
Issue 703635


Issue metadata

Status: Verified
Owner:
Closed: Apr 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug




Crash in blink::LocalFrame::document

Project Member Reported by ClusterFuzz, Mar 21 2017

Issue description

Cc: msrchandra@chromium.org
Labels: Test-Predator-Correct-CLs M-59
Owner: sunjian@chromium.org
Status: Assigned (was: Untriaged)
Assigning to concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: sunjian
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/36d0286404018e441692f66d1289f33ff33a05d1
Time: Fri Mar 17 20:11:49 2017
Lines 86-129 of file PerformanceNavigationTiming.cpp which potentially caused crash are changed in this cl (frame #3, "getAllowRedirectDetails"; frame #4, "blink::PerformanceNavigationTiming::unloadEventStart").
Minimum distance from crash line to modified line: 0. (file: PerformanceNavigationTiming.cpp, crashed on: 128, modified: 128).

@sunjian -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Project Member Comment 2 by ClusterFuzz, Apr 9 2017

ClusterFuzz has detected this issue as fixed in range 458746:463137.

Detailed report: https://clusterfuzz.com/testcase?key=5481860651286528

Fuzzer: lcamtuf_cross_fuzz
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000038
Crash State:
  blink::LocalFrame::document
  blink::PerformanceNavigationTiming::unloadEventStart
  blink::V8PerformanceNavigationTiming::unloadEventStartAttributeGetterCallback
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=457847:457874
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=458746:463137

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97_p7aTwwzyaWumnNpqHG_wL607iv0yVUgVGzRhm8yKxt7HSRmAnKOg744hlZPQydXNXERNzfeYyN0lixkYPALEOEJ6m4-2r91H4KueObCEC2vb3deh8naNxybvDPqzAegShvQHfhWmLJdJF3Yjmk5Y01WLpty26lboB8H9Tq3MpdS3hxWcxyCRTC2z3BO1ST7ZKwqdFir9Dzjq916-5oUt_bfYP_ZSh-ulp9jTvYik88eva75op7WMnAYoeKcy9EawgJX0MxYO4iME3PdVSwuG1W8ZLUWm4l8UiQMR63QSkYFUgAEOp80PNEcR2AG3gDLdxuWj7xskNlVnDrM5-uBcQlCBxgLYzKKf6SdMHjqnC3OSU1QZJGU_85VFA--ibBybfJsUYl3KfEA5tZGNiNs9ymjUag?testcase_id=5481860651286528


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 3 by ClusterFuzz, Apr 9 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5481860651286528 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
