Issue metadata
Use-after-poison in virtual thunk to blink::Document::isHeapObjectAlive
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5682495502942208

Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Use-after-poison READ 4
Crash Address: 0x51ae1a68
Crash State:
  virtual thunk to blink::Document::isHeapObjectAlive
  blink::ObjectAliveTrait<blink::ExecutionContext, true>::isHeapObjectAlive
  bool blink::ThreadHeap::isHeapObjectAlive<blink::ExecutionContext>

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=411921:411923

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv947KX5eY0qvLf0xx3316cAhqpmOwnqRXzuO1qO2q8axWny6tXrROCuN-T5B1mjjBMyW43RlCUaykqeixCHACxzctnSQAOnXs_iqTcJOTB8WIzArHwWyWLvF7PEyszUPTm91ikgUFXediT9Jj6soSnD-dVlO8g?testcase_id=5682495502942208

Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 18 2016

Oct 18 2016

Oct 26 2016
ClusterFuzz has detected this issue as fixed in range 426422:426435.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5682495502942208

Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Use-after-poison READ 4
Crash Address: 0x51ae1a68
Crash State:
  virtual thunk to blink::Document::isHeapObjectAlive
  blink::ObjectAliveTrait<blink::ExecutionContext, true>::isHeapObjectAlive
  bool blink::ThreadHeap::isHeapObjectAlive<blink::ExecutionContext>

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=411921:411923
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=426422:426435

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv947KX5eY0qvLf0xx3316cAhqpmOwnqRXzuO1qO2q8axWny6tXrROCuN-T5B1mjjBMyW43RlCUaykqeixCHACxzctnSQAOnXs_iqTcJOTB8WIzArHwWyWLvF7PEyszUPTm91ikgUFXediT9Jj6soSnD-dVlO8g?testcase_id=5682495502942208

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Oct 26 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 26 2016

Oct 28 2016

Oct 29 2016
Your change meets the bar and is auto-approved for M55 (branch: 2883)
Oct 31 2016
**** Bulk edit - please ignore if not applicable **** Please merge your change to M55 branch 2883 today before 5:00 PM PT or latest by tomorrow, Tuesday (11/01/16) 4:00 PM PT so we can take it for this week Beta release.
Oct 31 2016
I don't see any cl here. Is there a merge needed? If not, please remove "Merge-Approved-55" label. Thank you.
Nov 1 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 1 2016
Removing merge approved until we work out what to merge.
Jan 2 2017

Jan 24 2017

Feb 1 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Oct 18 2016
Labels: Pri-1
Owner: tzik@chromium.org
Status: Available (was: Untriaged)