New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 697421 link

Starred by 1 user
Status: Verified
Owner:
lfg@chromium.org
Closed: Mar 2017
Cc:
msrchandra@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug



Sign in to add a comment

Crash in blink::WebLocalFrameImpl::frameWidget

Project Member Reported by ClusterFuzz, Mar 1 2017

Comment 1 by msrchandra@chromium.org, Mar 1 2017

Cc: msrchandra@chromium.org
Labels: Test-Predator-Correct-CLs M-58
Owner: lfg@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: lfg
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/9b5618b8aa52feeccbb3203046b56b8e75d9423a
Time: Wed Feb 15 20:43:37 2017
File WebViewImpl.cpp is changed in this cl (and is part of stack frame #1, "blink::WebViewImpl::didNotAcquirePointerLock")
Minimum distance from crash line to modified line: 5. (file: WebViewImpl.cpp, crashed on: 2539, modified: 2534).

@lfg -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by lfg@chromium.org, Mar 1 2017

Labels: OS-Mac OS-Windows
Status: Started (was: Assigned)
Project Member

Comment 3 by bugdroid1@chromium.org, Mar 7 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4d8296ca0eee12ba5876ea0cafde76e0f8359981

commit 4d8296ca0eee12ba5876ea0cafde76e0f8359981
Author: lfg <lfg@chromium.org>
Date: Tue Mar 07 03:04:12 2017

Fix crash when de-referencing the WebFrameWidget.

This change adds a null check before de-referencing the main frame. This
fixes a race where the main frame is swapped while there is a in-flight
request to lock the mouse.

BUG= 697421 

Review-Url: https://codereview.chromium.org/2728683007
Cr-Commit-Position: refs/heads/master@{#455027}

[modify] https://crrev.com/4d8296ca0eee12ba5876ea0cafde76e0f8359981/third_party/WebKit/Source/web/WebViewImpl.cpp
Project Member

Comment 4 by ClusterFuzz, Mar 8 2017 

ClusterFuzz has detected this issue as fixed in range 454873:455055.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6681371138588672

Fuzzer: marcin_towalski_cm
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000068
Crash State:
  blink::WebLocalFrameImpl::frameWidget
  blink::WebViewImpl::didNotAcquirePointerLock
  content::RenderWidgetMouseLockDispatcher::OnLockMouseACK
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=450720:450815
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=454873:455055

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv9631StbL--YsL6l07YjcWtph3pMFEOpVZgdnbLPLie45nROgN5zV4OFc_ppcmyGK4K2Td8xbxPBN5ZZUdyItIe20E80o6qpTcr-y_XfDqbMxqeALvNdmGew65OyA100pOEzMnSW5YWzwctm_q38UFtoHjEjMgPKR7fkoMhc6FTjS8FonmuqISB8wieExD3rfLikm427HtWzoEtjQFVW1xP9kNf9uJgmB4B7S-RpjootouyOO3LmqcQTiNcaNaejBV5lr_o5wnqNHqE3lnoxsExPeG6MzvTrYWTzsXlUBr58VRbXT-J9hUcq66DTkpzdvpKO0vAnOE15hey10W-T7D-iZA57zIaCM9kxnl7VL6ngg0b2SHk?testcase_id=6681371138588672


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, Mar 8 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 6681371138588672 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment