Null-dereference READ in blink::ScriptWrappableVisitor::ScheduleIdleLazyCleanup
Issue description, Sep 11 2017

Detailed report: https://clusterfuzz.com/testcase?key=6442702811168768

Fuzzer: afl_v8_serialized_script_value_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::ScriptWrappableVisitor::ScheduleIdleLazyCleanup
  blink::ScriptWrappableVisitor::TraceEpilogue
  v8::internal::MarkCompactCollector::MarkLiveObjects
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6442702811168768

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.

Comment, Sep 15 2017
The crash is at https://chromium.googlesource.com/chromium/src/+/975794ee43d7036fb94be988a9f6751db85c7a3a/third_party/WebKit/Source/platform/bindings/ScriptWrappableVisitor.cpp#100 The code in question hasn't changed for over half a year. I guess we either don't have |CurrentThread()| or |Scheduler()|. Will investigate next week.
Comment, Sep 28 2017
I am unable to reproduce this issue and would suggest a WontFix here. haraken/keishi: Do you know at the top of your head whether there is a way to have CurrentThread() to return nullptr? It is probably null in some use case but I cannot find it.
Comment, Sep 28 2017
Is it possible that the garbage collection is triggered after the thread is shut down?
Comment, Sep 29 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ac81591259746749c24a6fa8eff709e319d8eee6

commit ac81591259746749c24a6fa8eff709e319d8eee6
Author: Michael Lippautz <mlippautz@chromium.org>
Date: Fri Sep 29 06:53:38 2017

[wrapper-tracing] Don't try to schedule cleanup without a thread

Bug: chromium:763687
Change-Id: I06180bbdf66d837a6bafe800ce674cb8aaaf0ee9
Reviewed-on: https://chromium-review.googlesource.com/690155
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#505314}

[modify] https://crrev.com/ac81591259746749c24a6fa8eff709e319d8eee6/third_party/WebKit/Source/platform/bindings/ScriptWrappableVisitor.cpp

Comment, Sep 29 2017
That's a speculative fix since I was unable to reproduce the actual issue. Let's see what CF has to say about it.
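A model of the failure mode discussed in this thread, added here as an illustration and not Chromium's own code: a GC trace epilogue schedules idle cleanup through the current thread's scheduler, and the guard returns early when the thread state is already gone instead of dereferencing null. Scheduler, ThreadState, CurrentThread() and RunScenario() are simplified stand-ins for Blink's real types, assumed for this example.

```cpp
#include <functional>
#include <utility>
#include <vector>

// Stand-in for the thread scheduler that accepts idle-time tasks (assumed API).
struct Scheduler {
  std::vector<std::function<void()>> idle_tasks;
  void PostIdleTask(std::function<void()> task) { idle_tasks.push_back(std::move(task)); }
  void RunIdleTasks() { for (auto& t : idle_tasks) t(); idle_tasks.clear(); }
};

// Stand-in for per-thread state; CurrentThread() yields null once the thread has detached.
struct ThreadState { Scheduler* scheduler; };
static thread_local ThreadState* g_current_thread = nullptr;
ThreadState* CurrentThread() { return g_current_thread; }

struct Visitor {
  bool idle_cleanup_scheduled = false;
  int cleanups_run = 0;

  // Pre-fix shape, for contrast only: CurrentThread()->scheduler->PostIdleTask(...) with no
  // check dereferences a null ThreadState, the READ at address 0 in the ClusterFuzz report.
  // Guarded form: report failure instead of scheduling when no thread or scheduler exists.
  bool ScheduleIdleLazyCleanup() {
    if (idle_cleanup_scheduled) return true;
    ThreadState* thread = CurrentThread();
    if (!thread || !thread->scheduler) return false;
    thread->scheduler->PostIdleTask([this] { ++cleanups_run; idle_cleanup_scheduled = false; });
    idle_cleanup_scheduled = true;
    return true;
  }
  bool TraceEpilogue() { return ScheduleIdleLazyCleanup(); }
};

struct ScenarioResult { int cleanups_run; bool scheduled_after_shutdown; };

// Two GC epilogues: one on a live thread, one after the thread state has gone away.
ScenarioResult RunScenario() {
  Scheduler scheduler;
  ThreadState state{&scheduler};
  Visitor visitor;
  g_current_thread = &state;
  visitor.TraceEpilogue();                   // schedules one idle cleanup
  scheduler.RunIdleTasks();                  // idle time arrives, cleanup runs
  g_current_thread = nullptr;                // thread shut down; no ThreadState any more
  bool scheduled = visitor.TraceEpilogue();  // unguarded code would crash here
  return {visitor.cleanups_run, scheduled};
}
```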
Comment 1 by msrchandra@chromium.org, Sep 11 2017
Components: Blink
Labels: Test-Predator-Wrong-CLs
Owner: mlippautz@chromium.org
Status: Assigned (was: Untriaged)