Crash in blink::LinkLoader::loadLink |
|||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6036611474391040 Fuzzer: ifratric-browserfuzzer-v3 Job Type: mac_asan_chrome Platform Id: mac Crash Type: UNKNOWN READ Crash Address: 0x000000000058 Crash State: blink::LinkLoader::loadLink blink::HTMLLinkElement::loadLink blink::LinkStyle::process Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=404895:404947 Minimized Testcase (1.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97pKvII9ijob1aihYRu62D5kTsVcQpEeP5nwkdHSLZma9DC5h_luxd2hfBlV0QJOQoWbjp9b70T8ZRXl8OGX4vlGhOdacyWloXmuwNdn06Bce3Ch8ZyxwJb3SNdO_2JZRvz7H1G-blGXUHShBZq5Mg0Q8a8fw?testcase_id=6036611474391040 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Dec 22 2016
Assigning to the concern owner from CL -- https://chromium.googlesource.com/chromium/src/+log/5ec6b59e8d82e1f47eee4108898ad63fb783686f..f8e016bfad2544663aab1bdcccd652477cbfbfe2?pretty=fuller Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/97c9fecf4a50dd69ccf162aa1c75c7f40cdbbf58 @kinuko -- Could you please look into the issue, kindly re-assign if this is not related to your changes. Thank You.
,
Dec 27 2016
I don't think my change is relevant, and I can't repro this on my Mac. Can't find similar crash after M55 on Mac either on crash reports (have some crashes for LinkLoader::linkLoad on Android though slightly look different / can't get super helpful stack)... lowering the priority for now until we start to see more reports.
,
Jan 19 2017
This snaps Chrome Linux 55.0.2883.87 (Official Build) (64-bit) so if you couldn't reproduce it with an ASAN build it's probably fixed. The funny thing is, I can reproduce this at r444673 which is quite recent: Received signal 11 SEGV_MAPERR 000000000068 #0 0x7f1aac471b1e base::debug::StackTrace::StackTrace() #1 0x7f1aac47165f base::debug::(anonymous namespace)::StackDumpSignalHandler() #2 0x7f1aac8e0330 <unknown> #3 0x7f1a9c21498c WTF::VectorBufferBase<>::buffer() #4 0x7f1a9c2178c5 WTF::Vector<>::data() #5 0x7f1a9c23d7d9 WTF::operator==() #6 0x7f1a9c68370d WTF::operator!=() #7 0x7f1a9c68e492 blink::operator!=() #8 0x7f1a931e9665 blink::LinkLoader::loadLink() #9 0x7f1a92a88a53 blink::HTMLLinkElement::loadLink() #10 0x7f1a92b1f0d8 blink::LinkStyle::process() #11 0x7f1a92a887f1 blink::HTMLLinkElement::process() #12 0x7f1a92a884b8 blink::HTMLLinkElement::parseAttribute() #13 0x7f1a924d6193 blink::Element::attributeChanged() #14 0x7f1a92a38957 blink::HTMLElement::attributeChanged() #15 0x7f1a924de1a3 blink::Element::didAddAttribute() #16 0x7f1a924de0e5 blink::Element::appendAttributeInternal() #17 0x7f1a924e7556 blink::Element::setAttributeInternal() #18 0x7f1a924d166a blink::Element::setAttribute() #19 0x7f1a938bab22 blink::HTMLLinkElementV8Internal::typeAttributeSetter() #20 0x7f1a938baa20 blink::HTMLLinkElementV8Internal::typeAttributeSetterCallback() #21 0x7f1aa034bafb v8::internal::FunctionCallbackArguments::Call() #22 0x7f1aa041a713 v8::internal::(anonymous namespace)::HandleApiCallHelper<>() #23 0x7f1aa0419813 v8::internal::Builtins::InvokeApiFunction() #24 0x7f1aa097ae2c v8::internal::Object::SetPropertyWithAccessor() #25 0x7f1aa099038b v8::internal::Object::SetPropertyInternal() #26 0x7f1aa0990066 v8::internal::Object::SetProperty() #27 0x7f1aa08ba0b6 v8::internal::StoreIC::Store() #28 0x7f1aa08c15dc v8::internal::__RT_impl_Runtime_StoreIC_Miss() #29 0x04219308426e <unknown> r8: 0000000000000000 r9: 00007ffd926c4758 r10: 0000000000000000 r11: 00007ffd926c4547 r12: 0000000000000000 r13: 00007ffd926c4ed8 r14: 0000000000000000 r15: 00007f1a938ba870 di: 0000000000000068 si: 00007ffd926c4738 bp: 00007ffd926c4400 bx: 0000000000000000 dx: 0f478820a2e25600 ax: 00007ffd926c4738 cx: 0f478820a2e25601 sp: 00007ffd926c4400 ip: 00007f1a9c21498c efl: 0000000000010202 cgf: 0000000000000033 erf: 0000000000000004 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000068 [end of stack trace] This should be an easy bisect and to track down null deref.
,
Jan 25 2017
dominicc@: Could you please help with any test file to repro and bisect this manually on Official Chrome builds.
,
Jan 25 2017
Turns out this repro has been crashing since ancient times, at least as far back as r326929 but probably earlier. I did not verify it's exactly the same reason. Bisect is probably not that useful with this bug, we should just fix it.
,
May 27 2017
ClusterFuzz has detected this issue as fixed in range 474922:474938. Detailed report: https://clusterfuzz.com/testcase?key=6036611474391040 Fuzzer: ifratric-browserfuzzer-v3 Job Type: mac_asan_chrome Platform Id: mac Crash Type: Null-dereference READ Crash Address: 0x000000000068 Crash State: blink::LinkLoader::LoadLink blink::HTMLLinkElement::LoadLink blink::LinkStyle::Process Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=404895:404947 Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=474922:474938 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6036611474391040 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 27 2017
ClusterFuzz testcase 6036611474391040 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by patricia...@chromium.org
, Dec 19 2016