Abrt in [vdso]

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6230757063524352

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x00000001
Crash State:
  [vdso]
  blink::ReportFatalErrorInMainThread
  v8::V8::ToLocalEmpty

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=508795:508884

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6230757063524352

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Oct 16 2017

Kentaro, can you take a look? It is reporting an API error, trying to create a wrapper for a DOM object, which indicates it's a Blink issue.
Oct 16 2017

This is crashing in CreateWrapper. yukishiino: Would you take a look?

==1==ERROR: AddressSanitizer: ABRT on unknown address 0x00000001 (pc 0xcff1a440 bp 0xffb8b738 sp 0xffb8b5d4 T0)
SCARINESS: 10 (signal)
    #0 0xcff1a43f in [vdso]
    #1 0xda880694 in logging::LogMessage::~LogMessage() base/logging.cc:791:7
    #2 0xebd9c2a6 in blink::ReportFatalErrorInMainThread(char const*, char const*) third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp:84:3
    #3 0xd64aa774 in ReportApiFailure v8/src/api.cc:412:5
    #4 0xd64aa774 in ApiCheck v8/src/api.h:124
    #5 0xd64aa774 in v8::V8::ToLocalEmpty() v8/src/api.cc:1023
    #6 0xe520eb99 in ToLocalChecked v8/include/v8.h:9276:37
    #7 0xe520eb99 in blink::V8PerContextData::CreateWrapperFromCacheSlowCase(blink::WrapperTypeInfo const*) third_party/WebKit/Source/platform/bindings/V8PerContextData.cpp:83
    #8 0xe520bcb8 in CreateWrapperFromCache third_party/WebKit/Source/platform/bindings/V8PerContextData.h:82:37
    #9 0xe520bcb8 in blink::V8DOMWrapper::CreateWrapper(v8::Isolate*, v8::Local<v8::Object>, blink::WrapperTypeInfo const*) third_party/WebKit/Source/platform/bindings/V8DOMWrapper.cpp:56
    #10 0xe51fe418 in blink::ScriptWrappable::Wrap(v8::Isolate*, v8::Local<v8::Object>) third_party/WebKit/Source/platform/bindings/ScriptWrappable.cpp:29:7
    #11 0xebeb5fe0 in ToV8 third_party/WebKit/Source/platform/bindings/ToV8.h:34:19
Oct 18 2017

dcheng@, could you take a look? Seeing the stacktrace, it's recursively unloading the document: document's unload => onunload handler => author script invokes another navigation => document's unload => onunload handler => author script invokes yet another navigation => ... (infinitely). Then it ran out of stack and crashed. I think that this is a problem of document unloading. Maybe a variation of Issue 773683, not sure though.
Oct 18 2017

Oct 23 2017

Issue 771806 has been merged into this issue.
Nov 7 2017

Apr 2 2018

Not reproducible anymore, let's wait on another repro.
Apr 9 2018

ClusterFuzz testcase 4869176127913984 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Comment 1 by ClusterFuzz, Oct 15 2017

Labels: Test-Predator-AutoComponents