Issue 710483 link

Starred by 1 user

Issue metadata

Status:	WontFix
Owner:	----
Closed:	Apr 2017
Cc:	mstarzinger@chromium.org lfg@chromium.org
Components:	Blink>Bindings
EstimatedDays:	----
NextAction:	----
OS:	All , Mac
Pri:	2
Type:	Bug
Reproducible Stability-Memory-AddressSanitizer Needs-Feedback Clusterfuzz M-59 Stability-AFL Test-Predator-Wrong

Direct-leak in DecodeForDeserialization

Project Member Reported by ClusterFuzz, Apr 11 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6131776260145152

Fuzzer: afl_stylesheet_contents_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  DecodeForDeserialization
  v8::internal::Deserializer::PostProcessNewObject
  v8::internal::Deserializer::ReadObject
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=463587:463597

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96lS8FXqTvXTE_YQ982ZlYdpYDXedCbVelWT1vzU4VKj6m4glb4DWDwvQ5_fjqS5AvNYtn-VZ3BeIBoOvDbtrbUCLov5Lm9_Nm4AehzBQg1heftrhrz4DV6memiMk8nT-ZzGnwPHr-2KCFgLAaJpj7IA9GM8BglbP9SyFZHo4JzUUGzbCgLTzkxYbp5G2rprYrcypWikngeYb5nZEGSG-4DCSicf2SRgqwUtLqui0V-0JirSfDYHCVQ7_Sy9bFLxPS2b6wau8VTearB8C2T3ZY3eONGSPqFdWUh4qbSZL89SdQV3EoNcOcCS5DI5G-HsdnnNjBPC9CAbKk81_ql90LCAlXDudR7bLLW0BDk2cs4p3okGqU?testcase_id=6131776260145152


Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 1 by msrchandra@chromium.org, Apr 11 2017

Components: Blink>JavaScript
Labels: M-59 Test-Predator-Wrong

Comment 2 by mstarzinger@chromium.org, Apr 13 2017

Components: -Blink>JavaScript Blink

It looks like V8's Isolate was never torn down (i.e. v8::Isolate::Dispose never called). Unfortunately not much can be done about this from the V8 side.

Comment 3 by dglazkov@chromium.org, Apr 13 2017

Cc: mstarzinger@chromium.org

mstarzinger@, would you help me understand what would be a potential cause of the problem? Even though it might not be a purely V8 issue, your expertise and understanding is appreciated.

It looks like the stack trace originates in gin, which also seems a bit weird.

Comment 4 by dglazkov@chromium.org, Apr 13 2017

Components: -Blink Blink>Bindings
Labels: -OS-Linux OS-All

Routing to bindings team for triage.

Comment 5 by adithyas@chromium.org, Apr 24 2017

Status: WontFix (was: Untriaged)

This looks like an intentional memory leak, the isolate in question here is a main thread isolate and we don't call v8::Isolate::Dispose for a main thread isolate.

Project Member

Comment 6 by ClusterFuzz, Jul 9 2017

Labels: OS-Mac

Project Member

Comment 7 by ClusterFuzz, Jul 14 2017

Labels: Needs-Feedback

ClusterFuzz testcase 6131776260145152 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.

►

Issue 710483 link

Issue metadata

Direct-leak in DecodeForDeserialization

Issue description

Comment 1 by msrchandra@chromium.org, Apr 11 2017

Comment 1 Deleted

Comment 2 by mstarzinger@chromium.org, Apr 13 2017

Comment 2 Deleted

Comment 3 by dglazkov@chromium.org, Apr 13 2017

Comment 3 Deleted

Comment 4 by dglazkov@chromium.org, Apr 13 2017

Comment 4 Deleted

Comment 5 by adithyas@chromium.org, Apr 24 2017

Comment 5 Deleted

Comment 6 by ClusterFuzz, Jul 9 2017

Comment 6 Deleted

Comment 7 by ClusterFuzz, Jul 14 2017

Comment 7 Deleted

Sign in to add a comment