Crash in blink::ExecutionContext::contentSecurityPolicy
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5406861978501120
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::ExecutionContext::contentSecurityPolicy
  blink::FetchManager::Loader::start
  blink::FetchManager::fetch
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=441432:441510
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96vb0uQrdZN4PSrkJez6KXdoxAeZTGk48GBsESt4UlLYFP91AZNeOiyxfKGA6_BKsHk2tg4a3HyaQY322shLjfwpMywI98cd4qtsb3vGskvXQoDB631xNtQCt1cBczQ2RJPEEJqGkY0rTD_HbdQwjbgdDxoV1rWYuubHC8aJ-bGKoPQZ2UdGZMBZoDEKTMbk_JBtteDheu9pKf1T6fAitRRA3l5_zBHo_gl-D95JIy4GsM2wDzenc1WcL8rTXyrKpp7DhZfqCjaCN4xH1NNHyXZAeBWKc9Qn7woljmK5HTHWjfUfv8Km6dG5woJpGWPoiKhxWJfl-CRYZx5T3-awK9q2tdAesT_ZC_yVRLJ_tC3pMDRqU4?testcase_id=5406861978501120

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sigbjo...@opera.com, Jan 6 2017
It doesn't match ClusterFuzz's reported regression range, so I should be careful about claiming... but I reckon this is due to https://codereview.chromium.org/2557023002 -- trying to fetch() on a manager without an ExecutionContext.
Jan 8 2017
If https://codereview.chromium.org/2557023002 is the culprit, it means that scriptState->contextIsValid() is not enough to prevent FetchManager from accessing a detached ExecutionContext. I agree that there's some subtle difference between when scriptState->contextIsValid() starts returning false and when the ExecutionContext gets detached, but I'll be a bit surprised if the difference causes this kind of bug. Let me take a closer look on Tuesday.
Jan 8 2017
Was it understood why https://codereview.chromium.org/1924193002 was needed? No discussion on the bug nor review, hence the question.
Jan 12 2017
I remember https://codereview.chromium.org/1897783002/ is related.
Jan 13 2017
ClusterFuzz has detected this issue as fixed in range 443258:443393.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5406861978501120
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::ExecutionContext::contentSecurityPolicy
  blink::FetchManager::Loader::start
  blink::FetchManager::fetch
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=441432:441510
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=443258:443393
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96vb0uQrdZN4PSrkJez6KXdoxAeZTGk48GBsESt4UlLYFP91AZNeOiyxfKGA6_BKsHk2tg4a3HyaQY322shLjfwpMywI98cd4qtsb3vGskvXQoDB631xNtQCt1cBczQ2RJPEEJqGkY0rTD_HbdQwjbgdDxoV1rWYuubHC8aJ-bGKoPQZ2UdGZMBZoDEKTMbk_JBtteDheu9pKf1T6fAitRRA3l5_zBHo_gl-D95JIy4GsM2wDzenc1WcL8rTXyrKpp7DhZfqCjaCN4xH1NNHyXZAeBWKc9Qn7woljmK5HTHWjfUfv8Km6dG5woJpGWPoiKhxWJfl-CRYZx5T3-awK9q2tdAesT_ZC_yVRLJ_tC3pMDRqU4?testcase_id=5406861978501120

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 13 2017
ClusterFuzz testcase 5406861978501120 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 13 2017
(I don't see what could explain such an improvement in that fix range.)
Jan 15 2017
Reported again (issue 681378), so the testcase is presumably unstable.