
Issue 791452

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 774925
Owner: ----
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Null-dereference READ in content::WebContentsImpl::GetInnerWebContents

Project Member Reported by ClusterFuzz, Dec 4 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5897331731070976

Fuzzer: ipc_fuzzer_mut
Job Type: linux_asan_chrome_ipc
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  content::WebContentsImpl::GetInnerWebContents
  content::WebContentsImpl::GetWebContentsAndAllInner
  content::WebContentsImpl::GetOrCreateFindRequestManager
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=508786:508862

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5897331731070976

Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Dec 4 2017

Components: Internals>Core
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz (Project Member), Dec 4 2017

Cc: iclelland@google.com elawrence@chromium.org
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

Use FramePolicy in FrameReplicationState and FrameTreeNode by iclelland@google.com - https://chromium.googlesource.com/chromium/src/+/cdc4f31606eb3d1b1546df94fe32897e62cfd69d

Move HTTPBad flags into SSLStatus user data by elawrence@chromium.org - https://chromium.googlesource.com/chromium/src/+/a0e7e264d58308ef1aa5de7dd5165cc715fd702f

If this is incorrect, please apply the Test-Predator-Wrong-CLs label.
Historically, this appeared to be a flake, last filed with the same test case and regression range as crbug.com/774925.

If it's a real bug, my first guess would be that this is a race condition in the Find-on-Page code.
Cc: kkaluri@chromium.org
iclelland@ Could you please update your observations on this issue.
iclelland@ Could you please provide your observations regarding this issue.
Sorry, kkaluri -- I've investigated, and can't find any connection to my CL.

I haven't been able to reproduce locally at all, and clusterfuzz folks have informed me that there's no way currently to reliably reproduce this with the test data that can be downloaded (Linux ASAN/IPC replay/Gestures are all required, and some combination of that isn't supported for local replay)
Mergedinto: 774925
Status: Duplicate (was: Untriaged)
This looks similar to Issue 774925, hence merging into it.
Please undo it if it is not the case.
Issue 809969 has been merged into this issue.