Author: joone.hur
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/df7f78e35f95dfae098dd6197b012e0506f68e0f
Time: Mon Oct 03 19:06:15 2016
Lines 172-181 of file select_file_dialog_impl_gtk2.cc which potentially caused crash are changed in this cl (frame #4, "libgtk2ui::SelectFileDialogImplGTK::SelectFileImpl").
Minimum distance from crash line to modified line: 0. (file: select_file_dialog_impl_gtk2.cc, crashed on: 172, modified: 172).

@joone.hur: Request you to please take a look into it. Please help us to reassign if not with respect to your change.

Thanks.!

Ok, I'm looking into this issue.

  // Disable input events handling in the host window to make this dialog modal.
  views::DesktopWindowTreeHostX11* host =
      views::DesktopWindowTreeHostX11::GetHostForXID(
      owning_window->GetHost()->GetAcceleratedWidget());

https://cs.chromium.org/chromium/src/chrome/browser/ui/libgtk2ui/select_file_dialog_impl_gtk2.cc?q=GetHostForXID&sq=package:chromium&dr=C&l=173

It looks like |host| can be null.
  

owning_window->GetHost() could return null so we need to check it.

Here is a CL: https://codereview.chromium.org/2398723002/

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/880dd7465806564cb4eac1cd4725a84cc6f817b6

commit 880dd7465806564cb4eac1cd4725a84cc6f817b6
Author: joone.hur <joone.hur@intel.com>
Date: Wed Oct 05 20:14:01 2016

Fix crash in aura::Window::GetHost

|owning_window->GetHost()| could return null so we need to check it.

BUG= 653039 

Review-Url: https://codereview.chromium.org/2398723002
Cr-Commit-Position: refs/heads/master@{#423269}

[modify] https://crrev.com/880dd7465806564cb4eac1cd4725a84cc6f817b6/chrome/browser/ui/libgtk2ui/select_file_dialog_impl_gtk2.cc

ClusterFuzz has detected this issue as fixed in range 425052:425143.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4975066624557056

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000048
Crash State:
  aura::Window::GetHost
  libgtk2ui::SelectFileDialogImplGTK::SelectFileImpl
  ui::SelectFileDialog::SelectFile
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=422398:422488
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=425052:425143

Minimized Testcase (0.18 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv966x0Ll7YTXVD4E-Pm6QVg8TbS2r7l8wF7ddbxrqu09qiIR0aHlbgZ4GqkV0KOug9WbYIJAkaJ6_RpRAOrNgObli5vCkGfZVNH0vCUH2bG03BeKKwhSxThqFSWXEa-2EJgd2_k3UlZBmz_ZmTU1FIXiUk0v7A?testcase_id=4975066624557056
<a id="blob-url" download=""</a>
<script>

    var string = "test";
    var link = document.getElementById("blob-url");
    link.href = "tel:+1-816-555-1212";
    link.click();
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/880dd7465806564cb4eac1cd4725a84cc6f817b6

commit 880dd7465806564cb4eac1cd4725a84cc6f817b6
Author: joone.hur <joone.hur@intel.com>
Date: Wed Oct 05 20:14:01 2016

Fix crash in aura::Window::GetHost

|owning_window->GetHost()| could return null so we need to check it.

BUG= 653039 

Review-Url: https://codereview.chromium.org/2398723002
Cr-Commit-Position: refs/heads/master@{#423269}

[modify] https://crrev.com/880dd7465806564cb4eac1cd4725a84cc6f817b6/chrome/browser/ui/libgtk2ui/select_file_dialog_impl_gtk2.cc

[Automated comment] removing mislabelled merge-merged-2840

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot