
Issue 797656


Issue metadata

Status: WontFix
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Abrt in content::NavigationControllerImpl::DiscardPendingEntry

Project Member Reported by ClusterFuzz, Dec 26 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5888872507768832

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x03e90000416e
Crash State:
  content::NavigationControllerImpl::DiscardPendingEntry
  content::NavigatorImpl::DiscardPendingEntryIfNeeded
  content::RenderFrameHostManager::GetFrameHostForNavigation
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=522224:522253

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5888872507768832

Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Dec 26 2017

Components: Internals>Sandbox>SiteIsolation
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Dec 26 2017

Labels: Test-Predator-Auto-Owner
Owner: clamy@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/372343377dfdc9736630ba80887bab27e047f4e6 (Fix for URL spoof caused by deletion of speculative RFH).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Comment 3 by nasko@chromium.org, Jan 9 2018

Cc: creis@chromium.org nasko@chromium.org
ClusterFuzz usually files bugs that are reproducible locally, so it should be possible to investigate and understand the root cause of this.

Comment 4 by clamy@chromium.org, Jan 9 2018

I have a fix for it in review at https://chromium-review.googlesource.com/c/chromium/src/+/850877. However, I could not reproduce locally using the ClusterFuzz test case, because the test case used user gestures to trigger the race condition involved in the issue, and would not reproduce on my machine.
Project Member

Comment 5 by ClusterFuzz, Jan 9 2018

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5888872507768832 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 6 by bugdroid1@chromium.org, Jan 11 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5cd363bc34f508c63b66e653bc41bd1783a4b711

commit 5cd363bc34f508c63b66e653bc41bd1783a4b711
Author: clamy <clamy@chromium.org>
Date: Thu Jan 11 13:12:44 2018

Fix issue with pending NavigationEntry being discarded incorrectly

This CL fixes an issue where we would attempt to discard a pending
NavigationEntry when a cross-process navigation to this NavigationEntry
is interrupted by another navigation to the same NavigationEntry.

BUG= 760342 , 797656 ,796135

Change-Id: I204deff1efd4d572dd2e0b20e492592d48d787d9
Reviewed-on: https://chromium-review.googlesource.com/850877
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Camille Lamy <clamy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#528611}
[modify] https://crrev.com/5cd363bc34f508c63b66e653bc41bd1783a4b711/content/browser/frame_host/render_frame_host_manager.cc
[modify] https://crrev.com/5cd363bc34f508c63b66e653bc41bd1783a4b711/content/browser/frame_host/render_frame_host_manager_browsertest.cc

Project Member

Comment 7 by bugdroid1@chromium.org, Jan 19 2018

Labels: merge-merged-3282
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a75ca76a3d13ba91d94a73bbf7fc04ffdd722a8c

commit a75ca76a3d13ba91d94a73bbf7fc04ffdd722a8c
Author: clamy <clamy@chromium.org>
Date: Fri Jan 19 15:46:20 2018

Fix issue with pending NavigationEntry being discarded incorrectly

This CL fixes an issue where we would attempt to discard a pending
NavigationEntry when a cross-process navigation to this NavigationEntry
is interrupted by another navigation to the same NavigationEntry.

BUG= 760342 , 797656 ,796135

Change-Id: I204deff1efd4d572dd2e0b20e492592d48d787d9
Reviewed-on: https://chromium-review.googlesource.com/850877
Reviewed-by: Charlie Reis <creis@chromium.org>
Commit-Queue: Camille Lamy <clamy@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#528611}(cherry picked from commit 5cd363bc34f508c63b66e653bc41bd1783a4b711)
Reviewed-on: https://chromium-review.googlesource.com/875944
Reviewed-by: Camille Lamy <clamy@chromium.org>
Cr-Commit-Position: refs/branch-heads/3282@{#548}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}
[modify] https://crrev.com/a75ca76a3d13ba91d94a73bbf7fc04ffdd722a8c/content/browser/frame_host/render_frame_host_manager.cc
[modify] https://crrev.com/a75ca76a3d13ba91d94a73bbf7fc04ffdd722a8c/content/browser/frame_host/render_frame_host_manager_browsertest.cc