Crash in chrome::GetURLAndTitleToBookmark
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6365606770376704
Fuzzer: cdiehl_dharma
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  chrome::GetURLAndTitleToBookmark
  chrome::BookmarkCurrentPageIgnoringExtensionOverrides
  BubbleIconView::OnKeyReleased
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=400445:400609
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv979Xf2umAkNsTnBm3gED7h21VkJNuaoxzeyZIM3qvm5FWOAHSLpayeQ8sgWtkc0wngrCgT-jS-zPMZz4jjtSJ1b5yBtssetVf6jEfJPkZA9ju2x4AyGLQ0Hk7FLiKp_qcr3EKWExxDZ6PS8s6rSqN4Y-FcZIKapoVds9ISX06q7LcmOvCGgVwjgXFrkuvykyTXcd2y9vvJgcPSsRKFny2wnTwH89Em3425u2Ab8jFvdzCjitcV2AYt09OMzLCenQbGW210yJIcaL0IFBoD7aC32_ipOUm3XcZjWUrrt31pG1yuNXYsIKdS54nOeYFO2B_UcBCmsSyEnQ6oPGAbaqsEdeYD29noHV8sJnb6w2xKrKCFbY5GrZ3mC0ur-sMsj4MnYN7y_oNxe9Yf9N6HXXs69k6fxFw?testcase_id=6365606770376704
Additional requirements: Requires Gestures

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Feb 7 2017
If I'm reading this stack right, the crash is an attempt to deref a null active WebContents, when bookmarking a page by hitting space on the star. The stack looks elided; I think it's omitting traversal through BrowserCommandController::ExecuteCommandWithDisposition(), which early-returns if (browser_->tab_strip_model()->active_index() == TabStripModel::kNoTab). This would mean the tab strip model has an active tab, but browser->tab_strip_model()->GetActiveWebContents() is null. That seems scary; I would hope there's no window of time where those are out of sync. Reassigning to sky who knows the tab strip model better than me to confirm whether this is possible during shutdown or something. I think if it is, and we make these be in sync, we fix this. Otherwise, we could bandaid, but it seems wrong.
,
Feb 8 2017
More specifically, I think the index of the active tab is out of sync with the model. There are some weird cases where this can happen (mostly reentrancy). I don't directly see that in the stack here, but it could be the fuzzer is doing something that triggers the reentrancy earlier on, and we're seeing the crash after the fact. The only thing I can think of is to add some CHECKs to isolate when this is happening.
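The two comments above describe the suspected state: the tab strip's active index is not kNoTab, yet the active WebContents pointer is null, so a command handler that only checks the index walks straight into a null dereference. The following is an added illustration, not Chromium code and not the project's TabStripModel: a toy strip whose tab-removed observer re-enters the strip, a repair step that uses a stale snapshot of the active index (a hypothetical reentrancy bug, chosen only to show the mechanism sky describes), the index-only guard pkasting describes, a handler hardened to check the pointer instead, and the consistency check a CHECK would enforce. All class, function and URL names are assumptions made for this example.

```cpp
#include <functional>
#include <string>
#include <vector>

// Hypothetical page contents; stands in for a WebContents.
struct WebContents {
  std::string url;
  std::string title;
};

// Toy tab strip (not Chromium's TabStripModel). The active index is kept
// separately from the tab list, which is what allows the two to disagree.
class TabStrip {
 public:
  static constexpr int kNoTab = -1;

  // Fired after a tab is erased; the callback may call back into the strip.
  std::function<void(TabStrip&, int)> on_tab_removed;

  void AddTab(const std::string& url, const std::string& title) {
    tabs_.push_back({url, title});
    if (active_ == kNoTab) active_ = 0;
  }

  void ActivateTab(int index) { active_ = index; }

  // Bug modelled here (hypothetical): the active index is repaired from a
  // snapshot taken before observers ran, so a re-entrant removal during the
  // notification leaves the repaired index pointing past the end of the list.
  void RemoveTab(int index) {
    const int old_active = active_;
    tabs_.erase(tabs_.begin() + index);
    if (on_tab_removed) on_tab_removed(*this, index);
    if (tabs_.empty()) {
      active_ = kNoTab;
    } else if (old_active == index) {
      active_ = index < Count() ? index : Count() - 1;
    } else if (old_active > index) {
      active_ = old_active - 1;  // not re-checked against the current size
    }
  }

  int Count() const { return static_cast<int>(tabs_.size()); }
  int active_index() const { return active_; }

  // Bounds-checked accessor: returns null when the index is out of range,
  // i.e. the "index says there is a tab, pointer says there is none" state.
  const WebContents* GetActiveWebContents() const {
    if (active_ < 0 || active_ >= Count()) return nullptr;
    return &tabs_[active_];
  }

 private:
  std::vector<WebContents> tabs_;
  int active_ = kNoTab;
};

// The guard the Feb 7 comment describes the command dispatcher applying:
// it consults the index only, so a stale index still admits the command.
bool IndexGuardAdmitsBookmark(const TabStrip& strip) {
  return strip.active_index() != TabStrip::kNoTab;
}

// Hardened handler: a null active WebContents means nothing to bookmark.
bool GetURLAndTitleToBookmark(const TabStrip& strip, std::string* url,
                              std::string* title) {
  const WebContents* contents = strip.GetActiveWebContents();
  if (contents == nullptr) return false;
  *url = contents->url;
  *title = contents->title;
  return true;
}

// The invariant a CHECK would enforce: index and pointer agree on "no tab".
bool ActiveTabInvariantHolds(const TabStrip& strip) {
  const bool index_says_none = strip.active_index() == TabStrip::kNoTab;
  const bool pointer_says_none = strip.GetActiveWebContents() == nullptr;
  return index_says_none == pointer_says_none;
}

// Constructed scenario: three tabs, the last one active; closing the first
// tab notifies an observer that re-entrantly closes another tab.
TabStrip BuildDesyncedStrip() {
  TabStrip strip;
  strip.AddTab("https://a.example/", "A");
  strip.AddTab("https://b.example/", "B");
  strip.AddTab("https://c.example/", "C");
  strip.ActivateTab(2);
  strip.on_tab_removed = [fired = 0](TabStrip& s, int) mutable {
    if (fired++ == 0) s.RemoveTab(1);  // re-enter exactly once
  };
  strip.RemoveTab(0);
  strip.on_tab_removed = nullptr;
  return strip;  // one tab left, active_index() == 1, active contents null
}

// Constructed control: the same kind of removal without re-entrancy stays
// consistent, so the index-only guard is sufficient there.
TabStrip BuildHealthyStrip() {
  TabStrip strip;
  strip.AddTab("https://a.example/", "A");
  strip.AddTab("https://b.example/", "B");
  strip.RemoveTab(0);
  return strip;
}
```

The point of the control case is that the index-only guard is not wrong in general; it is only wrong once something (here, reentrant removal) has broken the invariant, which is why a CHECK on ActiveTabInvariantHolds at the end of every mutation isolates the culprit far earlier than the crash in the bookmark path does.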
,
Feb 9 2017
ClusterFuzz has detected this issue as fixed in range 448982:449020.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6365606770376704
Fuzzer: cdiehl_dharma
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  chrome::GetURLAndTitleToBookmark
  chrome::BookmarkCurrentPageIgnoringExtensionOverrides
  BubbleIconView::OnKeyReleased
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=400445:400609
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=448982:449020
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv979Xf2umAkNsTnBm3gED7h21VkJNuaoxzeyZIM3qvm5FWOAHSLpayeQ8sgWtkc0wngrCgT-jS-zPMZz4jjtSJ1b5yBtssetVf6jEfJPkZA9ju2x4AyGLQ0Hk7FLiKp_qcr3EKWExxDZ6PS8s6rSqN4Y-FcZIKapoVds9ISX06q7LcmOvCGgVwjgXFrkuvykyTXcd2y9vvJgcPSsRKFny2wnTwH89Em3425u2Ab8jFvdzCjitcV2AYt09OMzLCenQbGW210yJIcaL0IFBoD7aC32_ipOUm3XcZjWUrrt31pG1yuNXYsIKdS54nOeYFO2B_UcBCmsSyEnQ6oPGAbaqsEdeYD29noHV8sJnb6w2xKrKCFbY5GrZ3mC0ur-sMsj4MnYN7y_oNxe9Yf9N6HXXs69k6fxFw?testcase_id=6365606770376704
Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Feb 9 2017
ClusterFuzz testcase 6365606770376704 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Feb 9 2017
There are a couple of quite old ClusterFuzz reports (540612). So, this isn't fixed.
,
Feb 9 2017
Issue 690398 has been merged into this issue.
,
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Comment 1 by nyerramilli@chromium.org, Feb 7 2017
Labels: -Type-Bug Test-Predator-Wrong-CLs M-56 Type-Bug-Regression
Owner: pkasting@chromium.org
Status: Assigned (was: Untriaged)