadScannerFuzzer.cpp
Sep 9 2016

ClusterFuzz has detected this issue as fixed in range 416997:417261.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6091498691231744
Fuzzer: libfuzzer_html_preload_scanner_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e900007817
Crash State:
  url::UIDNAWrapper::UIDNAWrapper
  base::DefaultLazyInstanceTraits<url::UIDNAWrapper>::New
  base::internal::LeakyLazyInstanceTraits<url::UIDNAWrapper>::New

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=416298:416360
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=416997:417261
Minimized Testcase (0.60 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97IdT3x5OwaTTXJ-tITxtvQN1nEtUR4Tcqhfx19LhfUe8cQPYbdH8eKUwoTIT56TdW7atjB7yPdd8xCwHRYDunIMq3pk_3WTbnjOLFVAqnLolfps9cqO1cVC8svbrWGacb4VJBACinl4-wEKo7NwjYeBsK3xg?testcase_id=6091498691231744
Additional requirements: Requires Gestures

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 9 2016

ClusterFuzz has detected this issue as fixed in range 417039:417277.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6750797591478272
Fuzzer: libfuzzer_html_preload_scanner_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  false. failed to open UTS46 data with error: 4 in url_canon_icu.cc
  url::IDNToASCII
  url::DoIDNHost

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=416270:416323
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=417039:417277
Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95T9EwqQK95x90kV5bzfTkP_byv0rYYVjA4ZdhPC2G0hZwscA8PBaqy6G6Q4cYKjcfAY2NZQpGp7gsX96A8HamJt0XCGTW7HFu67rikHgwhWKhVtKqmHR18uYwe0Yt5fEqdZKAMD-h25rW2ySsnF-6N-WxTQw?testcase_id=6750797591478272

  <!DOCTYPE html>
  <meta charsEt="utf-4">
  <base href="http://exaあんこう祭り/">
  if (window.testRunner)

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 9 2016

ClusterFuzz has detected this issue as fixed in range 417024:417277.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5357096004747264
Fuzzer: libfuzzer_html_preload_scanner_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e90000568c
Crash State:
  UIDNAWrapper
  Pointer
  Get

Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417024:417277
Minimized Testcase (1.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96bWGaDzRDYLT1rd9QkwULz7AqTECwiLECBV-rSahqZXod8m50VNH7EU82S3bYpPgc1--dRQeGi-NGGqPgoGzqPqmlkLEri7NYyhxlTFSPsb8TDeDPo771AzFWRCYu6YyddhZPzJS_D_CeaQc_N764Vng47Lg?testcase_id=5357096004747264

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 9 2016
Oct 7 2016

Still seeing this issue, please see the below comment. Thanks.
Oct 7 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4740881452367872
Fuzzer: libfuzzer_stylesheet_contents_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  false. failed to open UTS46 data with error: 4 in url_canon_icu.cc
  url::UIDNAWrapper::UIDNAWrapper
  base::DefaultLazyInstanceTraits<>::New

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423366:423427
Minimized Testcase (1.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96oigdvRdmkiHj9K6p_4_Ex2YDfjbEVC5uWqlijAZ1wIYfStqeYNxMVt4XPVe_vW1KqjFJoNPzzx3m27zaaPilJ8Scgh6SSZj0ZPpsHYbNwjJyuHoMQQcM4MA2t1Z7VxZmmzcqVkKKSgrk75LQvK_vhU6zgog?testcase_id=4740881452367872

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 7 2016

Can you open another bug for that? This fuzzer tests a completely different set of code than the one for this bug.
Oct 18 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6164959379849216
Fuzzer: libfuzzer_radamsa_stylesheet_contents_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e9000071ab
Crash State:
  url::UIDNAWrapper::UIDNAWrapper
  base::DefaultLazyInstanceTraits<url::UIDNAWrapper>::New
  base::internal::LeakyLazyInstanceTraits<url::UIDNAWrapper>::New

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=423381:423433
Minimized Testcase (1.73 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94nFQ8Du_BYurHYg9OkONC00Z6E5XMx7bqVRgX92Re2jn6SnIt4pHc8AeYnDcS_ytio2CWLfoAfjVn-wiv6u6OOEKTaKrozxyrTzyVpBm6PWZvItHB3ucmV7Q71oAyVcQcyYeby62GVf3yPtGZLfJTRIEShaA?testcase_id=6164959379849216

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 19 2016

Eh, looks like ClusterFuzz wants to use this issue. Fine by me. The parser context has no valid base URL, which is an implicit precondition for parsing. Probably it should be impossible to create a parser context without a base URL, if possible.
Oct 19 2016

Specifically it looks like we use completeURL() for font and image urls. I see a TODO(timloh) here that's relevant: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/css/CSSSyntaxDescriptor.cpp?rcl=1476847656&l=155
Oct 19 2016

Scratch that. The null base URL just exposes the problem, which is improper ICU initialization.
Oct 19 2016
Oct 20 2016

ClusterFuzz has detected this issue as fixed in range 426179:426229.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4740881452367872
Fuzzer: libfuzzer_stylesheet_contents_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  false. failed to open UTS46 data with error: 4 in url_canon_icu.cc
  url::UIDNAWrapper::UIDNAWrapper
  base::DefaultLazyInstanceTraits<>::New

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423366:423427
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=426179:426229
Minimized Testcase (1.98 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96oigdvRdmkiHj9K6p_4_Ex2YDfjbEVC5uWqlijAZ1wIYfStqeYNxMVt4XPVe_vW1KqjFJoNPzzx3m27zaaPilJ8Scgh6SSZj0ZPpsHYbNwjJyuHoMQQcM4MA2t1Z7VxZmmzcqVkKKSgrk75LQvK_vhU6zgog?testcase_id=4740881452367872

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 20 2016

ClusterFuzz has detected this issue as fixed in range 426217:426270.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6164959379849216
Fuzzer: libfuzzer_radamsa_stylesheet_contents_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e9000071ab
Crash State:
  url::UIDNAWrapper::UIDNAWrapper
  base::DefaultLazyInstanceTraits<url::UIDNAWrapper>::New
  base::internal::LeakyLazyInstanceTraits<url::UIDNAWrapper>::New

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=423381:423433
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=426217:426270
Minimized Testcase (1.73 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94nFQ8Du_BYurHYg9OkONC00Z6E5XMx7bqVRgX92Re2jn6SnIt4pHc8AeYnDcS_ytio2CWLfoAfjVn-wiv6u6OOEKTaKrozxyrTzyVpBm6PWZvItHB3ucmV7Q71oAyVcQcyYeby62GVf3yPtGZLfJTRIEShaA?testcase_id=6164959379849216

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Sep 7 2016
Components: Internals>Preload
Owner: csharrison@chromium.org