Container-overflow in content::AudioStreamMonitor::UpdateStreamAudibleStateOnUIThread
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6597335768629248
Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: Container-overflow WRITE 1
Crash Address: 0x60600099280c
Crash State:
  content::AudioStreamMonitor::UpdateStreamAudibleStateOnUIThread
  base::MessageLoop::RunTask
  base::MessageLoop::DoWork
Sanitizer: address (ASAN)
Recommended Security Severity: Critical
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6597335768629248
Additional requirements: Requires HTTP

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
Dec 16 2017
This is potentially memory corruption in the browser process, which is why ClusterFuzz has marked this as critical. ClusterFuzz shows this as not reproducible, but that may be due to the media requirements (I'm not sure ClusterFuzz can set up webcams/microphones). I'm checking to see if I can reproduce it in a desktop ASAN Chromium build. guidou@: It looks like you recently made substantial changes to content/browser/media/audio_stream_monitor.cc, where this crash appears to be happening. Could you please investigate this or assign this to someone who can? Also CCing the owners of content/browser/media in case they can help triage this further.
Dec 17 2017

Dec 18 2017
Will take a look today.
Dec 18 2017
Could not reproduce, but made a patch based on the stack trace. https://chromium-review.googlesource.com/c/chromium/src/+/832186
Dec 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/73481a5e48cd42d72d89beb6d1fca3847927cb53

commit 73481a5e48cd42d72d89beb6d1fca3847927cb53
Author: Guido Urdaneta <guidou@chromium.org>
Date: Mon Dec 18 16:07:12 2017

Update AudioStreamMonitor to handle updates to nonexistent streams

A crash has been reported where apparently it is possible for a state update to arrive for a stream after the stream has been removed. This CL makes AudioStreamMonitor handle this case instead of DCHECKing.

Bug: 795501
Change-Id: Id43c3c4a846af5d8e7d1d387d36ed31e45724ad8
Reviewed-on: https://chromium-review.googlesource.com/832186
Reviewed-by: Olga Sharonova <olka@chromium.org>
Commit-Queue: Guido Urdaneta <guidou@chromium.org>
Cr-Commit-Position: refs/heads/master@{#524719}

[modify] https://crrev.com/73481a5e48cd42d72d89beb6d1fca3847927cb53/content/browser/media/audio_stream_monitor.cc
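To illustrate the class of bug the CL above addresses, here is an added example that is not Chromium's code and is not part of this issue: a minimal model of a monitor whose audible-state update is posted to the UI thread and runs only after the stream has already been removed, which is the ordering the commit message describes. The class names (TrustingMonitor, CheckedMonitor, TaskQueue), the (render process id, stream id) key shape, and the operator[] lookup in the pre-fix variant are assumptions for the example; the real AudioStreamMonitor is not reproduced here. The reported crash was a container-overflow write, i.e. a write through an invalid container position; because dereferencing an end() iterator is undefined behaviour and cannot be demonstrated deterministically, the pre-fix variant here shows the other way a missing guard goes wrong, silently resurrecting a removed stream via operator[].

```cpp
// Added illustration of the bug class fixed in this issue. This is NOT
// Chromium's AudioStreamMonitor code; all names and the key shape are assumed.
#include <cstddef>
#include <cstdio>
#include <deque>
#include <functional>
#include <map>
#include <utility>

using StreamKey = std::pair<int, int>;  // assumed: (render_process_id, stream_id)

struct StreamState {
  bool is_audible = false;
};

// Models the UI thread's task queue: updates are posted, then run later
// (compare base::MessageLoop::RunTask in the crash state).
class TaskQueue {
 public:
  void Post(std::function<void()> task) { tasks_.push_back(std::move(task)); }
  void RunAll() {
    while (!tasks_.empty()) {
      auto task = std::move(tasks_.front());
      tasks_.pop_front();
      task();
    }
  }
 private:
  std::deque<std::function<void()>> tasks_;
};

// Pre-fix shape (assumed): the handler trusts that the stream still exists.
// A DCHECK is compiled out of release builds, so a failed lookup is not caught
// there. With operator[] the failed lookup inserts a ghost entry; with a raw
// find()-and-dereference it writes through end(), which is the ASan report.
class TrustingMonitor {
 public:
  void AddStream(StreamKey key) { streams_.emplace(key, StreamState{}); }
  void RemoveStream(StreamKey key) { streams_.erase(key); }
  void UpdateAudible(StreamKey key, bool audible) {
    // DCHECK(streams_.count(key));     // no-op in release builds
    streams_[key].is_audible = audible;  // resurrects a removed stream
  }
  std::size_t StreamCount() const { return streams_.size(); }
 private:
  std::map<StreamKey, StreamState> streams_;
};

// Post-fix shape: look the stream up and, if it is already gone, drop the
// update instead of writing anywhere. Returns false when the update was dropped.
class CheckedMonitor {
 public:
  void AddStream(StreamKey key) { streams_.emplace(key, StreamState{}); }
  void RemoveStream(StreamKey key) { streams_.erase(key); }
  bool UpdateAudible(StreamKey key, bool audible) {
    auto it = streams_.find(key);
    if (it == streams_.end())
      return false;  // late update for a removed stream: ignore it
    it->second.is_audible = audible;
    return true;
  }
  bool IsAudible(StreamKey key) const {
    auto it = streams_.find(key);
    return it != streams_.end() && it->second.is_audible;
  }
  std::size_t StreamCount() const { return streams_.size(); }
 private:
  std::map<StreamKey, StreamState> streams_;
};

// Replays the ordering from the report: an audible-state update is posted to
// the UI thread, the stream is removed before the task runs, then the task
// runs against a stream that no longer exists. Returns the stream count after.
template <typename Monitor>
std::size_t ReplayLateUpdate(Monitor& monitor) {
  TaskQueue ui_thread;
  const StreamKey key{7, 1};
  monitor.AddStream(key);
  ui_thread.Post([&] { monitor.UpdateAudible(key, true); });  // queued
  monitor.RemoveStream(key);                                  // stream torn down
  ui_thread.RunAll();                                         // update arrives late
  return monitor.StreamCount();
}

int main() {
  TrustingMonitor trusting;
  CheckedMonitor checked;
  std::printf("trusting monitor streams after late update: %zu\n",
              ReplayLateUpdate(trusting));  // 1: ghost entry resurrected
  std::printf("checked monitor streams after late update:  %zu\n",
              ReplayLateUpdate(checked));   // 0: update dropped
  return 0;
}
```

The practical point is that a DCHECK only documents an invariant; in a release build it is removed, so the guard against an update for a nonexistent stream has to be an explicit early return on the lookup result. Replacing the lookup with operator[] is not a fix either, since it "handles" the missing key by recreating the stream entry the teardown path just removed.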
Dec 18 2017
guidou@ - thanks for the super fast fix! Do you suspect this bug exists in Stable?
Dec 19 2017
No. This is only in M65.
Dec 19 2017

Mar 27 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Dec 16 2017
Labels: Test-Predator-Auto-Components