Direct-leak in Update
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6080858963574784

Fuzzer: afl_content_security_policy_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Direct-leak
Crash Address:
Crash State:
  Update
  InitializeBuiltinFromReservation
  v8::internal::BuiltinDeserializer::InitializeBuiltinsTable

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=499980:500028

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6080858963574784

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 2 2017
One of the sources of the leaks is from blink::LocalFrame::LocalFrame. Setting component to Blink>Internals, according to core/frame/OWNERS.
Oct 3 2017
Test Predator has given the following results:

Reduce situations where TaskRunnerHelper can't get a per-frame task queue by japhet@chromium.org

Changelist touched lines near the crashed line in frame #4 blink::Document::Document(blink::DocumentInit const&, unsigned char) (distance = 65 lines away)

Top touched frame is #2 blink::Document::AddConsoleMessage (in Document.cpp)

Changed files DeviceSingleWindowEventController.cpp, PlatformEventController.cpp, PlatformEventController.h, with the same CrashedDirectory (third_party/WebKit/Source/core/frame) as LocalFrameView.cpp (in frame#2, frame#3, frame#4), LocalFrame.cpp (in frame#4, frame#5, frame#7), Settings.h (in frame#4), LayoutSubtreeRootList.h (in frame#2), LocalDOMWindow.cpp (in frame#8, frame#3), Settings.cpp (in frame#5), PageScaleConstraintsSet.h (in frame#4, frame#5)

Changed files Document.cpp, Document.h, TaskRunnerHelper.cpp, with the same CrashedDirectory (third_party/WebKit/Source/core/dom) as Node.cpp (in frame#1), Document.cpp (in frame#8, frame#2, frame#4, frame#6, frame#7), ContextFeatures.h (in frame#4), ContextFeatures.cpp (in frame#7)

Touched files in stacktrace - Document.cpp

Changed files DeviceSingleWindowEventController.cpp, PlatformEventController.cpp, PlatformEventController.h, with the same CrashedComponent (Blink>Internals) as LocalFrameView.cpp (in frame#2, frame#3, frame#4), LocalFrame.cpp (in frame#4, frame#5, frame#7), ContentSecurityPolicyFuzzer.cpp (in frame#5, frame#6, frame#7), ContentSecurityPolicy.cpp (in frame#3), Settings.h (in frame#4), LayoutSubtreeRootList.h (in frame#2), SecurityOrigin.cpp (in frame#5), LocalDOMWindow.cpp (in frame#8, frame#3), Settings.cpp (in frame#5), PageScaleConstraintsSet.h (in frame#4, frame#5)

Changed files CanvasAsyncBlobCreator.cpp, CanvasAsyncBlobCreator.h, with the same CrashedComponent (Blink>HTML) as HTMLDocument.cpp (in frame#5), HTMLDocument.h (in frame#6)

Changed files Document.cpp, Document.h, TaskRunnerHelper.cpp, with the same CrashedComponent (Blink>DOM) as Node.cpp (in frame#1), Document.cpp (in frame#8, frame#2, frame#4, frame#6, frame#7), ContextFeatures.h (in frame#4), ContextFeatures.cpp (in frame#7)

@japhet -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes. Thank You.
Oct 4 2017
I reverted my change locally and it still appears to be leaking. This is very strange, because the leak reports appear to be for initialization data (the DummyPageHolder that is explicitly commented to be leaked, V8 init data, etc). That makes me think this is a case of missing suppressions, but I'm not sure. jbroman@, it looks like you wrote this fuzzer, do you have any thoughts? Feel free to reassign to me if you're not a good person to bug about this.
Oct 4 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/808d1dbc8faa17e394f74376a8fdbdecd9d0696f

commit 808d1dbc8faa17e394f74376a8fdbdecd9d0696f
Author: Jeremy Roman <jbroman@chromium.org>
Date: Wed Oct 04 21:24:08 2017

Do not check for memory leaks from CSP fuzzer initialization.

Memory allocated here is expected to leak.

Bug: 770463
Change-Id: Iaa741c9753e018fe76d7e008d40d42a79e93c6fa
Reviewed-on: https://chromium-review.googlesource.com/701416
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Commit-Queue: Jeremy Roman <jbroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#506521}

[modify] https://crrev.com/808d1dbc8faa17e394f74376a8fdbdecd9d0696f/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyFuzzer.cpp
Oct 10 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6a02154b51b6cfcc7ec49a1a7b55bea4724e9e49

commit 6a02154b51b6cfcc7ec49a1a7b55bea4724e9e49
Author: Jeremy Roman <jbroman@chromium.org>
Date: Tue Oct 10 22:16:55 2017

CSP Fuzzer: Initialize the lsan disabled scope after Oilpan.

Bug: 770463, 771855
Change-Id: I681bd5c48cae4ddb2816961d85e2019e959e8763
Reviewed-on: https://chromium-review.googlesource.com/710512
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Commit-Queue: Jeremy Roman <jbroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#507793}

[modify] https://crrev.com/6a02154b51b6cfcc7ec49a1a7b55bea4724e9e49/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicyFuzzer.cpp
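The two commit notifications above only name the file that changed; they do not show the code. The harness below is an added illustration of the pattern their titles describe, written for this page and not taken from Chromium's ContentSecurityPolicyFuzzer.cpp: one-time initialization whose heap blocks are meant to live until the process exits is performed inside a scope where LeakSanitizer reporting is switched off with __lsan_disable()/__lsan_enable(), and that scope ends before any fuzz input is processed, so genuine per-input leaks are still reported. ScopedLsanDisabler, HarnessState, LsanDisableDepth and CountKnownDirectives are hypothetical names chosen here; the directive list and the sample header are constructed, and the toy directive counter stands in for real CSP parsing. In a build without ASan or LSan the sanitizer calls compile away and the file still links.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Detect a LeakSanitizer-capable build (clang -fsanitize=address/leak,
// gcc -fsanitize=address). Elsewhere the __lsan_* calls compile to nothing.
#if defined(__has_feature)
#  if __has_feature(address_sanitizer) || __has_feature(leak_sanitizer)
#    define HARNESS_HAS_LSAN 1
#  endif
#elif defined(__SANITIZE_ADDRESS__)
#  define HARNESS_HAS_LSAN 1
#endif
#if HARNESS_HAS_LSAN
#  include <sanitizer/lsan_interface.h>
#endif

// Nesting depth of live disabler scopes, exposed so a test can confirm that
// initialization hands leak checking back on when it finishes.
static int g_lsan_disable_depth = 0;
int LsanDisableDepth() { return g_lsan_disable_depth; }

// RAII scope (hypothetical helper, not Blink's own class): heap blocks
// allocated while an instance is alive are treated by LSan as intentional
// and never reported; allocations after the scope ends are checked as usual.
class ScopedLsanDisabler {
 public:
  ScopedLsanDisabler() {
    ++g_lsan_disable_depth;
#if HARNESS_HAS_LSAN
    __lsan_disable();
#endif
  }
  ~ScopedLsanDisabler() {
#if HARNESS_HAS_LSAN
    __lsan_enable();
#endif
    --g_lsan_disable_depth;
  }
  ScopedLsanDisabler(const ScopedLsanDisabler&) = delete;
  ScopedLsanDisabler& operator=(const ScopedLsanDisabler&) = delete;
};

// Process-lifetime state, standing in for the page holder / V8 data the
// report above lists. It is deliberately never freed.
struct HarnessState {
  std::vector<std::string> known_directives;
};
static HarnessState* g_state = nullptr;

// libFuzzer entry point, run once before any input. Everything it allocates
// is expected to live until exit, so it is allocated inside the disabler
// scope rather than suppressed after the fact.
extern "C" int LLVMFuzzerInitialize(int* /*argc*/, char*** /*argv*/) {
  if (g_state != nullptr) return 0;  // idempotent: safe to call twice
  ScopedLsanDisabler ignore_init_allocations;
  g_state = new HarnessState{{"default-src", "script-src", "style-src",
                              "img-src", "connect-src"}};
  return 0;
}  // scope ends here, so leaks in per-input code are still detected

// Toy stand-in for CSP parsing: count ';'-separated directives whose name is
// in the known list. All per-input memory is owned by locals, so a leak here
// would be reported, which is exactly what the fuzzer exists to catch.
int CountKnownDirectives(const uint8_t* data, size_t size) {
  if (g_state == nullptr) LLVMFuzzerInitialize(nullptr, nullptr);
  if (data == nullptr || size == 0) return 0;
  std::string header(reinterpret_cast<const char*>(data), size);
  int known = 0;
  size_t pos = 0;
  while (pos <= header.size()) {
    size_t end = header.find(';', pos);
    if (end == std::string::npos) end = header.size();
    std::string directive = header.substr(pos, end - pos);
    size_t start = directive.find_first_not_of(" \t");
    if (start != std::string::npos) {
      size_t name_end = directive.find_first_of(" \t", start);
      std::string name = directive.substr(
          start, name_end == std::string::npos ? std::string::npos
                                               : name_end - start);
      for (const std::string& k : g_state->known_directives) {
        if (k == name) { ++known; break; }
      }
    }
    pos = end + 1;
  }
  return known;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  CountKnownDirectives(data, size);
  return 0;  // libFuzzer ignores any value other than 0 / -1
}

int main() {
  LLVMFuzzerInitialize(nullptr, nullptr);
  const char sample[] =
      "default-src 'self'; script-src 'self' https://example.com; bogus-src x";
  int found = CountKnownDirectives(reinterpret_cast<const uint8_t*>(sample),
                                   sizeof(sample) - 1);
  return found == 2 ? 0 : 1;
}
```

Build it with clang -fsanitize=address (or -fsanitize=leak) to see the effect: the HarnessState block is never reported, while a missing delete in CountKnownDirectives would be. The position of the scope is what the second commit's title is about: it must be alive while the long-lived allocations happen and must not cover the per-input path, and when another subsystem has to be set up first, the disabler is constructed after that setup rather than before it.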
Oct 13 2017
ClusterFuzz testcase 6080858963574784 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 7 2017
Comment 1 by ClusterFuzz, Oct 1 2017
Labels: Test-Predator-AutoComponents