Direct-leak in blink::SourceLocation::create
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5635704232345600

Fuzzer: afl_content_security_policy_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Direct-leak
Crash Address:
Crash State:
  blink::SourceLocation::create
  blink::Document::addConsoleMessage
  blink::ContentSecurityPolicy::applyPolicySideEffectsToExecutionContext

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=442377:442447

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96vx-aDU_4T8-zWLHM1MqQRJ9ioNmI1tyn23I1xBqdesWg8_ZmTvafHR3HBcFrDZey3dH84v0qLUryhWqzviNXMnKrjOmzIsHFmZKuAYrGusZ0pGz_7tPFqaZB0zCAxSv5XrpJg_N_AxqaIyfUIjbscDs6GaPw9R-k9rv074YuQwwD-mjOpgRdKsEc5REALVGtgq_JwpFfGKV5tGpHgv7v1pjYSv4qtYxs-fDfYVWaE2gFGMuELVNBUKhlpDy_s3Q-7s4YLllIdlPjEMvnZSO0x33vxzdbtQ8kpLpEsB3_EwHSJpis-fYquD8WV_NwtknEc_xACNBfwNIcy1yynArbZes1nyhLJo7av9oOv4wzopCLgxxeCCa0bLiBa7Msf0taq3rg3avYXD0PRwGZxao03Q3MaIA?testcase_id=5635704232345600

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Mar 29 2017
Using Code Search for the file "SourceLocation.cpp", assigning to the concerned owner from GitBlame. Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/9d858647530db2c22e1267e443034d23f2e602d9%5E%21/third_party/WebKit/Source/bindings/core/v8/SourceLocation.cpp @lukasza -- Could you please look into the issue, and kindly re-assign if this is not related to your changes. Thank you.
Apr 27 2017
jbroman@ / mmoroz@ - I think this leak is an artifact of how the fuzzer runs. I am guessing that SourceLocation + ConsoleMessage are kept alive by |g_page_holder| from third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyFuzzer.cpp. Could you PTAL?
Apr 27 2017
Apr 28 2017
lukasza@, actually this seems fine to me, as LSAN doesn't report leaks in cases like that. The comment at https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyFuzzer.cpp?l=14 also confirms that it is intended. To be totally sure, I tried it with the following patch:

--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyFuzzer.cpp +++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyFuzzer.cpp @@ -17,11 +17,12 @@ DummyPageHolder* g_page_holder = nullptr; int LLVMFuzzerInitialize(int* argc, char*** argv) { InitializeBlinkFuzzTest(argc, argv); - g_page_holder = DummyPageHolder::Create().release(); +// g_page_holder = DummyPageHolder::Create().release(); return 0; } int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { + g_page_holder = DummyPageHolder::Create().release(); String header = String::FromUTF8(data, size); unsigned hash = header.IsNull() ? 0 : header.Impl()->GetHash(); @@ -41,6 +42,8 @@ int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { BlinkGC::kGCWithSweep, BlinkGC::kForcedGC); + delete g_page_holder; + return 0; }

And behavior didn't change. Also, the issue has been marked as non-reproducible ~2 weeks ago, so I think it would be fine to close it as unintended fix (probably):

[2017-04-13 08:39:24 UTC] clusterfuzz-linux-0266: Progression task errored out: Known crash revision 463938 did not crash.
[2017-04-13 08:39:25 UTC] clusterfuzz-linux-0266: Progression task errored out: Test case appears to be flaky.
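Review bot: In the first hunk, the `+// g_page_holder = DummyPageHolder::Create().release();` line leaves commented-out code behind in LLVMFuzzerInitialize. That is fine for a local experiment, but if this shape were kept, drop that line and the global with it: the holder is now only used inside LLVMFuzzerTestOneInput, so it can be a function-local `std::unique_ptr<DummyPageHolder>` taken from `DummyPageHolder::Create()` without the `.release()`, which also removes the need for the manual delete.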
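Review bot: In the second hunk, `delete g_page_holder;` runs only after the forced collection (`BlinkGC::kGCWithSweep, BlinkGC::kForcedGC`), so the Document and its ConsoleMessages are still reachable during that GC and whatever they own is not released until a later collection rather than within this iteration. Any return path between the creation at the top of LLVMFuzzerTestOneInput and this delete that the hunk does not show would also skip the delete. Destroying the holder before the forced GC, or scoping it in a std::unique_ptr inside the function, would make the per-input teardown complete.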
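The two lifecycles discussed above, as an added example that is not Chromium code: a miniature libFuzzer-style harness in which PageHolder, ConsoleMessage and SourceLocation are constructed stand-ins for DummyPageHolder and the Blink classes in the crash state. It shows messages accumulating behind the process-wide global holder (reachable, so not a Direct-leak for LSAN) next to the per-input create/delete shape of the patch.

```cpp
// Added illustration with constructed stand-ins; not code from the Chromium tree.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>
#include <vector>
// Stand-in for blink::SourceLocation: plain heap memory owned by a message.
struct SourceLocation { std::string url; unsigned line; };
// Stand-in for blink::ConsoleMessage; counts live instances so each step can be
// checked for what is still allocated.
struct ConsoleMessage {
  static int live;
  std::unique_ptr<SourceLocation> location;
  explicit ConsoleMessage(SourceLocation* loc) : location(loc) { ++live; }
  ~ConsoleMessage() { --live; }
};
int ConsoleMessage::live = 0;
// Stand-in for DummyPageHolder: its document retains every console message.
struct PageHolder {
  std::vector<std::unique_ptr<ConsoleMessage>> messages;
  void AddConsoleMessage(const std::string& url, unsigned line) {
    messages.emplace_back(new ConsoleMessage(new SourceLocation{url, line}));
  }
};

// Shape of the original fuzzer: one holder for the whole process. Messages from
// every input stay reachable through this global, so LSAN counts them as live
// (not a Direct-leak) even though they accumulate across inputs.
PageHolder* g_page_holder = nullptr;

int LLVMFuzzerInitialize(int*, char***) {
  g_page_holder = new PageHolder;  // never deleted, as in the fuzzer
  return 0;
}

int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  std::string header(reinterpret_cast<const char*>(data), size);
  g_page_holder->AddConsoleMessage("about:blank", static_cast<unsigned>(header.size()));
  return 0;
}

// Shape of the patch in the thread: a holder created and destroyed per input.
// Returns how many messages created for this input are still live afterwards.
int RunOneInputWithFreshHolder(const uint8_t*, size_t size) {
  int before = ConsoleMessage::live;
  std::unique_ptr<PageHolder> holder(new PageHolder);
  holder->AddConsoleMessage("about:blank", static_cast<unsigned>(size));
  holder.reset();  // the patch's `delete g_page_holder;`
  return ConsoleMessage::live - before;
}

int LiveConsoleMessages() { return ConsoleMessage::live; }
```

Built with `-fsanitize=address`, the global-holder path ends with all of its messages still reachable and therefore unreported, while the fresh-holder path returns 0 because everything it allocated was freed in the same iteration.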
Comment 1 by mummare...@chromium.org, Mar 22 2017
Components: Blink>SecurityFeature
Labels: M-59 Test-Predator-Wrong