Issue 677586

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Crash in autofill::ContentAutofillDriver::TransformBoundingBoxToViewportCoordinates

Project Member Reported by ClusterFuzz, Dec 30 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5100704562937856

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  autofill::ContentAutofillDriver::TransformBoundingBoxToViewportCoordinates
  autofill::AutofillManager::OnQueryFormFieldAutofill
  autofill::mojom::AutofillDriverStubDispatch::Accept
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=438491:438528

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97wFR1dXCS0kW382NxCM3hcZXAEH-Z8vdYlSBZmR53TiQLHVfaQuLX78dogsSagCetRUdL9EpRaDK2THMFSaytatk2wK3Suz4FQ_zk4o9RDsrfPAKMi9LNIyYISoOGyxCIRi_txnKRr2EhmY3K16iVH8ulIjtQfV4t81PG9u0K9BoH4Bj-LxHaNoLARVu3NSRKEQwpftZmzf2G4duidnZ_mG04SrZBpO5KNUDsImhC20lSzN5ybum_D82gxalycYFAQexBeJzcW9JSRbqDcz1gCenHjVNjtmWEiIIN7UWsj_mF2tXteNt_9NtRcUf0016t7tjFaF50x_ZenC9HCH-SAmgivbRuGOB_7a2KTNOaDGYgdjmA?testcase_id=5100704562937856


Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Cc: msrchandra@chromium.org
Components: UI>Browser>Autofill
Labels: Test-Predator-Wrong-CLs
Owner: blundell@chromium.org
Status: Assigned (was: Untriaged)
Find it and CL did not provide any possible suspects.
Using Code Search for the file "content_autofill_driver.cc", assigning to the concerned owner.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/e0a9f158f10a9f5ee5d21d571518ff46929af89f

@blundell -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Cc: vabr@chromium.org blundell@chromium.org
Owner: ma...@chromium.org
It's not that CL (just a renaming CL). To mathp@ for triage.

Comment 3 by ma...@chromium.org, Jan 4 2017

Owner: kenrb@chromium.org
Assigning to kenrb@ who last touched (and added) the function.

Comment 4 by kenrb@chromium.org, Jan 4 2017

Cc: kenrb@chromium.org
Owner: lfg@chromium.org
The most likely CL responsible for the regression is https://chromium.googlesource.com/chromium/src/+/9431efdc7b0146ef74f75ce160f2ba343ca2d550.

lfg@: Your CL shouldn't have caused this, so there is probably a pre-existing underlying bug, but would you mind investigating?

Comment 5 by lfg@chromium.org, Jan 4 2017

Status: WontFix (was: Assigned)
I've looked into this today, and I'm unable to reproduce the crash. I've re-run the clusterfuzz task and it also can't reproduce it anymore.

Here's a summary of what I found:

The RenderWidgetHostView can be destroyed in 3 places:
1) RenderFrameHostManager::DiscardUnusedFrame
   - This can't be the source, since it shouldn't be possible to interact with the pending RFH, so that RFH's autofill agent can't be the one sending the message.
2) RenderFrameHostManager::CommitPending
   - Can't be this one either, since early in the function we call FrameTreeNode::ResetForNewProcess, which destroys the frame and the autofill driver.
3) RenderWidgetHost::OnRenderProcessGone
   - I don't think it's this one, as I wouldn't expect mojo to deliver messages after the render process is destroyed. Also, in this case, I would expect clusterfuzz to find an earlier renderer crash.

For now, I'll close this as WontFix.
Cc: -vabr@chromium.org
