Null-dereference in SignalAction
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5873336566677504
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Null-dereference
Crash Address: 0x000000000000
Crash State:
  SignalAction
  __msan_memset
  device::PlatformSensorProviderBase::MapSharedBufferForType
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=497651:497656
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5873336566677504

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Aug 28 2017
Aug 28 2017
From the stack trace it follows that memory mapping fails for some reason; https://chromium-review.googlesource.com/c/chromium/src/+/638451 should fix the exact crash bug, but the reason why the memory map failed must still be investigated.
Aug 28 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6998758de27567c7e075114c7fcf628c1faba70a

commit 6998758de27567c7e075114c7fcf628c1faba70a
Author: Mikhail Pozdnyakov <mikhail.pozdnyakov@intel.com>
Date: Mon Aug 28 16:27:30 2017

PlatformSensorProviderBase: check mapping value before calling memset()

In the PlatformSensorProviderBase::MapSharedBufferForType() method the 'mapping' value must be null-checked before passing to memset().

Bug: 759318
Change-Id: Ieeb9e33d21953a8845dbf13b92dc9a7a996156ca
Reviewed-on: https://chromium-review.googlesource.com/638451
Reviewed-by: Alexander Shalamov <alexander.shalamov@intel.com>
Commit-Queue: Mikhail Pozdnyakov <mikhail.pozdnyakov@intel.com>
Cr-Commit-Position: refs/heads/master@{#497772}

[modify] https://crrev.com/6998758de27567c7e075114c7fcf628c1faba70a/services/device/generic_sensor/platform_sensor_provider_base.cc
Aug 28 2017
Issue 759319 has been merged into this issue.
Aug 29 2017
ClusterFuzz has detected this issue as fixed in range 497771:497777.

Detailed report: https://clusterfuzz.com/testcase?key=5873336566677504
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Null-dereference
Crash Address: 0x000000000000
Crash State:
  SignalAction
  __msan_memset
  device::PlatformSensorProviderBase::MapSharedBufferForType
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=497651:497656
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=497771:497777
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5873336566677504

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 29 2017
Aug 29 2017
ClusterFuzz testcase 5873336566677504 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Aug 30 2017
Issue 760545 has been merged into this issue.
Aug 30 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/826c2384ac82b95cc9f66659b6e95d9c70820f0c

commit 826c2384ac82b95cc9f66659b6e95d9c70820f0c
Author: Mikhail Pozdnyakov <mikhail.pozdnyakov@intel.com>
Date: Wed Aug 30 21:52:10 2017

Fix handling of PlatformSensorFusion initialization failure

When PlatformSensorFusion initialization fails, the object previously stored inside the callback passed to SensorProvider::CreateSensor() gets destroyed. The problem was that SensorProvider::RemoveSensor() had been called from the destructor of the destroyed object but the object itself had never been added to SensorProvider::sensor_map_. This patch fixes the problem.

Bug: 760545
Bug: 759318
Change-Id: Ia752f2013649b471ba7a154ece128d1f5af554df
Reviewed-on: https://chromium-review.googlesource.com/643509
Commit-Queue: Mikhail Pozdnyakov <mikhail.pozdnyakov@intel.com>
Reviewed-by: Reilly Grant <reillyg@chromium.org>
Reviewed-by: Jun Cai <juncai@chromium.org>
Cr-Commit-Position: refs/heads/master@{#498628}

[modify] https://crrev.com/826c2384ac82b95cc9f66659b6e95d9c70820f0c/services/device/generic_sensor/platform_sensor.cc
[modify] https://crrev.com/826c2384ac82b95cc9f66659b6e95d9c70820f0c/services/device/generic_sensor/platform_sensor_provider_base.cc
[modify] https://crrev.com/826c2384ac82b95cc9f66659b6e95d9c70820f0c/services/device/generic_sensor/platform_sensor_provider_base.h
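The two commits above describe two related defensive patterns: a shared-buffer mapping that can fail must be null-checked before it is handed to memset(), and an object must only remove itself from a provider's registry if it was actually added there, even when its initialization fails part-way. The following standalone C++ model is an added illustration of both, not Chromium's code and not taken from either commit; every name in it (Mapping, MapSharedBuffer, MapSharedBufferForType, Provider, Sensor, CreateSensor, kFailingType) is hypothetical, and the mapper simulates a platform failure for one constructed sensor type so the failure path can be exercised offline.

```cpp
// Added toy model (not Chromium's code): null-check a mapping before memset(),
// and unregister from a provider only if registration actually happened.
// All identifiers here are hypothetical stand-ins.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <map>
#include <memory>
#include <vector>

// Stand-in for a shared memory mapping; a null result means the platform
// refused to map the region.
struct Mapping {
  std::vector<uint8_t> bytes;  // in-process buffer standing in for the region
};

constexpr int kFailingType = 99;  // constructed value: mapping fails for it

// Hypothetical mapper. Real code would ask the platform for the mapping;
// here one type (and a zero size) fails so the error path is reachable.
std::unique_ptr<Mapping> MapSharedBuffer(int type, size_t size) {
  if (type == kFailingType || size == 0) return nullptr;
  auto m = std::make_unique<Mapping>();
  m->bytes.assign(size, 0xAA);  // non-zero so the later memset is observable
  return m;
}

// Hardened pattern: test the mapping before touching it. Returns null on
// mapping failure instead of passing a null pointer to memset().
std::unique_ptr<Mapping> MapSharedBufferForType(int type, size_t size) {
  std::unique_ptr<Mapping> mapping = MapSharedBuffer(type, size);
  if (!mapping) return nullptr;  // the check whose absence caused the crash
  std::memset(mapping->bytes.data(), 0, mapping->bytes.size());
  return mapping;
}

class Sensor;

// Registry of live sensors keyed by type.
class Provider {
 public:
  void AddSensor(int type, Sensor* s) { sensor_map_[type] = s; }
  // Removing a type that was never added is the mistake the second fix
  // addressed; count such calls so a test can prove they no longer happen.
  void RemoveSensor(int type) {
    if (sensor_map_.erase(type) == 0) ++spurious_removals_;
  }
  size_t size() const { return sensor_map_.size(); }
  int spurious_removals() const { return spurious_removals_; }

 private:
  std::map<int, Sensor*> sensor_map_;
  int spurious_removals_ = 0;
};

class Sensor {
 public:
  Sensor(Provider* provider, int type) : provider_(provider), type_(type) {}
  // Unregister only if registration actually took place.
  ~Sensor() { if (registered_) provider_->RemoveSensor(type_); }

  bool Initialize(size_t buffer_size) {
    mapping_ = MapSharedBufferForType(type_, buffer_size);
    if (!mapping_) return false;  // registered_ stays false on failure
    provider_->AddSensor(type_, this);
    registered_ = true;
    return true;
  }
  const Mapping* mapping() const { return mapping_.get(); }

 private:
  Provider* provider_;
  int type_;
  bool registered_ = false;
  std::unique_ptr<Mapping> mapping_;
};

// Factory mirroring the callback flow: on failure the half-built object is
// destroyed (running ~Sensor) and null is returned to the caller.
std::unique_ptr<Sensor> CreateSensor(Provider* provider, int type, size_t size) {
  auto sensor = std::make_unique<Sensor>(provider, type);
  if (!sensor->Initialize(size)) return nullptr;  // destructor runs here
  return sensor;
}

// Scenario 1: mapping fails. Expect no crash, nothing registered, and no
// spurious RemoveSensor() call from the destructor.
bool FailurePathIsClean() {
  Provider p;
  std::unique_ptr<Sensor> s = CreateSensor(&p, kFailingType, 64);
  return s == nullptr && p.size() == 0 && p.spurious_removals() == 0;
}

// Scenario 2: mapping succeeds. Expect a zeroed buffer, registration while
// alive, and exactly one clean removal on destruction.
bool SuccessPathIsClean() {
  Provider p;
  std::unique_ptr<Sensor> s = CreateSensor(&p, 1, 16);
  if (!s || p.size() != 1) return false;
  const Mapping* m = s->mapping();
  if (!m || m->bytes.size() != 16 || m->bytes[0] != 0 || m->bytes[15] != 0) return false;
  s.reset();
  return p.size() == 0 && p.spurious_removals() == 0;
}
```

The registered_ flag is the point of the second scenario: the destructor's cleanup is conditioned on the same event that performed the registration, so a failed Initialize() cannot leave the provider's map in a state the destructor then tries to undo. The first scenario only passes because MapSharedBufferForType() returns before memset() when the mapper yields null.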
Comment 1 by msrchandra@chromium.org, Aug 28 2017
Labels: M-62 Test-Predator-Wrong
Owner: reillyg@chromium.org
Status: Assigned (was: Untriaged)