Null-dereference in net::PartialData::IsLastRange
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4801669140578304

Fuzzer: inferno_webbot
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Null-dereference
Crash Address: 0x000000000061
Crash State:
  net::PartialData::IsLastRange
  net::HttpCache::Transaction::DoUpdateCachedResponseComplete
  net::HttpCache::Transaction::DoLoop

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=512502:512508

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4801669140578304

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Oct 31 2017
maxmorin, could your experiment [1] affect request timing in the network stack? I wonder if it is exposing existing race condition in the cache. [1]: https://chromium.googlesource.com/chromium/src/+/0e7899a13813cf957607296027b254feef630138%5E%21/#F0
Oct 31 2017
oops, +maxmorin for real this time, could you take a look at #2?
Oct 31 2017
No, the code is only in use when creating/controlling audio streams.
Oct 31 2017
That's a very not-self-contained "reduced" testcase... FWIW, it is reproducible, though; and I suspect the immediate cause for the crash is https://chromium-review.googlesource.com/c/chromium/src/+/684615/40/net/http/http_cache_transaction.cc#b1787

#0 0x00007fffd8eebc4a in net::PartialData::IsLastRange() const () at ../../net/http/partial_data.cc:180
#1 0x00007fffd8c27879 in DoUpdateCachedResponseComplete () at ../../net/http/http_cache_transaction.cc:1799
#2 0x00007fffd8bf7949 in net::HttpCache::Transaction::DoLoop(int) () at ../../net/http/http_cache_transaction.cc:905
#3 0x00007fffd8beddc8 in net::HttpCache::Transaction::OnIOComplete(int) () at ../../net/http/http_cache_transaction.cc:3348
#4 0x00007fffd8c4c90e in Invoke<base::WeakPtr<net::HttpCache::Transaction> const&, int> () at ../../base/bind_internal.h:194
#5 0x00007fffd8c4c542 in MakeItSo<void (net::HttpCache::Transaction::* const&)(int), base::WeakPtr<net::HttpCache::Transaction> const&, int> () at ../../base/bind_internal.h:297
#6 0x00007fffd8c4c2d7 in RunImpl<void (net::HttpCache::Transaction::* const&)(int), std::__1::tuple<base::WeakPtr<net::HttpCache::Transaction> > const&, 0> () at ../../base/bind_internal.h:349
#7 0x00007fffd8c4c1bb in Run () at ../../base/bind_internal.h:331
#8 0x00007fffd802c4fa in Run () at ../../base/callback.h:103
#9 0x00007fffd86470cd in disk_cache::InFlightBackendIO::OnOperationComplete(disk_cache::BackgroundIO*, bool) () at ../../net/disk_cache/blockfile/in_flight_backend_io.cc:550
#10 0x00007fffd864b21d in InvokeCallback () at ../../net/disk_cache/blockfile/in_flight_io.cc:103
#11 0x00007fffd864a4b7 in disk_cache::BackgroundIO::OnIOSignalled() () at ../../net/disk_cache/blockfile/in_flight_io.cc:25
warning: (Internal error: pc 0x7fffd864a4b6 in read in CU, but not in symtab.)
#12 0x00007fffd865120d in void base::internal::FunctorTraits<void (disk_cache::BackgroundIO::*)(), void>::Invoke<scoped_refptr<disk_cache::BackgroundIO> const&>(void (disk_cache::BackgroundIO::*)(), scoped_refptr<disk_cache::BackgroundIO> const&) () at ../../base/bind_internal.h:194
#13 0x00007fffd8650ef9 in MakeItSo<void (disk_cache::BackgroundIO::* const&)(), scoped_refptr<disk_cache::BackgroundIO> const&> () at ../../base/bind_internal.h:277
#14 0x00007fffd8650cff in RunImpl<void (disk_cache::BackgroundIO::* const&)(), std::__1::tuple<scoped_refptr<disk_cache::BackgroundIO> > const&, 0> () at ../../base/bind_internal.h:349
#15 0x00007fffd8650c03 in base::internal::Invoker<base::internal::BindState<void (disk_cache::BackgroundIO::*)(), scoped_refptr<disk_cache::BackgroundIO> >, void ()>::Run(base::internal::BindStateBase*) () at ../../base/bind_internal.h:331
#16 0x00007fffe4bcdf70 in Run () at ../../base/callback.h:64
#17 0x00007fffe4ce6e67 in RunTask () at ../../base/debug/task_annotator.cc:57
#18 0x00007fffe4eed9fb in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) () at ../../base/message_loop/incoming_task_queue.cc:130
#19 0x00007fffe4f092e5 in base::MessageLoop::RunTask(base::PendingTask*) () at ../../base/message_loop/message_loop.cc:394
#20 0x00007fffe4f09c6f in DeferOrRunPendingTask () at ../../base/message_loop/message_loop.cc:406
#21 0x00007fffe4f0a5d1 in DoWork () at ../../base/message_loop/message_loop.cc:450
#22 0x00007fffe4f3713b in Run () at ../../base/message_loop/message_pump_libevent.cc:220
#23 0x00007fffe4f07831 in Run () at ../../base/message_loop/message_loop.cc:345
#24 0x00007fffe517c024 in Run () at ../../base/run_loop.cc:114
#25 0x00007fffe544495f in base::Thread::Run(base::RunLoop*) () at ../../base/threading/thread.cc:255
#26 0x00007fffec7befd2 in content::BrowserThreadImpl::IOThreadRun(base::RunLoop*) () at ../../content/browser/browser_thread_impl.cc:248
#27 0x00007fffec7bf97f in content::BrowserThreadImpl::Run(base::RunLoop*) () at ../../content/browser/browser_thread_impl.cc:283
#28 0x00007fffe5446c3f in ThreadMain () at ../../base/threading/thread.cc:338
#29 0x00007fffe53dd5d8 in ThreadFunc () at ../../base/threading/platform_thread_posix.cc:75
#30 0x00007fffa8783184 in start_thread (arg=0x7fff7b8a3700) at pthread_create.c:312
#31 0x00007fffa4c6dffd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
Oct 31 2017
Recording some more state, given testcase non-self-containment:

The URL is http://customer3.videcom.com/ProflightZambia/VARS/Public/jsDeploy/2016.12.12.1/jqueryAll.min.js

$ HEAD http://customer3.videcom.com/ProflightZambia/VARS/Public/jsDeploy/2016.12.12.1/jqueryAll.min.js
200 OK
Cache-Control: no-cache
Date: Tue, 31 Oct 2017 15:42:54 GMT
Accept-Ranges: bytes
ETag: "0906b9d9854d21:0"
Server: Microsoft-IIS/7.5
Content-Length: 892922
Content-Type: application/x-javascript
Last-Modified: Mon, 12 Dec 2016 16:56:00 GMT
Client-Date: Tue, 31 Oct 2017 15:43:05 GMT
Client-Peer: 194.128.159.165:80
Client-Response-Num: 1
X-Powered-By: ASP.NET

partial_ is null, as expected.

(gdb) print validation_cause_
$5 = net::HttpCache::Transaction::VALIDATION_CAUSE_ZERO_FRESHNESS
(gdb) print cache_entry_status_
$6 = net::HttpResponseInfo::ENTRY_VALIDATED
(gdb) print mode_
$9 = net::HttpCache::Transaction::READ_WRITE
(gdb) print handling_206_
$10 = false

effective_load_flags_ flags is 256, which is just LOAD_VERIFY_EV_CERT
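To make the state recorded above concrete, the following is an added, constructed C++ model of the code path; it is not Chromium's net/http code and not the CL referenced in this thread. The names partial_, handling_206_, mode_ and IsLastRange() come from the crash state and gdb output above; the struct bodies, the factory functions and the decision to treat "no range state" as "nothing left to fetch" in the guarded version are assumptions of the model. It shows why a plain GET being revalidated (200 OK, Cache-Control: no-cache, no Range header, so partial_ stays null) reaches the post-validation step with nothing to dereference, and what the guarded form of that step looks like.

```cpp
// Constructed model of the state involved in this crash; it is not
// Chromium's net/http code. The names partial_, handling_206_, mode_ and
// IsLastRange() are taken from the report; the bodies are assumptions.
#include <cstdint>
#include <iostream>
#include <memory>

// Range bookkeeping that only exists for a request carrying a Range header.
struct PartialData {
  int64_t first = 0;          // first byte of the current range
  int64_t last = 0;           // last byte of the current range (inclusive)
  int64_t resource_size = 0;  // total size learned from Content-Range
  bool IsLastRange() const { return last + 1 >= resource_size; }
};

enum class Mode { READ, WRITE, READ_WRITE };

struct Transaction {
  Mode mode_ = Mode::READ_WRITE;
  bool handling_206_ = false;
  std::unique_ptr<PartialData> partial_;  // null unless a Range was sent
};

// A plain GET that is being revalidated (the reproducer: a 200 response with
// Cache-Control: no-cache and no Range header) never creates partial_.
Transaction MakeFullRequest() {
  return Transaction{};
}

// A range request owns a PartialData describing the bytes asked for.
Transaction MakeRangeRequest(int64_t first, int64_t last, int64_t resource_size) {
  Transaction t;
  t.handling_206_ = true;
  t.partial_ = std::make_unique<PartialData>();
  t.partial_->first = first;
  t.partial_->last = last;
  t.partial_->resource_size = resource_size;
  return t;
}

// "Before": the post-validation step touches partial_ unconditionally.
// For a full request this is the null dereference UBSan reported; the
// function is kept only for contrast and is never called below.
bool DoneAfterValidationUnguarded(const Transaction& t) {
  return t.partial_->IsLastRange();
}

// "After": consult partial_ only when the transaction actually has one.
// Model assumption: a transaction without range state is handling the whole
// resource and therefore has nothing further to fetch.
bool DoneAfterValidationGuarded(const Transaction& t) {
  if (!t.partial_)
    return true;
  return t.partial_->IsLastRange();
}

int main() {
  const int64_t kSize = 892922;  // Content-Length from the HEAD output above
  std::cout << std::boolalpha
            << "full GET: done=" << DoneAfterValidationGuarded(MakeFullRequest()) << '\n'
            << "bytes 0-1023: done=" << DoneAfterValidationGuarded(MakeRangeRequest(0, 1023, kSize)) << '\n'
            << "final range: done=" << DoneAfterValidationGuarded(MakeRangeRequest(891904, kSize - 1, kSize)) << '\n';
  return 0;
}
```

The point the model makes is that partial_ is a mode-dependent member: its presence is decided when the request is built, so every later state in DoLoop that reads it has to re-check that precondition rather than assume the 206 path is the only way to get there.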
Oct 31 2017
Looks like it's already being worked on under a different number --- that has a CL linked.
Nov 1 2017
ClusterFuzz has detected this issue as fixed in range 512823:512886.

Detailed report: https://clusterfuzz.com/testcase?key=4801669140578304

Fuzzer: inferno_webbot
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Null-dereference
Crash Address: 0x000000000061
Crash State:
  net::PartialData::IsLastRange
  net::HttpCache::Transaction::DoUpdateCachedResponseComplete
  net::HttpCache::Transaction::DoLoop

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=512502:512508
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=512823:512886

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4801669140578304

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by kkaluri@chromium.org, Oct 31 2017
Components: Internals>Network
Labels: M-64 Test-Predator-Wrong CF-NeedsTriage