Use-of-uninitialized-value in test_runner::MockWebSpeechRecognizer::PostRunTaskFromQueue
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5828443105394688
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  test_runner::MockWebSpeechRecognizer::PostRunTaskFromQueue
  base::debug::TaskAnnotator::RunTask
  blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue
Recommended Security Severity: Low
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=420048:420163
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95ati8PZBuA9KC_Ne8YZU2MnLJnLY_PpELksRCn6gCUx8JhLdZFBfQ53DZGMRlLy4iHG5UuiiHeUGYJcIU2wGpdSYHKICOZTKBNiWNChbsfI9sqqSwgPqOTo48GL6hSEtuo-uUfau95mPASniEatdL3Heh4yQ?testcase_id=5828443105394688
Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 22 2016
@tzik: Can you please take a look? https://chromium.googlesource.com/chromium/src/+/5f3ffb296e91d9616af89883b9d64bfa1be60b34%5E%21/#F4 appears to have changed code in this area within the regression range.
Sep 22 2016
Sep 23 2016
It's not related to my change, since it's reproducible even after my CL is reverted. This is due to a null MockWebSpeechRecognizer::handle_. It is set by MockWebSpeechRecognizer::start() and cleared by EndedTask::run(), which is posted by MWSR::start(). So, if another start() is called while a task is in flight, the latter task may touch a null MWSR::handle_ in its run() after the former EndedTask::run() has clobbered it.
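The race described in comment #4, as an added example that is not Chromium's code: a stand-in recognizer with a FIFO task queue, where the racy version clears the single handle_ in the first EndedTask so the second task then finds it null, beside a variant in which each task acts only on the handle it was posted for. Recognizer, Handle, RunScenario and the queue are constructed for this illustration, and the fixed variant is one possible remedy, not necessarily the one taken in the linked CL.

```cpp
#include <deque>
#include <functional>
#include <utility>

// Constructed stand-in for the Blink task queue: tasks run FIFO once the
// caller pumps the loop, i.e. after every start() in the scenario has been made.
using TaskQueue = std::deque<std::function<void()>>;

struct Handle { int id; };  // opaque client handle, constructed for this example
// Recognizer with a single current handle_, modelled on comment #4.
// fixed == false reproduces the race; fixed == true makes each EndedTask act
// only on the handle it was posted for and ignore a superseded one.
class Recognizer {
 public:
  Recognizer(TaskQueue* queue, bool fixed) : queue_(queue), fixed_(fixed) {}
  void start(Handle* handle) {
    handle_ = handle;
    // EndedTask: dispatch the "ended" event, then clear the handle.
    queue_->push_back([this, handle] { RunEndedTask(handle); });
  }
  int null_touches() const { return null_touches_; }
  int ended_events() const { return ended_events_; }

 private:
  void RunEndedTask(Handle* posted_for) {
    if (fixed_ && handle_ != posted_for) return;  // a later start() owns handle_ now
    if (handle_ == nullptr) { ++null_touches_; return; }  // where the real code read null
    ++ended_events_;  // the client would be notified through handle_ here
    handle_ = nullptr;
  }

  TaskQueue* queue_;
  bool fixed_;
  Handle* handle_ = nullptr;
  int null_touches_ = 0;
  int ended_events_ = 0;
};

// Two start() calls before the queue drains. Returns {tasks that saw a null
// handle_, ended events delivered}: {1, 1} for the racy version, {0, 1} when fixed.
std::pair<int, int> RunScenario(bool fixed) {
  TaskQueue queue;
  Recognizer recognizer(&queue, fixed);
  Handle h1{1}, h2{2};
  recognizer.start(&h1);
  recognizer.start(&h2);
  while (!queue.empty()) { auto task = std::move(queue.front()); queue.pop_front(); task(); }
  return {recognizer.null_touches(), recognizer.ended_events()};
}
```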
Oct 25 2016
Dec 1 2016
https://codereview.chromium.org/2525933002/ avoids the problem in #c4.
Dec 14 2016
Dec 14 2016
Marking as fixed/wfm per #6.
Dec 14 2016
Mar 3 2017
ClusterFuzz has detected this issue as fixed in range 454456:454459.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5828443105394688
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  test_runner::MockWebSpeechRecognizer::PostRunTaskFromQueue
  base::debug::TaskAnnotator::RunTask
  blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue
Sanitizer: memory (MSAN)
Recommended Security Severity: Low
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=420048:420163
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=454456:454459
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95ati8PZBuA9KC_Ne8YZU2MnLJnLY_PpELksRCn6gCUx8JhLdZFBfQ53DZGMRlLy4iHG5UuiiHeUGYJcIU2wGpdSYHKICOZTKBNiWNChbsfI9sqqSwgPqOTo48GL6hSEtuo-uUfau95mPASniEatdL3Heh4yQ?testcase_id=5828443105394688
Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 22 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by sheriffbot@chromium.org, Sep 22 2016