New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 754409 link

Starred by 1 user
Status: WontFix
Owner:
joelhockey@chromium.org
Closed: Oct 2017
Cc:
pnangunoori@chromium.org
msrchandra@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Null-dereference READ in test_runner::TestPlugin::Initialize

Project Member Reported by ClusterFuzz, Aug 10 2017 
Detailed report: https://clusterfuzz.com/testcase?key=4805022406934528

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  test_runner::TestPlugin::Initialize
  blink::LocalFrameClientImpl::CreatePlugin
  blink::HTMLPlugInElement::LoadPlugin
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4805022406934528

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. If the fix resolved the issue, please close the bug by marking as Fixed.

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by pnangunoori@chromium.org, Sep 13 2017

Cc: msrchandra@chromium.org pnangunoori@chromium.org
Labels: Test-Predator-Wrong-CLs
Owner: slangley@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.
Using the code search for the file, “LocalFrameClientImpl.cpp” assigning to concern owner from GIT blame.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/4213a7a72e73afe82d0850794d543e57b4c00bf4

@slangley  -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes.

Thank You.

Comment 2 by slangley@chromium.org, Sep 18 2017

Owner: joelhockey@chromium.org
Assigning to joelhockey@ based on changes to plugins and this seems to be triggered by WebPluginContainerImpl* container = WebPluginContainerImpl::Create(element, web_plugin) returning nullptr.
Project Member

Comment 3 by ClusterFuzz, Oct 1 2017

Components: Blink
Labels: Test-Predator-AutoComponents
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 4 by rtoy@chromium.org, Oct 2 2017

Components: -Blink Internals>Plugins

Comment 5 by joelhockey@chromium.org, Oct 4 2017 

This has not been crashing since Sep 22, so ignoring for now.  It will auto-close on Oct 17 if it is no longer seen.

Comment 6 by joelhockey@chromium.org, Oct 4 2017 

This error is not caused by WebPluginContainerImpl::Create returning nullptr.  The nullptr is returned on the line prior to the crash by:

blink::Platform::Current()->CreateOffscreenGraphicsContext3DProvider(
          attrs, url, nullptr, &gl_info); 

A speculative fix would be to change:

if (!context_provider_->BindToCurrentThread())
    context_provider_ = nullptr;

To have a nullptr guard and be:

if (context_provider && !context_provider_->BindToCurrentThread())
    context_provider_ = nullptr;
Project Member

Comment 7 by ClusterFuzz, Oct 6 2017

Status: WontFix (was: Assigned)
ClusterFuzz testcase 4805022406934528 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 8 by mbarbe...@chromium.org, Nov 7 2017

Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components

Sign in to add a comment