Crash in content::RenderThreadImpl::GetAudioRendererMixerManager
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4609103047688192

Fuzzer: libfuzzer_renderer_tree_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000478
Crash State:
  content::RenderThreadImpl::GetAudioRendererMixerManager
  content::NewMixableSink
  content::AudioDeviceFactory::NewSwitchableAudioRendererSink

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=423381:423433

Minimized Testcase (0.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv978o_Hq-jMfps22aSg0XZCd6kfT1lpPcOe3BEZDtWUJcxASgf6Dw6u5e6nqlKP0BIUnSfddNbdz0u4XK1BhrCU8oJNumnh5foY-XlK022VDTCS_yH47V9RmagTttl27hAzb1H_-u7g69x1W7jPMxjF-tBoZMQ?testcase_id=4609103047688192

Issue manually filed by: mmohammad

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 31 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/64b9793077e8daf693a06eab4b98dc5a6374630d

commit 64b9793077e8daf693a06eab4b98dc5a6374630d
Author: olka <olka@chromium.org>
Date: Mon Oct 31 16:13:58 2016

Checking RendererThreadImpl for null when creating media player. Also adding CHECKs for it not being nullptr in AudioDeviceFactory.

RendererThreadImpl lives in TLS, and a call to lazy_tls.Pointer()->Get()::GetAudioRendererMixerManager() (https://cs.chromium.org/chromium/src/content/renderer/media/audio_device_factory.cc?dr=CSs&q=AudioDeviceFa&sq=package:chromium&l=76 , https://cs.chromium.org/chromium/src/content/renderer/render_thread_impl.cc?q=RenderThreadImpl::current&sq=package:chromium&dr=CSs&l=1575) ends up accessing |audio_renderer_mixer_manager_| of nullptr.

BUG=657167
TESTING=running failed clusterfuzz test locally: test passes after the fix.

Review-Url: https://codereview.chromium.org/2460303003
Cr-Commit-Position: refs/heads/master@{#428728}

[modify] https://crrev.com/64b9793077e8daf693a06eab4b98dc5a6374630d/content/renderer/media/audio_device_factory.cc
[modify] https://crrev.com/64b9793077e8daf693a06eab4b98dc5a6374630d/content/renderer/render_frame_impl.cc
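The mechanism the commit message describes, as an added example that is not Chromium's code: a per-thread slot holds the renderer-thread object, a factory dereferences whatever the slot returns, and on a thread that never published an instance the read lands at nullptr plus the field offset, which is why ASan reports a small "UNKNOWN READ" address such as 0x478. The struct layout, padding size, and function names are constructed for illustration; the checked factory returns nullptr where Chromium's fix uses a null test in the media-player path and CHECK() in AudioDeviceFactory.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <memory>

struct AudioRendererMixerManager {
  int sinks_created = 0;
};

// Stand-in for RenderThreadImpl. Standard-layout so offsetof is well defined.
// The padding is a constructed assumption, sized so the mixer-manager field
// sits at the same offset as the crash address reported on this bug (0x478).
struct RenderThreadImpl {
  unsigned char preceding_members[0x478];
  AudioRendererMixerManager audio_renderer_mixer_manager;

  AudioRendererMixerManager* GetAudioRendererMixerManager() {
    return &audio_renderer_mixer_manager;
  }
  static RenderThreadImpl* current();
};

// One slot per thread, like the lazy TLS pointer in the commit message. Only
// the renderer main thread publishes an instance; any other thread sees nullptr.
thread_local RenderThreadImpl* tls_current = nullptr;

RenderThreadImpl* RenderThreadImpl::current() { return tls_current; }

// Address a null current() would be read at: nullptr + field offset. This is
// the value ASan prints as "Crash Address" for this class of bug.
std::uintptr_t FaultAddressIfCurrentIsNull() {
  return static_cast<std::uintptr_t>(
      offsetof(RenderThreadImpl, audio_renderer_mixer_manager));
}

// Shape of the code before the fix: unconditional dereference of current().
// Invoking this on a thread with no RenderThreadImpl is the reported crash,
// so this example never calls it in that state.
AudioRendererMixerManager* NewMixableSinkUnchecked() {
  return RenderThreadImpl::current()->GetAudioRendererMixerManager();
}

// Shape of the code after the fix: test the TLS pointer before using it.
AudioRendererMixerManager* NewMixableSinkChecked() {
  RenderThreadImpl* render_thread = RenderThreadImpl::current();
  if (!render_thread) return nullptr;  // no renderer thread here: refuse
  AudioRendererMixerManager* manager =
      render_thread->GetAudioRendererMixerManager();
  ++manager->sinks_created;
  return manager;
}

// Simulates the fuzzer's situation: the slot holds nullptr, exactly what a
// thread that never published a RenderThreadImpl observes. True if refused.
bool CheckedFactoryRefusesWithoutRenderThread() {
  RenderThreadImpl* saved = tls_current;
  tls_current = nullptr;
  bool refused = (NewMixableSinkChecked() == nullptr);
  tls_current = saved;
  return refused;
}

// Publishes an instance in the slot, as the renderer main thread would, and
// returns how many sinks the manager recorded (expected 1).
int CheckedFactorySucceedsOnRenderThread() {
  auto render_thread = std::make_unique<RenderThreadImpl>();
  RenderThreadImpl* saved = tls_current;
  tls_current = render_thread.get();
  AudioRendererMixerManager* manager = NewMixableSinkChecked();
  int created = manager ? manager->sinks_created : -1;
  tls_current = saved;
  return created;
}

int main() {
  std::cout << "fault address if current() is null: 0x" << std::hex
            << FaultAddressIfCurrentIsNull() << std::dec << "\n"
            << "checked factory refuses without render thread: "
            << CheckedFactoryRefusesWithoutRenderThread() << "\n"
            << "sinks created on render thread: "
            << CheckedFactorySucceedsOnRenderThread() << "\n";
  return 0;
}
```

A crash address that is a small constant rather than a heap or stack pointer is the quickest triage signal for this pattern: it equals the offset of the member being read from a null base, so the fix is a null check or CHECK at the point where the thread-local is consumed, not in the accessor itself.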
Oct 31 2016
Nov 1 2016
ClusterFuzz has detected this issue as fixed in range 428710:428740.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4609103047688192

Fuzzer: libfuzzer_renderer_tree_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000478
Crash State:
  content::RenderThreadImpl::GetAudioRendererMixerManager
  content::NewMixableSink
  content::AudioDeviceFactory::NewSwitchableAudioRendererSink

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=423381:423433
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=428710:428740

Minimized Testcase (0.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv978o_Hq-jMfps22aSg0XZCd6kfT1lpPcOe3BEZDtWUJcxASgf6Dw6u5e6nqlKP0BIUnSfddNbdz0u4XK1BhrCU8oJNumnh5foY-XlK022VDTCS_yH47V9RmagTttl27hAzb1H_-u7g69x1W7jPMxjF-tBoZMQ?testcase_id=4609103047688192

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Oct 18 2016
Status: Assigned (was: Untriaged)