Abrt in blink::ReportFatalErrorInMainThread

Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5913349715132416
Fuzzer: inferno_layout_test_fuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Abrt
Crash Address: 0x03e900000001
Crash State:
  blink::ReportFatalErrorInMainThread
  v8::V8::FromJustIsNothing
  WebCoreTestSupport::injectInternalsObject
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=390623:390629
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5913349715132416
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 8 2017
Lowering priority, this is in testing code only.
The test case sets a setter for the 'internals' property, which throws when being called.
This makes this code in WebCoreTestSupport.cpp fail:

    global
        ->Set(scriptState->GetContext(),
              blink::V8AtomicString(scriptState->GetIsolate(), "internals"),
              internals)
        .ToChecked();
One solution would be to use {global->CreateDataProperty} instead of {global->Set}.
@Michi: Would this be the right fix for this issue?
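The difference between the two V8 calls discussed above, modelled in JavaScript as an added example (not code from the bug thread or from Chromium): v8::Object::Set has assignment semantics and runs any setter found on the receiver or its prototype chain, while CreateDataProperty defines an own data property and never consults a setter. The hostile global, the `internals` stub and the injector functions are constructed for this example.

```javascript
// Added example (not code from the bug thread or Chromium): the two V8 calls
// modelled in JavaScript. v8::Object::Set behaves like `obj.p = v` ([[Set]],
// runs setters); CreateDataProperty behaves like Object.defineProperty with a
// data descriptor ([[DefineOwnProperty]], never runs a setter).

// Constructed stand-in for the fuzzer's test case: a global whose 'internals'
// property has a throwing setter, either on the object itself or (with
// fromPrototype) on its prototype chain; [[Set]] finds it in both cases.
function makeHostileGlobal(fromPrototype) {
  const trap = {
    set(_v) { throw new TypeError("user-defined setter for 'internals' ran"); },
    configurable: true,
  };
  const target = {};
  Object.defineProperty(target, "internals", trap);
  return fromPrototype ? Object.create(target) : target;
}

// Before the fix (global->Set): the assignment runs the setter, the exception
// propagates, and V8's empty Maybe then hits ToChecked() -> FromJustIsNothing.
function injectWithSet(global, internals) {
  global.internals = internals;
  return global.internals === internals;
}

// After the fix (global->CreateDataProperty): define an own writable data
// property on the receiver; no setter is consulted. A property that cannot be
// (re)defined yields false instead of an exception, like V8's Maybe<bool>.
function injectWithCreateDataProperty(global, internals) {
  try {
    Object.defineProperty(global, "internals", {
      value: internals, writable: true, enumerable: true, configurable: true,
    });
    return true;
  } catch (e) {
    return false;
  }
}

// Runs one injector against one global and classifies the outcome.
function tryInject(injector, global) {
  const internals = { name: "constructed internals stub" };
  try {
    return injector(global, internals) ? "defined" : "rejected";
  } catch (e) {
    return "threw";
  }
}
```

Running both injectors against a plain object shows no difference; only a setter on the receiver or its prototype chain separates them.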
Jun 9 2017
+jochen The proposed fix would silence this CF issue. Are there more occurrences of this pattern, i.e. should we expect more similar issues?
Jun 9 2017
Since it's only in testing code, I would be fine with such a fix. But I don't have the necessary overview to judge how many such places might be affected. If this is only the tip of the iceberg, then I am not sure fixing all property access sites in test code will scale. Jochen, what's your take?
Jun 9 2017
sgtm
Jun 9 2017
https://chromium-review.googlesource.com/529125
Jun 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a9ef138c0e921e8d0986228a15e4c282e113e1f8

commit a9ef138c0e921e8d0986228a15e4c282e113e1f8
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Mon Jun 12 10:26:59 2017

Use CreateDataProperty instead of Set

We just want to set a data property on the global object, without triggering user-defined setters.

R=jochen@chromium.org
BUG= chromium:729993
Change-Id: Idd12d95282916c60f84cc0cbed9117be8d18bee4
Reviewed-on: https://chromium-review.googlesource.com/529125
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#478583}

[modify] https://crrev.com/a9ef138c0e921e8d0986228a15e4c282e113e1f8/third_party/WebKit/Source/core/testing/v8/WebCoreTestSupport.cpp
Jun 12 2017
Jun 13 2017
ClusterFuzz has detected this issue as fixed in range 478555:478688.

Detailed report: https://clusterfuzz.com/testcase?key=5913349715132416
Fuzzer: inferno_layout_test_fuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Abrt
Crash Address: 0x03e900000001
Crash State:
  blink::ReportFatalErrorInMainThread
  v8::V8::FromJustIsNothing
  WebCoreTestSupport::injectInternalsObject
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=390623:390629
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=478555:478688
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5913349715132416
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by msrchandra@chromium.org, Jun 6 2017
Labels: Test-Predator-Wrong-CLs M-60