Null-dereference READ in blink::ThreadState::FreePersistentNode
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6227020274204672
Fuzzer: lcamtuf_cross_fuzz
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x00000008
Crash State:
  blink::ThreadState::FreePersistentNode
  blink::PersistentBase<blink::ChromeClient,blink::WeaknessPersistentConfiguration
  base::internal::BindState<void
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=509492:509545
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6227020274204672

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.

Oct 23 2017
Issue 776042 has been merged into this issue.

Oct 23 2017
Unable to provide possible suspect using Predator, CL and Code Search. Could someone please look into the issue. Thank You.

Oct 25 2017
leon.han@intel.com, can you please see if this is related to https://bugs.chromium.org/p/chromium/issues/detail?id=775395 ? Thank you!

Oct 25 2017
CC vmpstr@ who is the owner of issue 776478. According to the call stack in the detailed report https://clusterfuzz.com/testcase?key=6227020274204672, I think this issue is related to issue 776478 (the same ProcessNextImageDecodeOnWorkerThread() call in the stack), which seems to have already gotten some ideas about the root cause and fix solution.

[3464:3568:1018/031913.180:INFO:CONSOLE(1)] "Uncaught SyntaxError: Unexpected identifier", source: file:///C:/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-crossfuzz-1414873139.html (1)
    #2 0x1be180cb in base::internal::BindState<void (blink::VRDisplay::*)(double) __attribute__((thiscall)),blink::WeakPersistent<blink::VRDisplay>,double>::Destroy base/bind_internal.h:472
    #3 0x12bea902 in base::internal::CallbackBase::~CallbackBase base/callback_internal.cc:74
    #4 0x12d06441 in base::internal::BindState<void (*)(base::RepeatingCallback<void (const base::trace_event::MemoryDumpRequestArgs &)>, base::trace_event::MemoryDumpType, base::trace_event::MemoryDumpLevelOfDetail),base::RepeatingCallback<void (const base::trace_event::MemoryDumpRequestArgs &)>,base::trace_event::MemoryDumpType>::Destroy base/bind_internal.h:472
    #5 0x12bea902 in base::internal::CallbackBase::~CallbackBase base/callback_internal.cc:74
    #6 0x1830f4a1 in base::internal::BindState<void (*)(const media::VideoFrameMetadata *, const base::RepeatingCallback<void (double)> &),media::VideoFrameMetadata *,base::RepeatingCallback<void (double)> >::Destroy base/bind_internal.h:472
    #7 0x12bea902 in base::internal::CallbackBase::~CallbackBase base/callback_internal.cc:74
    #8 0x15735ba6 in cc::ImageController::ProcessNextImageDecodeOnWorkerThread cc/tiles/image_controller.cc:270
    #9 0x12dee94c in base::debug::TaskAnnotator::RunTask base/debug/task_annotator.cc:55
    #10 0x12e99864 in base::internal::TaskTracker::RunOrSkipTask base/task_scheduler/task_tracker.cc:411
    #11 0x12e97ace in base::internal::TaskTracker::RunNextTask base/task_scheduler/task_tracker.cc:311

Oct 26 2017
ClusterFuzz has detected this issue as fixed in range 510178:511643.

Detailed report: https://clusterfuzz.com/testcase?key=6227020274204672
Fuzzer: lcamtuf_cross_fuzz
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x00000008
Crash State:
  blink::ThreadState::FreePersistentNode
  blink::PersistentBase<blink::ChromeClient,blink::WeaknessPersistentConfiguration
  base::internal::BindState<void
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=509492:509545
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=510178:511643
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6227020274204672

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Oct 26 2017
ClusterFuzz testcase 6227020274204672 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Oct 19 2017 (Comment 1 by ClusterFuzz)
Labels: Test-Predator-AutoComponents