Null-dereference READ in test_runner::TestPlugin::Initialize
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6634697529753600

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  test_runner::TestPlugin::Initialize
  blink::HTMLEmbedElement::UpdatePluginInternal
  blink::HTMLPlugInElement::UpdatePlugin

Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6634697529753600

Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
Oct 9 2017
Predator and CL could not provide any possible suspects. Using code search for the file “HTMLEmbedElement.cpp”, assigning to the concerned owner from git blame. Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/f12fc43363084c86d32bf151fe94f2994a9df8c8 @japhet -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes. Thank You.
Oct 9 2017
This crash is flaky: clusterfuzz isn't reliably reproducing it, and I can't seem to get it to repro locally. The crashing line is https://chromium.googlesource.com/chromium/src/+/a9d1517bf2534e188b7d5a754083943a0ba45f73/content/shell/test_runner/test_plugin.cc#181, which implies that Platform::CreateOffscreenGraphicsContext3DProvider() is returning nullptr. I don't know enough about the graphics stack to know whether that's likely to be a bug, a hardware failure, a timing issue, or what. kbr, would you mind triaging this?
Oct 12 2017
The code seems to mostly handle failure to create the context, so fixing the first dereference in https://chromium-review.googlesource.com/714399.
Oct 13 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/75e1ece2dc50b024f743e61cf3889e2393be8355

commit 75e1ece2dc50b024f743e61cf3889e2393be8355
Author: Kenneth Russell <kbr@chromium.org>
Date: Fri Oct 13 22:00:05 2017

Null-check result of CreateOffscreenGraphicsContext3DProvider.

The TestPlugin seems to handle this being null or failing to initialize, so null-check the first use.

BUG= 772753
Change-Id: Icac4e1c4d48ee508743c83da8fbfe793823e3019
Reviewed-on: https://chromium-review.googlesource.com/714399
Reviewed-by: Pavel Feldman <pfeldman@chromium.org>
Commit-Queue: Kenneth Russell <kbr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#508831}

[modify] https://crrev.com/75e1ece2dc50b024f743e61cf3889e2393be8355/content/shell/test_runner/test_plugin.cc
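The failure mode and the fix discussed in this thread, as an added illustration that is not Chromium's code: a factory that legitimately returns null (no offscreen GPU context available on the bot) is dereferenced on its first use, which ASan reports as a null-dereference READ; the fix checks the factory result before that first use so the plugin reports initialization failure instead of crashing. The types and names below (FakeContextProvider, CreateOffscreenProvider, ProviderOutcome, TestPluginLike) are stand-ins invented for this example and do not mirror the real test_plugin.cc.

```cpp
// Added example, not Chromium's code. All names here are hypothetical stand-ins.
#include <iostream>
#include <memory>

// Stand-in for the graphics context provider the plugin asks the Platform for.
struct FakeContextProvider {
  bool bind_ok;
  explicit FakeContextProvider(bool ok) : bind_ok(ok) {}
  // Models the "bind to current thread" step failing after a successful creation,
  // the failure path the original code already handled.
  bool BindToCurrentThread() const { return bind_ok; }
};

// Outcomes the stand-in factory can produce (constructed for this example).
enum class ProviderOutcome { kCreateFails, kBindFails, kOk };

// Stand-in for Platform::CreateOffscreenGraphicsContext3DProvider(): returning
// nullptr is a normal result when no GPU context can be created, not an error
// the caller may ignore.
std::unique_ptr<FakeContextProvider> CreateOffscreenProvider(ProviderOutcome outcome) {
  switch (outcome) {
    case ProviderOutcome::kCreateFails: return nullptr;
    case ProviderOutcome::kBindFails:   return std::make_unique<FakeContextProvider>(false);
    case ProviderOutcome::kOk:          return std::make_unique<FakeContextProvider>(true);
  }
  return nullptr;
}

class TestPluginLike {
 public:
  // Pre-fix shape: the provider is dereferenced on its very first use. With
  // kCreateFails that is a null-dereference READ, which is what ASan reported.
  // Kept for contrast only; not called with kCreateFails anywhere below.
  bool InitializeUnchecked(ProviderOutcome outcome) {
    context_provider_ = CreateOffscreenProvider(outcome);
    if (!context_provider_->BindToCurrentThread())  // first use, no null check
      return false;
    return FinishInit();
  }

  // Post-fix shape: check the factory result before its first use, so a failed
  // context creation degrades to "plugin failed to initialize" instead of a crash.
  bool Initialize(ProviderOutcome outcome) {
    context_provider_ = CreateOffscreenProvider(outcome);
    if (!context_provider_)  // the added null check
      return false;
    if (!context_provider_->BindToCurrentThread())  // already-handled failure path
      return false;
    return FinishInit();
  }

  bool initialized() const { return initialized_; }

 private:
  bool FinishInit() {
    initialized_ = true;
    return true;
  }
  std::unique_ptr<FakeContextProvider> context_provider_;
  bool initialized_ = false;
};

int main() {
  // Exercise only the checked path; every outcome now returns instead of crashing.
  for (auto outcome : {ProviderOutcome::kCreateFails, ProviderOutcome::kBindFails,
                       ProviderOutcome::kOk}) {
    TestPluginLike plugin;
    bool ok = plugin.Initialize(outcome);
    std::cout << "outcome " << static_cast<int>(outcome) << " -> Initialize returned "
              << (ok ? "true" : "false") << ", initialized=" << plugin.initialized() << "\n";
  }
  return 0;
}
```

The point the thread makes is visible in the two Initialize variants: the later failure path (bind) was already handled, so the only missing piece was one check between the factory call and the first dereference. Sanitizer-found null dereferences of this shape are usually a missing check at exactly that boundary, and a speculative fix there is verifiable from crash statistics as the report suggests.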
Oct 13 2017
Closing as Fixed. Please reopen if it isn't.
Nov 7 2017
Comment 1 by ClusterFuzz, Oct 8 2017
Labels: Test-Predator-AutoComponents