Null-dereference READ in content::BlinkTestController::OnDumpFrameLayoutResponse |
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4978265663209472

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  content::BlinkTestController::OnDumpFrameLayoutResponse
  content::mojom::LayoutTestControl_DumpFrameLayout_ForwardToCallback::Accept
  mojo::InterfaceEndpointClient::HandleValidatedMessage

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=482782:482851

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4978265663209472

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Sep 17 2017

Sep 21 2017
This is a duplicate of issue 753647 (which ClusterFuzz has for some reason decided is fixed and verified) and very similar to issue 735423 (and maybe issue 760445). I have no idea what is going on / how the situation here is possible. But... to silence these bug reports, maybe I can put together a symptomatic fix and always bind a weak pointer instead of base::Unretained(this)?
Sep 21 2017
WIP CL @ https://chromium-review.googlesource.com/677786 I am not proud...
Sep 21 2017

Sep 28 2017
Crash in blink test runner, updating component accordingly.
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 2 2017
This doesn't seem like a core Mojo platform issue. Removing Internals>Mojo
Oct 17 2017

Nov 7 2017

Dec 13 2017

Dec 15 2017

Dec 19 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e679eb591b3d49ee08cacb83bf4b3e2d5cc4a80e

commit e679eb591b3d49ee08cacb83bf4b3e2d5cc4a80e
Author: Lukasz Anforowicz <lukasza@chromium.org>
Date: Tue Dec 19 16:44:17 2017

Fix for UaF of |this| in BlinkTestController::OnDumpFrameLayoutResponse.

As shown in https://crbug.com/765581 , it is possible that BlinkTestController is destroyed before BlinkTestController::OnDumpFrameLayoutResponse gets called:

1. To prevent UaF crashes in this case, this CL wraps |this| in a base::WeakPtr. This is a speculative fix (I was never able to repro the UaF locally), but I am pretty confident it should avoid the crashes reported in https://crbug.com/765581

2. BlinkTestController should only be destroyed *after* a test is over. Therefore it is rather surprising that BlinkTestController gets destroyed while we are in the middle of generating a layout dump. To help demystify this surprise the CL adds a DCHECK to BlinkTestController::OnInitiateLayoutDump to make sure that only one layout dump is happening at a time.

Bug: 765581
Change-Id: I07431bb60316d668c4bd1b465d25bcbfb12e6b96
Reviewed-on: https://chromium-review.googlesource.com/677786
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#525056}

[modify] https://crrev.com/e679eb591b3d49ee08cacb83bf4b3e2d5cc4a80e/content/shell/browser/layout_test/blink_test_controller.cc
[modify] https://crrev.com/e679eb591b3d49ee08cacb83bf4b3e2d5cc4a80e/content/shell/browser/layout_test/blink_test_controller.h
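The lifetime pattern the commit above describes, as an added example that is not Chromium code and not part of this bug thread: a controller requests an asynchronous layout dump, is destroyed before the reply arrives, and the reply callback then either holds a raw |this| (the base::Unretained shape that crashed) or a weak pointer (the fix). std::function, std::shared_ptr and std::weak_ptr stand in for base::OnceCallback, base::Unretained and base::WeakPtr; FakeLayoutTestControl, Controller, DumpStats, RunScenario and BeginDump are hypothetical names. The LiveControllers registry exists only so the unsafe path can report a dangling pointer instead of dereferencing freed memory, which in the real code is the undefined behaviour ASan flagged.

```cpp
// Added illustration of this bug and its fix, not Chromium code. std::function,
// std::shared_ptr and std::weak_ptr stand in for base::OnceCallback,
// base::Unretained and base::WeakPtr; FakeLayoutTestControl stands in for the
// Mojo interface that delivers the DumpFrameLayout reply. All names hypothetical.
#include <cassert>
#include <functional>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

using LayoutCallback = std::function<void(const std::string&)>;

// A Mojo reply runs on a later message-loop turn, so the object that
// requested it may already be gone when the reply arrives.
struct FakeLayoutTestControl {
  std::vector<LayoutCallback> pending;
  void DumpFrameLayout(LayoutCallback cb) { pending.push_back(std::move(cb)); }
  void RunPendingResponses(const std::string& dump) {
    std::vector<LayoutCallback> batch = std::move(pending);
    pending.clear();
    for (LayoutCallback& cb : batch) cb(dump);
  }
};

// Addresses of live controllers. Demonstration device only: lets the unsafe
// path *detect* a dangling |this| instead of reading freed memory.
static std::set<const void*>& LiveControllers() {
  static std::set<const void*> live;
  return live;
}

struct DumpStats {
  int completed = 0;  // reply reached a live controller
  int dangling = 0;   // reply fired holding a freed |this| (the bug)
  int dropped = 0;    // reply skipped because the weak pointer was null (the fix)
};

class Controller : public std::enable_shared_from_this<Controller> {
 public:
  explicit Controller(DumpStats* stats) : stats_(stats) { LiveControllers().insert(this); }
  ~Controller() { LiveControllers().erase(this); }

  // Pre-fix shape: the reply callback holds a raw |this| (base::Unretained).
  void InitiateDumpUnretained(FakeLayoutTestControl* pipe) {
    BeginDump();
    Controller* raw = this;
    DumpStats* stats = stats_;  // captured separately: |raw->stats_| may be freed
    pipe->DumpFrameLayout([raw, stats](const std::string& dump) {
      if (LiveControllers().count(raw) == 0) { ++stats->dangling; return; }
      raw->OnDumpFrameLayoutResponse(dump);
    });
  }

  // Post-fix shape: the callback holds a weak pointer and is a no-op once the
  // controller is destroyed. (base::WeakPtr never extends the lifetime;
  // std::weak_ptr::lock() does for the duration of the call, irrelevant here.)
  void InitiateDumpWeak(FakeLayoutTestControl* pipe) {
    BeginDump();
    std::weak_ptr<Controller> weak = shared_from_this();
    DumpStats* stats = stats_;
    pipe->DumpFrameLayout([weak, stats](const std::string& dump) {
      std::shared_ptr<Controller> self = weak.lock();
      if (!self) { ++stats->dropped; return; }
      self->OnDumpFrameLayoutResponse(dump);
    });
  }

 private:
  // Mirrors the DCHECK the fix adds to OnInitiateLayoutDump: one dump in flight.
  void BeginDump() { assert(!dump_in_progress_); dump_in_progress_ = true; }
  void OnDumpFrameLayoutResponse(const std::string& /*dump*/) {
    dump_in_progress_ = false;
    ++stats_->completed;
  }

  DumpStats* stats_;
  bool dump_in_progress_ = false;
};

// The sequence ClusterFuzz hit: request a dump, destroy the controller before
// the renderer replies, then deliver the reply. destroy_early=false is the
// normal path, which both shapes must still complete.
DumpStats RunScenario(bool use_weak_ptr, bool destroy_early) {
  DumpStats stats;
  FakeLayoutTestControl pipe;
  std::shared_ptr<Controller> controller = std::make_shared<Controller>(&stats);
  if (use_weak_ptr) controller->InitiateDumpWeak(&pipe);
  else controller->InitiateDumpUnretained(&pipe);
  if (destroy_early) controller.reset();  // BlinkTestController torn down mid-dump
  pipe.RunPendingResponses("layout dump");
  return stats;
}

int main() {
  assert(RunScenario(false, true).dangling == 1);   // pre-fix: use-after-free
  assert(RunScenario(true, true).dropped == 1);     // post-fix: reply ignored
  assert(RunScenario(true, false).completed == 1);  // normal path unaffected
  return 0;
}
```

The weak-pointer binding only removes the crash; it does not explain why the controller went away mid-dump, which is why the commit pairs it with the one-dump-in-flight DCHECK (BeginDump() here). With the symptom silenced, that assertion is what keeps the underlying lifetime question visible in debug builds.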
Dec 19 2017
Marking as fixed - I am assuming that ClusterFuzz will complain if the issue still repros.
Dec 26 2017
ClusterFuzz testcase 4978265663209472 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Comment 1 by kkaluri@chromium.org, Sep 15 2017
Components: Infra>Client>Mojo Blink
Labels: M-62 Test-Predator-Wrong
Owner: lukasza@chromium.org
Status: Assigned (was: Untriaged)