Null-dereference in aura::client::GetCaptureWindow
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6449693893853184

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: Null-dereference
Crash Address: 0x0000005b
Crash State:
  aura::client::GetCaptureWindow
  aura::WindowTreeHost::OnHostLostWindowCapture
  ui::WinWindow::_ProcessWindowMessage

Memory Tool: SYZYASAN

Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=505526:505529

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6449693893853184

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Oct 3 2017
I have a fix up at https://chromium-review.googlesource.com/c/chromium/src/+/696846 (needs test)
Oct 3 2017
Oct 3 2017
Oct 5 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/026e47eb0e26eea7976036f40d7b2529a79abdcb

commit 026e47eb0e26eea7976036f40d7b2529a79abdcb
Author: Sadrul Habib Chowdhury <sadrul@chromium.org>
Date: Thu Oct 05 04:27:07 2017

aura: Fix a tear down crash.

It is possible to receive a capture-lost message while destroying a
WindowTreeHost. Make sure the code works correctly if that happens.

BUG= 770670

Change-Id: Idc176e7df5c9b9516264379cd086d441b71c4460
Reviewed-on: https://chromium-review.googlesource.com/696846
Commit-Queue: Sadrul Chowdhury <sadrul@chromium.org>
Reviewed-by: Scott Violet <sky@chromium.org>
Cr-Commit-Position: refs/heads/master@{#506648}

[modify] https://crrev.com/026e47eb0e26eea7976036f40d7b2529a79abdcb/ui/aura/BUILD.gn
[modify] https://crrev.com/026e47eb0e26eea7976036f40d7b2529a79abdcb/ui/aura/window_tree_host.cc
[modify] https://crrev.com/026e47eb0e26eea7976036f40d7b2529a79abdcb/ui/aura/window_tree_host_unittest.cc
[modify] https://crrev.com/026e47eb0e26eea7976036f40d7b2529a79abdcb/ui/platform_window/stub/stub_window.h
Oct 5 2017
Oct 7 2017
ClusterFuzz testcase 4558175717294080 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 7 2017
ClusterFuzz has detected this issue as fixed in range 506613:506660.

Detailed report: https://clusterfuzz.com/testcase?key=6449693893853184

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: Null-dereference
Crash Address: 0x0000005b
Crash State:
  aura::client::GetCaptureWindow
  aura::WindowTreeHost::OnHostLostWindowCapture
  ui::WinWindow::_ProcessWindowMessage

Memory Tool: SYZYASAN

Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=505526:505529
Fixed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=506613:506660

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6449693893853184

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by pnangunoori@chromium.org, Oct 3 2017
Labels: M-63 Test-Predator-Wrong
Owner: sadrul@chromium.org
Status: Assigned (was: Untriaged)