
Issue 676843

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocked on:
issue 717559




Crash in ash::GetCenterOfDisplayForView

Project Member Reported by ClusterFuzz, Dec 23 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5260606732238848

Fuzzer: ochang_search_index_mutator
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  ash::GetCenterOfDisplayForView
  ash::AppListPresenterDelegate::Init
  app_list::AppListPresenterImpl::Show
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=439820:440026

Minimized Testcase (1205.83 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94MRKt9Lfk9X2QkIFT95KLFs1ZU3dMU-jVGgR2mRM4IBl0KRqSdlbHrSpXYsOeqPdKLg-oncpPXSNBu1d0Ci2yV9iesmz7roy_KZ28zUXOyuiTq4I5yaFsuu725lw2pW_4cWtUbhdETAYok9AHhwU8OEcTIxDtSGzB0bo4wbnkEzIszgrM?testcase_id=5260606732238848

Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Labels: Test-Predator-Correct-CLs
Owner: jamescook@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concerned owner from Findit results:
The result is a list of CLs that change the crashed files.

Author: jamescook
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/7f99e933e595824281102ff6737075dccbbc4d5c
Time: Tue Dec 20 18:10:35 2016
File wm_shell.cc is changed in this CL (and is part of stack frame #3, "ash::WmShell::ToggleAppList").
Minimum distance from crash line to modified line: 19. (file: wm_shell.cc, crashed on: 397, modified: 416).

@jamescook -- Could you please look into the issue, and kindly re-assign if it is not related to your changes.
Thank you.
Cc: msw@chromium.org
Status: Started (was: Assigned)
+msw since your CL touches AppListPresenterDelegate

I suspect this is due to the shelf being created asynchronously during login after my CL. The repro case involves pressing the "super" key, which is the Windows key, which is the search key on chromeos, which spawns the app list.

I'm guessing that clusterfuzz is injecting the keystroke before the shelf is constructed, so the applist tries to look up the app list button in the shelf, gets null, and we get this crash.

Note to other readers: The "testcase" above is a pornographic video. View at your own risk.

Project Member

Comment 3 by ClusterFuzz, Jan 5 2017

ClusterFuzz has detected this issue as fixed in range 441432:441510.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5260606732238848

Fuzzer: ochang_search_index_mutator
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  ash::GetCenterOfDisplayForView
  ash::AppListPresenterDelegate::Init
  app_list::AppListPresenterImpl::Show
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=439820:440026
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=441432:441510

Minimized Testcase (1205.83 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94MRKt9Lfk9X2QkIFT95KLFs1ZU3dMU-jVGgR2mRM4IBl0KRqSdlbHrSpXYsOeqPdKLg-oncpPXSNBu1d0Ci2yV9iesmz7roy_KZ28zUXOyuiTq4I5yaFsuu725lw2pW_4cWtUbhdETAYok9AHhwU8OEcTIxDtSGzB0bo4wbnkEzIszgrM?testcase_id=5260606732238848

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member

Comment 4 by ClusterFuzz, Jan 5 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5260606732238848 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: ClusterFuzz-Wrong
Status: Started (was: Verified)
I still think this is a legitimate issue.

Project Member

Comment 6 by bugdroid1@chromium.org, Jan 5 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/64a56f0578be10ab62cdb66cbbbf62d5f306b489

commit 64a56f0578be10ab62cdb66cbbbf62d5f306b489
Author: jamescook <jamescook@chromium.org>
Date: Thu Jan 05 16:39:27 2017

cros: Fix clusterfuzz crash when spawning app list very early in startup

The app list relies on the shelf being created for positioning. If a test
injects a search-key-press event as the very first event processed by the
message loop then the app list code that relies on the shelf may crash.

It's theoretically possible a user could hit the search key after login but
before the window manager has created the shelf. Don't rely on the existence
of the shelf app list button to init the app list.

BUG=676843
TEST=none

Review-Url: https://codereview.chromium.org/2615743002
Cr-Commit-Position: refs/heads/master@{#441673}

[modify] https://crrev.com/64a56f0578be10ab62cdb66cbbbf62d5f306b489/ash/app_list/app_list_presenter_delegate.cc

Status: Fixed (was: Started)

Project Member

Comment 8 by ClusterFuzz, Jan 6 2017

ClusterFuzz has detected this issue as fixed in range 441432:441510.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5260606732238848

Fuzzer: ochang_search_index_mutator
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  ash::GetCenterOfDisplayForView
  ash::AppListPresenterDelegate::Init
  app_list::AppListPresenterImpl::Show
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=439820:440026
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=441432:441510

Minimized Testcase (1205.83 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96fUL-V8s_yInPDYDzutVQeWK8cjtPMilvXkCUTnnf_EDvmYqtmSPK6HZ-7TDbDtXL_hq1cB7R-5YBQEm-ix3W-aHRGi8R-N1QjpCQHrRJpLB1twTFbFV27u2q5iV49tiC7q27cYmV2fVo33w4Nkt203rsUfnjjMQ1lRbjXTpnURoQwKQe-EphKnG_q3xmg03piwEXoCUuk5gFG69CQX1_Ua5dge_mmqJ2IyE49pRJTwXxADaqFvv_IrwHMJ7wMj9InugPJnpKge1xAItltFrfbGVKynHLoqQNImGaBdoKjOHkNEIkOV0CUzZlnnEBkuJ2bFNF3rivWK3iF_xTglQI2S7RPl5_RawGBKMsb7SWfoEjLEiF4g4UvU6J-7B8RcjPaRaY9paG8pU9FiLca9B4nStOZJQ?testcase_id=5260606732238848

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Blockedon: 717559
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
