!m_client in DocumentThreadableLoader.cpp
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5292897929003008

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !m_client in DocumentThreadableLoader.cpp
  blink::DocumentThreadableLoader::~DocumentThreadableLoader
  blink::HeapObjectHeader::finalize

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=407057:407074

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9768v-jvMDEhqSgO18nUzDQrgN-hGcys2AqSLRgPoWBFAKK67r1tDEuZ8_TeShX0FRMKE8gTTnhjza4uu773PNxRhcAdcZO1HD9S6OOps7kEP1RWY-71J9kdDEzt7-0hHB6RK9y0OstH_C6bsyjFq1HPeIVlQ?testcase_id=5292897929003008

  <script>
  testRunner.waitUntilDone();
  gc();
  function __f_103() { __v_103.send(); }
  __v_103 = new XMLHttpRequest;
  __v_103.onloadstart = function() { __f_103() };
  __v_103.open("GET", true);
  __v_103.send();
  </script>

Issue manually filed by: ligimole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 3 2016
Findit did not provide any suspect; below is the information.

Suspected CLs: Findit failed to find any stack trace. Is it in a new format?

Assigning to the concern owner for the CL: https://chromium.googlesource.com/chromium/src/+log/4efe303049482f275e9fe76533db2e4fd7a5119a..56b1490f30437ec92df7897ee8e7a12a9ed98691?pretty=fuller

Suspecting Commit# 56b1490f30437ec92df7897ee8e7a12a9ed98691
Suspecting Review URL# https://codereview.chromium.org/2146403004

@yhirano -- Could you please look into the issue, and kindly re-assign if it is not related to your change. Thank you.
Nov 4 2016
According to the spec, send() in onloadstart must be rejected, because the send() flag is set: https://xhr.spec.whatwg.org/#dom-xmlhttprequest-send

> If the send() flag is set, throw an InvalidStateError exception.

But Blink's XHR doesn't implement the send() flag, and tries to start the XHR request, leading to a crash. I think this is an existing bug and can be fixed by setting the send() flag.
Nov 11 2016

Nov 14 2016
Nov 14 2016
Thanks!
Nov 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/78363083b0281dbc05ba3ce3c73eec1bf9dcc9b1

commit 78363083b0281dbc05ba3ce3c73eec1bf9dcc9b1
Author: sigbjornf <sigbjornf@opera.com>
Date: Tue Nov 15 08:58:33 2016

XMLHttpRequest: implement "send() flag" tracking and updating per spec.

The implementation has until now tracked/approximated the spec's "send() flag"[1] by checking if the XMLHttpRequest object had an active loader. That object does not have lifetime equal to what the spec requires for the "send() flag", nor is the loader set for sync XHR send()s. There's no good reason to hold out on tracking this flag per spec, so introduce it here.

[1] - https://xhr.spec.whatwg.org/#send-flag

R=yhirano
BUG= 649516

Review-Url: https://codereview.chromium.org/2496933002
Cr-Commit-Position: refs/heads/master@{#432148}

[add] https://crrev.com/78363083b0281dbc05ba3ce3c73eec1bf9dcc9b1/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/onloadstart-send.html
[add] https://crrev.com/78363083b0281dbc05ba3ce3c73eec1bf9dcc9b1/third_party/WebKit/LayoutTests/http/tests/xmlhttprequest/withCredentials-after-send.html
[modify] https://crrev.com/78363083b0281dbc05ba3ce3c73eec1bf9dcc9b1/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp
[modify] https://crrev.com/78363083b0281dbc05ba3ce3c73eec1bf9dcc9b1/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.h
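The send() flag behaviour discussed in the Nov 4 comment and in the commit message above, as an added example that is not Blink's code and not part of the bug thread. It models two ways of answering "is a send() in progress?": a dedicated flag set before loadstart is dispatched (what the spec requires), and the pre-fix approximation of treating "a loader object exists" as the flag, which is only true once the request has actually started, i.e. after loadstart has already run script. The class and field names (SpecFlagXhr, LoaderApproxXhr, requestsStarted, the /resource URL) are this example's own assumptions; nothing is fetched.

```javascript
// Added example, not Blink code: a minimal model of XMLHttpRequest's
// "send() flag" (https://xhr.spec.whatwg.org/#send-flag) next to the
// pre-fix approximation the commit message describes (treat "an active
// loader exists" as the flag). Class and field names are this example's
// own assumptions, not identifiers from XMLHttpRequest.cpp.

class InvalidStateError extends Error {
  constructor(message) {
    super(message);
    this.name = "InvalidStateError";
  }
}

// Spec-style model: the flag is its own piece of state, set in send()
// before any event is dispatched and cleared again by open().
class SpecFlagXhr {
  constructor() {
    this.opened = false;
    this.sendFlag = false;
    this.withCredentials = false;
    this.onloadstart = null;
    this.requestsStarted = 0; // how many network fetches this object began
  }
  open(method, url) {
    this.opened = true;
    this.sendFlag = false;
  }
  setWithCredentials(value) {
    // Spec: the withCredentials setter throws if the send() flag is set.
    if (this.sendFlag) throw new InvalidStateError("withCredentials: send() flag is set");
    this.withCredentials = value;
  }
  send() {
    if (!this.opened) throw new InvalidStateError("send(): state is not OPENED");
    if (this.sendFlag) throw new InvalidStateError("send(): send() flag is set");
    this.sendFlag = true;
    // For an async XHR, loadstart is fired synchronously from send(),
    // so page script can re-enter send() right here.
    if (this.onloadstart) this.onloadstart.call(this);
    this.requestsStarted += 1; // the real request start comes after loadstart
  }
}

// Approximation: "send() flag set" is read as "a loader object exists".
// The loader is only created when the request actually starts, which is
// after loadstart has already handed control to script.
class LoaderApproxXhr {
  constructor() {
    this.opened = false;
    this.loader = null;
    this.onloadstart = null;
    this.requestsStarted = 0;
  }
  open(method, url) {
    this.opened = true;
    this.loader = null;
  }
  send() {
    if (!this.opened) throw new InvalidStateError("send(): state is not OPENED");
    if (this.loader) throw new InvalidStateError("send(): send() flag is set");
    if (this.onloadstart) this.onloadstart.call(this);
    this.requestsStarted += 1;
    this.loader = { id: this.requestsStarted };
  }
}

// Replays the testcase's pattern (send() called from onloadstart) against
// one model. Returns the error name the inner send() raised, if any, and
// how many requests the single object ended up starting.
function reentrantSend(XhrModel) {
  const xhr = new XhrModel();
  let loadstarts = 0;
  let innerError = null;
  xhr.onloadstart = function () {
    if (loadstarts++ > 0) return; // only the first loadstart re-enters
    try {
      this.send();
    } catch (e) {
      innerError = e.name;
    }
  };
  xhr.open("GET", "/resource"); // constructed URL; nothing is fetched
  xhr.send();
  return { innerError, requestsStarted: xhr.requestsStarted };
}

// Second case covered by the fix's layout tests: withCredentials set after
// send(). Returns the error name, or null if the setter was allowed.
function withCredentialsAfterSend() {
  const xhr = new SpecFlagXhr();
  xhr.open("GET", "/resource");
  xhr.send();
  try {
    xhr.setWithCredentials(true);
    return null;
  } catch (e) {
    return e.name;
  }
}

console.log(reentrantSend(SpecFlagXhr));     // inner send() rejected, one request
console.log(reentrantSend(LoaderApproxXhr)); // inner send() allowed, two requests
console.log(withCredentialsAfterSend());
```

With the explicit flag the nested send() is rejected with InvalidStateError and the object starts exactly one request; with the loader-presence approximation the check passes because no loader exists yet while loadstart is running, so one XMLHttpRequest ends up starting two requests. The sync-send gap the commit message mentions is the same shape: a loader is never set for sync send(), so a presence check cannot represent the flag there either.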
Nov 15 2016
Nov 18 2016
ClusterFuzz has detected this issue as fixed in range 431896:432166.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5292897929003008

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !m_client in DocumentThreadableLoader.cpp
  blink::DocumentThreadableLoader::~DocumentThreadableLoader
  blink::HeapObjectHeader::finalize

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=407057:407074
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=431896:432166

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9768v-jvMDEhqSgO18nUzDQrgN-hGcys2AqSLRgPoWBFAKK67r1tDEuZ8_TeShX0FRMKE8gTTnhjza4uu773PNxRhcAdcZO1HD9S6OOps7kEP1RWY-71J9kdDEzt7-0hHB6RK9y0OstH_C6bsyjFq1HPeIVlQ?testcase_id=5292897929003008

  <script>
  testRunner.waitUntilDone();
  gc();
  function __f_103() { __v_103.send(); }
  __v_103 = new XMLHttpRequest;
  __v_103.onloadstart = function() { __f_103() };
  __v_103.open("GET", true);
  __v_103.send();
  </script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by hirosh...@chromium.org, Oct 6 2016