Crash in google::protobuf::EnumValueDescriptor::type
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6320375486218240

Fuzzer: libFuzzer_renderer_proto_tree_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x62180045c768
Crash State:
  google::protobuf::EnumValueDescriptor::type
  google::protobuf::internal::GeneratedMessageReflection::SetEnum
  void protobuf_mutator::CopyField::ForType<protobuf_mutator::ConstFieldInstance::

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6320375486218240

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. If the fix resolved the issue, please close the bug by marking as Fixed.
Aug 30 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/1a8df4c7627e59b8116d766d28d65d2a4e1566e9

commit 1a8df4c7627e59b8116d766d28d65d2a4e1566e9
Author: Vitaly Buka <vitalybuka@chromium.org>
Date: Wed Aug 30 20:31:53 2017

Update src/third_party/libprotobuf-mutator b2c4fb591..b3323e24e

Bug: 760280
Change-Id: Ib58b2acfebdf8bee712c1a7d0419874c2044cdfc
Reviewed-on: https://chromium-review.googlesource.com/642460
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Commit-Queue: Vitaly Buka <vitalybuka@chromium.org>
Cr-Commit-Position: refs/heads/master@{#498592}

[modify] https://crrev.com/1a8df4c7627e59b8116d766d28d65d2a4e1566e9/DEPS
[modify] https://crrev.com/1a8df4c7627e59b8116d766d28d65d2a4e1566e9/content/test/fuzzer/renderer_proto_tree_fuzzer.cc
[modify] https://crrev.com/1a8df4c7627e59b8116d766d28d65d2a4e1566e9/third_party/libprotobuf-mutator/BUILD.gn
Sep 19 2017
vitalybuka: is this fixed now?
Sep 19 2017
Nope. I hoped maybe the roll would fix it, but it didn't. This does not look like a bug in Chromium, but rather in the mutator library. As the crash rate is low, I am going to work on this in Oct.
Sep 30 2017
Vitaly, we are going to temporarily disable renderer_proto_tree_fuzzer on the ClusterFuzz side because it's very slow (<1 exec/s) and in 50% of runs it crashes on this libprotobuf issue. Due to that, we probably won't see new stats from CF, but the target will stay in the repo for local reproducing and bug fixing. Also, there are variants of this crash:
https://clusterfuzz.com/v2/testcase-detail/4719368222277632
https://clusterfuzz.com/v2/testcase-detail/5058591919964160
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 16 2017
ClusterFuzz testcase 6320375486218240 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 23 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Aug 29 2017
Components: Tools>Stability>libFuzzer
Owner: vitalyb...@chromium.org
Status: Assigned (was: Untriaged)