Null-dereference READ in blink::ThreadState::FreePersistentNode
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4760437647474688
Fuzzer: inferno_twister
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x00000008
Crash State:
  blink::ThreadState::FreePersistentNode
  blink::PersistentBase<blink::Permissions,blink::WeaknessPersistentConfiguration:
  blink::PtrStorageImpl<blink::HistoryItem,blink::WebPrivatePtrDestruction::kWebPr
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=519268:519279
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4760437647474688
Additional requirements: Requires Gestures
Additional requirements: Requires HTTP
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Nov 27 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/27d21eb0af100f86a2dfca5bccecf60e2d71f70e (Unify SetRemoteDescription track and SRD resolve events in one callback.). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Nov 27 2017
Reported at the same time blaming the same CL: https://crbug.com/788809. May be related, investigating there.
Nov 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1aa2887ffca8e6ce3a74891e71720bc3e0ad809c

commit 1aa2887ffca8e6ce3a74891e71720bc3e0ad809c
Author: Henrik Boström <hbos@chromium.org>
Date: Mon Nov 27 18:55:09 2017

WebRtcSetRemoteDescriptionObserverImpl: Reset WebRTCVoidRequest on main thread

This prevents a race between the main thread and the webrtc signaling thread dictating on which thread the observer is destroyed, and by extension which thread destroys WebRTCVoidRequest. It is not safe to reset the request on the webrtc signaling thread; by explicitly calling Reset in the callback we ensure it has already been reset when the destructor runs.

The referenced bugs are suspected to be caused by this bug.

NOTRY=True
TBR=guidou@chromium.org

Bug: 788809, 788802
Change-Id: Ie725fc9af85fbb4e925f1410f1c728da7173350e
Reviewed-on: https://chromium-review.googlesource.com/791350
Commit-Queue: Henrik Boström <hbos@chromium.org>
Reviewed-by: Henrik Boström <hbos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#519354}

[modify] https://crrev.com/1aa2887ffca8e6ce3a74891e71720bc3e0ad809c/content/renderer/media/rtc_peer_connection_handler.cc
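The lifetime race the commit message describes, shown as an added C++ illustration that is not Chromium or WebRTC code: an observer is reference-counted by both the main thread and a signaling thread, so whichever thread drops the last reference runs the destructor, and with it the destructor of a member that may only be torn down on the main thread. The names `ThreadAffineRequest`, `Observer` and `RunScenario` are assumptions made for this example; the thread-affine member stands in for `WebRTCVoidRequest` and simply records a violation instead of crashing, and the fix is modelled the same way as in the commit, by resetting the member explicitly in the main-thread callback.

```cpp
#include <atomic>
#include <cstdio>
#include <future>
#include <memory>
#include <thread>

// Hypothetical stand-in for a main-thread-only object such as WebRTCVoidRequest:
// it remembers the thread that created it and flags destruction on any other thread.
class ThreadAffineRequest {
 public:
  explicit ThreadAffineRequest(std::atomic<bool>* violation)
      : owner_(std::this_thread::get_id()), violation_(violation) {}
  ~ThreadAffineRequest() {
    if (std::this_thread::get_id() != owner_) violation_->store(true);
  }

 private:
  std::thread::id owner_;
  std::atomic<bool>* violation_;
};

// Observer shared between the main thread and the signaling thread via shared_ptr.
// The last thread to release its reference runs ~Observer, and therefore
// ~ThreadAffineRequest, unless the request was already reset.
class Observer {
 public:
  explicit Observer(std::atomic<bool>* violation)
      : request_(std::make_unique<ThreadAffineRequest>(violation)) {}

  // Runs on the main thread once the signaling thread reports completion.
  // With reset_explicitly == true this mirrors the commit's fix.
  void OnCompleteOnMainThread(bool reset_explicitly) {
    if (reset_explicitly) request_.reset();
  }

 private:
  std::unique_ptr<ThreadAffineRequest> request_;
};

// Returns true if the request ended up being destroyed on the signaling thread.
// Sequencing is forced with promises so the outcome is deterministic:
// main drops its reference first, the signaling thread drops the last one.
bool RunScenario(bool reset_on_main) {
  std::atomic<bool> violation{false};
  auto observer = std::make_shared<Observer>(&violation);  // created on main

  std::promise<void> callback_sent;   // signaling -> main: "operation finished"
  std::promise<void> main_released;   // main -> signaling: "my reference is gone"

  std::thread signaling([observer, &callback_sent, &main_released]() mutable {
    callback_sent.set_value();
    main_released.get_future().wait();
    observer.reset();  // last reference: ~Observer runs on the signaling thread
  });

  callback_sent.get_future().wait();
  observer->OnCompleteOnMainThread(reset_on_main);
  observer.reset();  // main thread gives up its reference first
  main_released.set_value();
  signaling.join();
  return violation.load();
}

int main() {
  std::printf("without explicit reset: wrong-thread destruction = %d\n",
              RunScenario(false));
  std::printf("with explicit reset on main: wrong-thread destruction = %d\n",
              RunScenario(true));
  return 0;
}
```

The check in `~ThreadAffineRequest` is the cheap detection a defender can keep in debug builds: it turns a silent cross-thread teardown into an observable failure long before the garbage collector's persistent-node bookkeeping is corrupted.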
Nov 27 2017
Speculatively marking this as Fixed, without having been able to verify because I couldn't repro.
Nov 28 2017
ClusterFuzz has detected this issue as fixed in range 519344:519369.

Detailed report: https://clusterfuzz.com/testcase?key=4760437647474688
Fuzzer: inferno_twister
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x00000008
Crash State:
  blink::ThreadState::FreePersistentNode
  blink::PersistentBase<blink::Permissions,blink::WeaknessPersistentConfiguration:
  blink::PtrStorageImpl<blink::HistoryItem,blink::WebPrivatePtrDestruction::kWebPr
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=519268:519279
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=519344:519369
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4760437647474688
Additional requirements: Requires Gestures
Additional requirements: Requires HTTP
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 28 2017
ClusterFuzz testcase 4760437647474688 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 5 2017
Issue 788760 has been merged into this issue.
Comment 1 by ClusterFuzz, Nov 27 2017
Labels: Test-Predator-Auto-Components