Crash in blink::SubframeLoadingDisabler::SubframeLoadingDisabler
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6573662926012416

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::SubframeLoadingDisabler::SubframeLoadingDisabler
  blink::LocalFrame::detach
  blink::Page::willBeDestroyed

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=438853:439220

Minimized Testcase (1.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96wRWvhizhdWpvouyOdQ0xg-QRTurpBWvgqmxr_Va7nfLMnyOABX8_Tvi-xQhFhpW4_B4CTQC7YEQRdoGMpulhSc7YilioESjOk5pF3mcPVFQtnwCafvdhtRbcXsLxwlSHdBuimZlE7UUdMSLVZqwgkfP1R_EuQ8rhoTq5RJ1iqdKSiV_A9BLpNipZcRTzaf5OmA872QIkdaOXo0Kvc4mN5UuUBLYmF3aEYNp9wc46w4qGugUlUAl65npx7WVLIAgMuE4NDQ9N6rwt0eoqO5PQ78RZzTy2d4fXDvDo9YLivKv2qUGWCSGVwBEeGYjtZjPjzTDgmLd2QI-e-8kQWmIqkRshai-hLMdSYxzHeuoKcmWTxYjE7fZVKh3LyyGcHVT5E2baBEd_-z9wYegwfzyRj5P3XKA?testcase_id=6573662926012416

Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sigbjo...@opera.com, Jan 1 2017
LSan-only shutdown issue. A (very) late-finalized ImageResourceContent object holding an SVGImage is finalized after all the static persistent roots have been released in ThreadState::cleanupMainThread(). This causes finalizers to touch a now-cleared Persistent<> (for a static global) and fail. My initial guess would be that the ImageResourceContent object (or something that refers to it) is kept alive by another static persistent and won't be finalized by the initial GC that's performed.
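The shutdown ordering described in the comment above, as an added toy model that is not Blink's code: a tracing heap with static Persistent<>-style root slots, an initial GC that leaves a rooted object alone, a release of the static roots, and then an extra GC whose late finalizer reads through one of the now-cleared slots. All names here (ModelHeap, StaticRoot, runShutdown, the "ImageResourceContent" and "static global" labels) are hypothetical stand-ins, and the finalizer reports the cleared slot instead of dereferencing address 0 so the model can run to completion.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Hypothetical model of static Persistent<> roots, a tracing GC that runs
// finalizers, and main-thread heap shutdown. Not Blink's implementation.

struct Node {
  std::string name;
  std::vector<Node*> refs;          // outgoing edges the GC traces
  std::function<bool()> finalizer;  // returns false if it saw a cleared root
  bool marked = false;
};

// A static Persistent<>: a root slot that is nulled when the thread state
// releases its static roots. Reading through it afterwards is the
// "UNKNOWN READ at 0x000000000000" shape in the ClusterFuzz report.
struct StaticRoot {
  Node* target = nullptr;
};

class ModelHeap {
 public:
  Node* allocate(const std::string& name) {
    objects_.push_back(std::make_unique<Node>());
    objects_.back()->name = name;
    return objects_.back().get();
  }
  StaticRoot* registerStaticRoot(Node* target) {
    roots_.push_back(std::make_unique<StaticRoot>());
    roots_.back()->target = target;
    return roots_.back().get();
  }
  // Mark from the live static roots, then sweep: every unmarked object is
  // finalized and freed. Returns how many finalizers hit a cleared root.
  int collect() {
    for (auto& o : objects_) o->marked = false;
    for (auto& r : roots_) if (r->target) mark(r->target);
    int badFinalizers = 0;
    std::vector<std::unique_ptr<Node>> survivors;
    for (auto& o : objects_) {
      if (o->marked) { survivors.push_back(std::move(o)); continue; }
      if (o->finalizer && !o->finalizer()) ++badFinalizers;
    }
    objects_ = std::move(survivors);
    return badFinalizers;
  }
  // What cleanupMainThread() does to the static Persistent<>s.
  void releaseStaticRoots() {
    for (auto& r : roots_) r->target = nullptr;
  }
 private:
  void mark(Node* n) {
    if (n->marked) return;
    n->marked = true;
    for (Node* c : n->refs) mark(c);
  }
  std::vector<std::unique_ptr<Node>> objects_;
  std::vector<std::unique_ptr<StaticRoot>> roots_;
};

// Runs the shutdown sequence with or without the extra GC after the roots
// are released. Returns the number of finalizers that ran against a
// cleared static Persistent<>.
int runShutdown(bool extraGcAfterRootsReleased) {
  ModelHeap heap;
  Node* cache = heap.allocate("static image cache");      // held by a static root
  Node* content = heap.allocate("ImageResourceContent");  // reachable only via cache
  Node* global = heap.allocate("static global");
  cache->refs.push_back(content);
  heap.registerStaticRoot(cache);
  StaticRoot* globalRoot = heap.registerStaticRoot(global);

  // The late finalizer reads the static global through its Persistent<>.
  content->finalizer = [globalRoot]() {
    return globalRoot->target != nullptr;  // false: would have read 0x0
  };

  int bad = heap.collect();   // initial GC: content is still rooted, not finalized
  heap.releaseStaticRoots();  // static Persistent<>s are cleared
  if (extraGcAfterRootsReleased)
    bad += heap.collect();    // content is now unreachable; its finalizer runs late
  return bad;
}
```

With the extra collection the one late finalizer observes a cleared root; dropping that collection, as the fix below does, means nothing is finalized after the roots are gone.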
Jan 2 2017
Jan 2 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c53d9f4af3d1f42cbf785ceab1139b61050f0e43

commit c53d9f4af3d1f42cbf785ceab1139b61050f0e43
Author: sigbjornf <sigbjornf@opera.com>
Date: Mon Jan 02 15:57:20 2017

No longer clean out main thread's heap for LSan's benefit.

The extra GCing that cleanupMainThread() does appears to be redundant, as LSan will have performed leak detection prior to the main thread shutting down.

R=
BUG=677684

Review-Url: https://codereview.chromium.org/2604413002
Cr-Commit-Position: refs/heads/master@{#441068}

[modify] https://crrev.com/c53d9f4af3d1f42cbf785ceab1139b61050f0e43/third_party/WebKit/Source/platform/heap/ThreadState.cpp
Jan 2 2017
Jan 3 2017
ClusterFuzz has detected this issue as fixed in range 441064:441076.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6573662926012416

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::SubframeLoadingDisabler::SubframeLoadingDisabler
  blink::LocalFrame::detach
  blink::Page::willBeDestroyed

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=438853:439220
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=441064:441076

Minimized Testcase (1.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96wRWvhizhdWpvouyOdQ0xg-QRTurpBWvgqmxr_Va7nfLMnyOABX8_Tvi-xQhFhpW4_B4CTQC7YEQRdoGMpulhSc7YilioESjOk5pF3mcPVFQtnwCafvdhtRbcXsLxwlSHdBuimZlE7UUdMSLVZqwgkfP1R_EuQ8rhoTq5RJ1iqdKSiV_A9BLpNipZcRTzaf5OmA872QIkdaOXo0Kvc4mN5UuUBLYmF3aEYNp9wc46w4qGugUlUAl65npx7WVLIAgMuE4NDQ9N6rwt0eoqO5PQ78RZzTy2d4fXDvDo9YLivKv2qUGWCSGVwBEeGYjtZjPjzTDgmLd2QI-e-8kQWmIqkRshai-hLMdSYxzHeuoKcmWTxYjE7fZVKh3LyyGcHVT5E2baBEd_-z9wYegwfzyRj5P3XKA?testcase_id=6573662926012416

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.