Predator has provided some possible suspects.

Suspect CL: https://chromium.googlesource.com/chromium/src/+/c62775cd257c4c05e748d3f685dfe6181c28c377

dcheng@ -- Could you please look into the issue, kindly re-assign if this is not related to your changes.


Thank You.

This has nothing to do with dcheng's CL. It started because I fixed the fuzzer and now it's finding bugs it couldn't find before.

This is a fun one!

Here's what happens:

Fuzzer calls CreateRequest() first. That request starts, and the socket write and read both complete synchronously with OK, but the response is malformed. This sends the attempt back to STATE_READ_RESPONSE (https://cs.chromium.org/chromium/src/net/dns/dns_transaction.cc?dr&l=260). The second socket read also returns with OK, but asynchronously. In the meantime, instead of ERR_IO_PENDING, the attempt returns to its caller with ERR_MALFORMED_RESPONSE, which is a synchronous return so it posts a DoCallback() (https://cs.chromium.org/chromium/src/net/dns/dns_transaction.cc?dr&l=610).

[A second transaction starts here and does some stuff, but this is irrelevant to the crash.]

Next, the fuzzer calls WaitForRequestComplete(). There's only the one request. This starts a RunLoop. The first thing it calls is the socket read finishing. This time it's a valid response, and this completes the attempt, which synchronously runs DoCallback(). That deletes the callback, but the transaction itself isn't deleted.

The next thing the RunLoop runs is the DoCallback() that was posted after receiving the ERR_MALFORMED_RESPONSE earlier. But the callback is already gone, so it crashes.

I don't know how to fix this without breaking something else, but wow, that ERR_MALFORMED_RESPONSE behavior is weird and I'm not surprised it doesn't work right.

I checked crash reports and it looks like this crash has happened in the wild, but it's extremely rare.

Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/c62775cd257c4c05e748d3f685dfe6181c28c377 (Change CHECK to DCHECK in base::Pickle::WriteData.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Okay, fine, I'll assign it to myself if you're going to keep doing that.

Sorry for the spam. No need to keep it assigned to yourself, just corrected the issue on the ClusterFuzz side that caused the reassignment (it wasn't checking for previous assignments to the owner initially, but this shouldn't keep happening).

 Issue 777129  has been merged into this issue.

For more information, please see https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md.

The link referenced in the description is no longer valid.

 Issue 779323  has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1009208271f8f3af982c4d3d9c65fa86ea378f9c

commit 1009208271f8f3af982c4d3d9c65fa86ea378f9c
Author: Miriam Gershenson <mgersh@chromium.org>
Date: Tue Oct 31 17:41:05 2017

Avoid crashes caused by multiple DnsAttempts

When DnsUDPAttempt gets a mismatched response, it returns
ERR_DNS_MALFORMED_RESPONSE but keeps the attempt running while another
one starts. DnsTransaction doesn't handle this case very well. This CL
handles the two crashes that the fuzzer has found and adds a regression
test that catches both of them. There's a bug filed
(https://crbug.com/779589) for a more complete fix.

Bug:  768150 ,  774846 
Change-Id: I0630d73a2e0d1cc179e7fe2139c030d58d25d90f
Reviewed-on: https://chromium-review.googlesource.com/743810
Reviewed-by: Julia Tuttle <juliatuttle@chromium.org>
Commit-Queue: Miriam Gershenson <mgersh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#512864}
[modify] https://crrev.com/1009208271f8f3af982c4d3d9c65fa86ea378f9c/net/dns/dns_transaction.cc
[modify] https://crrev.com/1009208271f8f3af982c4d3d9c65fa86ea378f9c/net/dns/dns_transaction_unittest.cc

Marking this one fixed, leaving issue 779589 open for the underlying cause.

ClusterFuzz testcase 5170821982322688 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4c4c55821ddb4c0fe2ce872bc6c29927384d6208

commit 4c4c55821ddb4c0fe2ce872bc6c29927384d6208
Author: Miriam Gershenson <mgersh@chromium.org>
Date: Fri Nov 03 14:18:29 2017

Avoid crashes caused by multiple DnsAttempts

When DnsUDPAttempt gets a mismatched response, it returns
ERR_DNS_MALFORMED_RESPONSE but keeps the attempt running while another
one starts. DnsTransaction doesn't handle this case very well. This CL
handles the two crashes that the fuzzer has found and adds a regression
test that catches both of them. There's a bug filed
(https://crbug.com/779589) for a more complete fix.

Bug:  768150 ,  774846 
Change-Id: I0630d73a2e0d1cc179e7fe2139c030d58d25d90f
Reviewed-on: https://chromium-review.googlesource.com/743810
Reviewed-by: Julia Tuttle <juliatuttle@chromium.org>
Commit-Queue: Miriam Gershenson <mgersh@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#512864}(cherry picked from commit 1009208271f8f3af982c4d3d9c65fa86ea378f9c)
Reviewed-on: https://chromium-review.googlesource.com/753821
Reviewed-by: Miriam Gershenson <mgersh@chromium.org>
Cr-Commit-Position: refs/branch-heads/3239@{#364}
Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}
[modify] https://crrev.com/4c4c55821ddb4c0fe2ce872bc6c29927384d6208/net/dns/dns_transaction.cc
[modify] https://crrev.com/4c4c55821ddb4c0fe2ce872bc6c29927384d6208/net/dns/dns_transaction_unittest.cc