
Issue 755534


Issue metadata

Status: WontFix
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug-Regression




Null-dereference READ in blink::Scrollbar::ConvertFromRootFrameToParentView

Project Member Reported by ClusterFuzz, Aug 15 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5747480737349632

Fuzzer: marty_html_twiddler
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  blink::Scrollbar::ConvertFromRootFrameToParentView
  blink::ScrollbarTheme::HitTestWithRootFramePoint
  blink::Scrollbar::MouseMoved
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=494105:494256

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5747480737349632

Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: msrchandra@chromium.org
Components: Blink>Scroll
Labels: Test-Predator-Wrong-CLs M-62
Owner: chaopeng@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.
Using Code Search for the file "ScrollbarTheme.cpp", assigning the concerned owner using git blame.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/2a88dac7dd3caf5155d4e82f08c86d12484dbf18

@chaopeng -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Magic Signature: blink::Scrollbar::ConvertFromRootFrameToParentView

Stack trace:
-----------
Thread 0 (id: 8052) CRASHED [EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000000 ] MAGIC SIGNATURE THREAD
Stack Quality: 86%
0x000007fed12c612a	(chrome_child.dll -Scrollbar.cpp:583 )	blink::Scrollbar::ConvertFromRootFrameToParentView(blink::IntPoint const &)
0x000007fed12bf578	(chrome_child.dll -ScrollbarTheme.cpp:209 )	blink::ScrollbarTheme::HitTestWithRootFramePoint(blink::ScrollbarThemeClient const &,blink::IntPoint const &)
0x000007fed12c5caa	(chrome_child.dll -Scrollbar.cpp:439 )	blink::Scrollbar::MouseMoved(blink::WebMouseEvent const &)
0x000007fecef0f447	(chrome_child.dll -EventHandler.cpp:827 )	blink::EventHandler::HandleMouseMoveOrLeaveEvent(blink::WebMouseEvent const &,WTF::Vector<blink::WebMouseEvent,0,WTF::PartitionAllocator> const &,blink::HitTestResult *,bool,bool)
0x000007feceef6743	(chrome_child.dll -EventHandler.cpp:746 )	blink::EventHandler::HandleMouseMoveEvent(blink::WebMouseEvent const &,WTF::Vector<blink::WebMouseEvent,0,WTF::PartitionAllocator> const &)
0x000007fecef00b34	(chrome_child.dll -MouseEventManager.cpp:349 )	blink::MouseEventManager::FakeMouseMoveEventTimerFired(blink::TimerBase *)
0x000007fece9c4123	(chrome_child.dll -Timer.cpp:174 )	blink::TimerBase::RunInternal()
0x000007fece7c27c0	(chrome_child.dll -task_annotator.cc:57 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x000007fece80e7ce	(chrome_child.dll -task_queue_manager.cc:532 )	blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue *,bool,blink::scheduler::LazyNow,base::TimeTicks *)
0x000007fece80d150	(chrome_child.dll -task_queue_manager.cc:330 )	blink::scheduler::TaskQueueManager::DoWork(bool)
0x000007fece7c27c0	(chrome_child.dll -task_annotator.cc:57 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x000007fece7c1e43	(chrome_child.dll -message_loop.cc:410 )	base::MessageLoop::RunTask(base::PendingTask *)
0x000007fecf8d3d01	(chrome_child.dll -message_loop.cc:421 )	base::MessageLoop::DeferOrRunPendingTask(base::PendingTask)
0x000007fece7c08d5	(chrome_child.dll -message_loop.cc:528 )	base::MessageLoop::DoWork()
0x000007fece7baad8	(chrome_child.dll -message_pump_default.cc:33 )	base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x000007fece7bb330	(chrome_child.dll -run_loop.cc:123 )	base::RunLoop::Run()
0x000007fece7a71e0	(chrome_child.dll -renderer_main.cc:219 )	content::RendererMain(content::MainFunctionParams const &)
0x000007fece7a6dfd	(chrome_child.dll -content_main_runner.cc:408 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x000007fece7a00af	(chrome_child.dll -content_main_runner.cc:690 )	content::ContentMainRunnerImpl::Run()
0x000007fece775d10	(chrome_child.dll -main.cc:469 )	service_manager::Main(service_manager::MainParams const &)
0x000007fece775885	(chrome_child.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x000007fece771efb	(chrome_child.dll -chrome_main.cc:122 )	ChromeMain
0x000000013f6c3d80	(chrome.exe -main_dll_loader_win.cc:199 )	MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks)
0x000000013f6c1774	(chrome.exe -chrome_exe_main_win.cc:275 )	wWinMain
0x000000013f792252	(chrome.exe -exe_common.inl:253 )	__scrt_common_main_seh
0x777659cc	(kernel32.dll + 0x000159cc )	
0x7799a560	(ntdll.dll + 0x0002a560 )	
0x777ebaaf	(kernel32.dll + 0x0009baaf )	
0x777ebaaf	(kernel32.dll + 0x0009baaf )	

Link to the list of builds:
--------------------------
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3AScrollbar%3A%3AConvertFromRootFrameToParentView%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D&unnest=

Thanks..!!
Cc: ligim...@chromium.org
Labels: ReleaseBlock-Stable
This is a recent regression. Please have a fix soon.

Comment 4 by ClusterFuzz (Project Member), Aug 16 2017

Labels: OS-Linux

Comment 5 by ajha@chromium.org, Aug 18 2017

Cc: ajha@chromium.org
Labels: -Type-Bug Type-Bug-Regression
There is one more variant of this magic signature that regressed in the same regression range and has the same root cause as this one:

Magic signature: blink::ScrollableArea::GetScrollAnimator

Stack trace:
============
Thread 0 (id: 5400) CRASHED [EXCEPTION_ACCESS_VIOLATION_READ @ 0x00000010 ] MAGIC SIGNATURE THREAD
Stack Quality: 92%
0x00007ffe0a35d024	(chrome_child.dll -ScrollableArea.cpp:88 )	blink::ScrollableArea::GetScrollAnimator()
0x00007ffe0ccc4a49	(chrome_child.dll -Scrollbar.cpp:617 )	blink::Scrollbar::ScrollableAreaTargetPos()
0x00007ffe0ccc49e6	(chrome_child.dll -Scrollbar.cpp:170 )	blink::Scrollbar::ThumbWillBeUnderMouse()
0x00007ffe0ccc486b	(chrome_child.dll -Scrollbar.cpp:182 )	blink::Scrollbar::AutoscrollPressedPart(double)
0x00007ffe0a3c3f93	(chrome_child.dll -Timer.cpp:174 )	blink::TimerBase::RunInternal()
0x00007ffe0a1c2830	(chrome_child.dll -task_annotator.cc:57 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x00007ffe0a20e62e	(chrome_child.dll -task_queue_manager.cc:532 )	blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue *,bool,blink::scheduler::LazyNow,base::TimeTicks *)
0x00007ffe0a20cfb0	(chrome_child.dll -task_queue_manager.cc:330 )	blink::scheduler::TaskQueueManager::DoWork(bool)
0x00007ffe0a1c2830	(chrome_child.dll -task_annotator.cc:57 )	base::debug::TaskAnnotator::RunTask(char const *,base::PendingTask *)
0x00007ffe0a1c1eb3	(chrome_child.dll -message_loop.cc:410 )	base::MessageLoop::RunTask(base::PendingTask *)
0x00007ffe0b2d7aa1	(chrome_child.dll -message_loop.cc:421 )	base::MessageLoop::DeferOrRunPendingTask(base::PendingTask)
0x00007ffe0a1c0945	(chrome_child.dll -message_loop.cc:528 )	base::MessageLoop::DoWork()
0x00007ffe0a1bab48	(chrome_child.dll -message_pump_default.cc:33 )	base::MessagePumpDefault::Run(base::MessagePump::Delegate *)
0x00007ffe0a1bb3a0	(chrome_child.dll -run_loop.cc:123 )	base::RunLoop::Run()
0x00007ffe0a1a7250	(chrome_child.dll -renderer_main.cc:219 )	content::RendererMain(content::MainFunctionParams const &)
0x00007ffe0a1a6e6d	(chrome_child.dll -content_main_runner.cc:408 )	content::RunNamedProcessTypeMain(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,content::MainFunctionParams const &,content::ContentMainDelegate *)
0x00007ffe0a1a011f	(chrome_child.dll -content_main_runner.cc:690 )	content::ContentMainRunnerImpl::Run()
0x00007ffe0a175d10	(chrome_child.dll -main.cc:469 )	service_manager::Main(service_manager::MainParams const &)
0x00007ffe0a175885	(chrome_child.dll -content_main.cc:19 )	content::ContentMain(content::ContentMainParams const &)
0x00007ffe0a171efb	(chrome_child.dll -chrome_main.cc:122 )	ChromeMain
0x00007ff600943f00	(chrome.exe -main_dll_loader_win.cc:199 )	MainDllLoader::Launch(HINSTANCE__ *,base::TimeTicks)
0x00007ff600941774	(chrome.exe -chrome_exe_main_win.cc:275 )	wWinMain
0x00007ff600a121e2	(chrome.exe -exe_common.inl:253 )	__scrt_common_main_seh
0x00007ffe4bfa8363	(KERNEL32.DLL + 0x00008363 )	BaseThreadInitThunk
0x00007ffe4e817090	(ntdll.dll + 0x00067090 )	
0x00007ffe4ae84e1f	(KERNELBASE.dll + 0x00054e1f )	

Link to the list of the builds:
===============================
https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3AScrollableArea%3A%3AGetScrollAnimator%27%20AND%20product.name%3D%27Chrome%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D&unnest=

chaopeng@: Could you please take a look at these crashes and confirm if both are related.

Status: Started (was: Assigned)

Comment 7 by ajha@chromium.org, Aug 21 2017

Labels: -ReleaseBlock-Stable ReleaseBlock-Beta
Just to update, this is the #6 renderer crash on the latest Windows Dev (62.0.3188.4 - 158 crashes from 151 clients).

chaopeng@: Requesting to expedite the fix and if possible land before next Dev release scheduled on 08/22.

Thank you!

Comment 8 by ClusterFuzz (Project Member), Aug 21 2017

ClusterFuzz has detected this issue as fixed in range 495551:495853.

Detailed report: https://clusterfuzz.com/testcase?key=5747480737349632

Fuzzer: marty_html_twiddler
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  blink::Scrollbar::ConvertFromRootFrameToParentView
  blink::ScrollbarTheme::HitTestWithRootFramePoint
  blink::Scrollbar::MouseMoved
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=494105:494256
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=495551:495853

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5747480737349632

Additional requirements: Requires Gestures

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 9 by ClusterFuzz (Project Member), Aug 21 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5747480737349632 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Status: Started (was: Verified)
Cc: chaopeng@chromium.org
Issue 758154 has been merged into this issue.
Issue 758156 has been merged into this issue.
Status: WontFix (was: Started)
The patch is reverted. This issue should be fixed.