New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 764879 link

Starred by 2 users
Status: Fixed
Owner:
lukasza@chromium.org
Closed: Jan 2018
Cc:
kkaluri@chromium.org
msrchandra@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug



Sign in to add a comment

Null-dereference READ in base::Value::SetKey

Project Member Reported by ClusterFuzz, Sep 13 2017 
Detailed report: https://clusterfuzz.com/testcase?key=5423879458914304

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x0000000004b0
Crash State:
  base::Value::SetKey
  base::DictionaryValue::MergeDictionary
  content::BlinkTestController::OnLayoutTestRuntimeFlagsChanged
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=501548:501566

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5423879458914304

Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by kkaluri@chromium.org, Sep 14 2017

Cc: msrchandra@chromium.org kkaluri@chromium.org
Components: Blink>HTML>Base
Labels: Test-Predator-Wrong-CLs M-63
Owner: jdoerrie@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.
Using Code Search for the file, "values.cc" assigning to the concern owner who might be related or worked on similar file.

Suspect CL : https://chromium.googlesource.com/chromium/src/+/9f90ad7cab5f6a4402529cde802b82129562f83d

jdoerrie@ -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Project Member

Comment 2 by ClusterFuzz, Sep 14 2017

Labels: OS-Windows OS-Mac

Comment 3 by jdoerrie@chromium.org, Sep 18 2017

Owner: kkaluri@chromium.org
kkaluri@, unfortunately I am unable to reproduce this issue, it appears to be flaky. Furthermore, I doubt the suspected change is the culprit, as it didn't change any functionality. Therefore, I am reassigning this to you.
Project Member

Comment 4 by ClusterFuzz, Sep 30 2017

Labels: ClusterFuzz-Top-Crash ReleaseBlock-Beta
Testcase 5423879458914304 is a top crash on ClusterFuzz for windows platform. Please prioritize fixing this crash.

Marking this crash as a Beta release blocker.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 5 by ClusterFuzz, Oct 1 2017

Components: Internals>Core Test
Labels: Test-Predator-AutoComponents
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 6 by ajha@chromium.org, Oct 4 2017

Owner: xiaoche...@chromium.org
As per https://clusterfuzz.com/v2/testcase-detail/5423879458914304?noredirect=1 shows suspect as https://chromium.googlesource.com/chromium/src/+/2925e1d42d5bc7a91c98a7239424104a43672c02.

Hence assigning to xiaochengh@ for inputs.

Comment 7 by xiaoche...@chromium.org, Oct 4 2017

Owner: ----
Status: Untriaged (was: Assigned)
Seems that the test case can create two different crashes.

1. blink_test_controller.cc(313) Check failed: instance_.

Crashes when running the test case in content_shell with --run-layout-test

2. SelectionTemplate.cpp(261) Check failed: position.IsConnected(). null

Crashes when running *without* --run-layout-test, after staying on the page for ~1s

No idea why it crashes at 1. Shouldn't be relevant to my patch, which doesn't touch any test code.

I've forked 2 as issue 771685
Project Member

Comment 8 by ClusterFuzz, Oct 4 2017

Labels: Test-Predator-AutoOwner
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/2925e1d42d5bc7a91c98a7239424104a43672c02 (Reland "Stop TextIterator from emit double newlines after H4~6 elements").

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Comment 9 by xiaoche...@chromium.org, Oct 4 2017

Owner: kkaluri@chromium.org
Not again...

Comment 10 by mbarbe...@chromium.org, Oct 4 2017 

Sorry for the reassignment spam. Initially it wasn't checking for earlier assignments to a particular owner, but this has been fixed and shouldn't happen again.

Comment 11 by kkaluri@chromium.org, Oct 6 2017

Labels: CF-NeedsTriage
Owner: ----
Status: Untriaged (was: Assigned)

Comment 12 by gov...@chromium.org, Oct 10 2017 

M63 is branching on this Thursday (10/12) and M63 beta promotion is coming very soon. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix ASAP. Thank you.

Comment 13 by ajha@chromium.org, Oct 11 2017

Cc: lukasza@chromium.org
Components: Blink>Infra
As per C#7 and first crash is in 'blink_test_controller.cc', cc'ing lukasza@ for  related work on  Issue 765581  and for more inputs on this.

Adding Blink>Infra as well for someone from the respective team for more inputs.

Comment 14 by kochi@chromium.org, Oct 16 2017

Cc: -lukasza@chromium.org
Labels: -ReleaseBlock-Beta
Owner: lukasza@chromium.org
Status: Available (was: Untriaged)
If blink_test_controller.cc is the source of crashes, it shouldn't matter
for release blocker (test runner only). Removing RB-Beta.

lukasza@, could you take a look?  Or could you assign someone appropriate?

Comment 15 by mbarbe...@chromium.org, Nov 7 2017

Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components

Comment 16 by mbarbe...@chromium.org, Nov 7 2017

Labels: -Test-Predator-AutoOwner Test-Predator-Auto-Owner

Comment 17 by foolip@chromium.org, Dec 15 2017 

lukasza@, any update on this P1?

Comment 18 by lukasza@chromium.org, Dec 15 2017

Status: Started (was: Available)
Thanks for the ping.  I have a speculative fix in the CL @ https://chromium-review.googlesource.com/c/chromium/src/+/830966
Project Member

Comment 19 by bugdroid1@chromium.org, Dec 23 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f227b491129856b41e3c04334d515c2202662f34

commit f227b491129856b41e3c04334d515c2202662f34
Author: Lukasz Anforowicz <lukasza@chromium.org>
Date: Sat Dec 23 00:19:24 2017

Before dereferencing, check if BlinkTestController::Get() is null.

This is a speculative fix for  https://crbug.com/764879 .  I cannot repro
the problem locally, but it seems that
LayoutTestHostMsg_LayoutTestRuntimeFlagsChanged IPC arrives when
BlinkTestController has already been destructed.

Bug:  764879 
Change-Id: I174227bdbc5a6da95308d1d067b17ebcfe30b3af
Reviewed-on: https://chromium-review.googlesource.com/830966
Commit-Queue: Ɓukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#526102}
[modify] https://crrev.com/f227b491129856b41e3c04334d515c2202662f34/content/shell/browser/layout_test/layout_test_browser_main.cc
[modify] https://crrev.com/f227b491129856b41e3c04334d515c2202662f34/content/shell/browser/layout_test/layout_test_content_browser_client.cc
[modify] https://crrev.com/f227b491129856b41e3c04334d515c2202662f34/content/shell/browser/layout_test/layout_test_devtools_bindings.cc
[modify] https://crrev.com/f227b491129856b41e3c04334d515c2202662f34/content/shell/browser/layout_test/layout_test_message_filter.cc
[modify] https://crrev.com/f227b491129856b41e3c04334d515c2202662f34/content/shell/browser/layout_test/secondary_test_window_observer.cc
[modify] https://crrev.com/f227b491129856b41e3c04334d515c2202662f34/content/shell/browser/shell.cc

Comment 20 by lukasza@chromium.org, Jan 2 2018

Status: Fixed (was: Started)
Marking as fixed - hopefully ClusterFuzz will complain if it detects that the issue still repros.

Sign in to add a comment