Null-dereference READ in views::TrayBubbleView::UpdateBubble |
|||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4567045084807168 Fuzzer: inferno_webbot Job Type: linux_asan_chrome_chromeos Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000000 Crash State: views::TrayBubbleView::UpdateBubble ash::WebNotificationTray::AnchorUpdated views::Widget::OnNativeWidgetSizeChanged Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=528865:528866 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4567045084807168 Additional requirements: Requires Gestures Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Jan 20 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/53b9235c9bdbc223db2bfe0f9a471be45e7c7886 (Do not close widget in TrayBubbleView for notification center.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Jan 22 2018
Maybe there is a corner case in the follow-up CL of Issue 792583? Failed to reproduce locally with the following commands: /google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 4567045084807168 -i 10 or /google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 4567045084807168 --disable-xvfb
,
Jan 23 2018
,
Jan 25 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/75544a64bab095534833a1b2c502571b32c3df6a commit 75544a64bab095534833a1b2c502571b32c3df6a Author: Tetsui Ohkubo <tetsui@chromium.org> Date: Thu Jan 25 02:44:52 2018 Revert "Do not close widget in TrayBubbleView for notification center." This reverts commit 53b9235c9bdbc223db2bfe0f9a471be45e7c7886. Reason for revert: Clusterfuzz crash https://crbug.com/804108 Original change's description: > Do not close widget in TrayBubbleView for notification center. > > This is a follow-up CL of https://crrev.com/c/816778 . > > There were three code paths to close notification center: > * Only WebNotificationTray::HideMessageCenter is called. > (clicking on tray bell icon) > + TrayBubbleWrapper::OnWindowActivated is called in addition. > (pressing search button) > + TrayBubbleView::OnWidgetActivationChanged is called in addition. > (clicking on screenshot notification in notification center) > > On the last code path, Widget::Close() is called before > WebNotificationTray::HideMessageCenter(). > HideMessageCenter() assumed the widget is still open, thus the crash > https://crbug.com/792583#c14 was caused. > > The quick fix CL fixed HideMessageCenter(), but it is confusing that > the widget can be closed through multiple code paths. > This CL uses TrayBubbleView::InitParams::close_on_deactivate so that > the TrayBubbleView does not close the widget. > > TEST=manual > BUG=792583 > > Change-Id: Ibff47189719043d6ec6830f50888c8323e63f44a > Reviewed-on: https://chromium-review.googlesource.com/833429 > Reviewed-by: Mitsuru Oshima <oshima@chromium.org> > Commit-Queue: Tetsui Ohkubo <tetsui@chromium.org> > Cr-Commit-Position: refs/heads/master@{#528866} TBR=oshima@chromium.org,tetsui@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: 792583, 804108 Change-Id: I69ef7cd54a156e4de83ce04e0aa0b433ecf743c9 Reviewed-on: https://chromium-review.googlesource.com/885281 Reviewed-by: Tetsui Ohkubo <tetsui@chromium.org> Commit-Queue: Tetsui Ohkubo <tetsui@chromium.org> Cr-Commit-Position: refs/heads/master@{#531797} [modify] https://crrev.com/75544a64bab095534833a1b2c502571b32c3df6a/ash/system/web_notification/web_notification_tray.cc
,
Jan 25 2018
,
Jan 26 2018
This bug requires manual review: Reverts referenced in bugdroid comments after merge request. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 26 2018
Before we approve merge to M65, how is revert listed at comment #5 looking in canary?
,
Jan 29 2018
This is a merge request of the revert in #5. The CL is a refactoring change so it should not affect any behavior.
,
Jan 29 2018
Approving merge to M65 branch 3325 based on comment #9. Please merge ASAP so we can pick it up for next dev release. Thank you.
,
Jan 29 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/63945a61d57e397175f5c65d8506749ccb5d9cd6 commit 63945a61d57e397175f5c65d8506749ccb5d9cd6 Author: Tetsui Ohkubo <tetsui@chromium.org> Date: Mon Jan 29 02:34:39 2018 Revert "Do not close widget in TrayBubbleView for notification center." This reverts commit 53b9235c9bdbc223db2bfe0f9a471be45e7c7886. Reason for revert: Clusterfuzz crash https://crbug.com/804108 Original change's description: > Do not close widget in TrayBubbleView for notification center. > > This is a follow-up CL of https://crrev.com/c/816778 . > > There were three code paths to close notification center: > * Only WebNotificationTray::HideMessageCenter is called. > (clicking on tray bell icon) > + TrayBubbleWrapper::OnWindowActivated is called in addition. > (pressing search button) > + TrayBubbleView::OnWidgetActivationChanged is called in addition. > (clicking on screenshot notification in notification center) > > On the last code path, Widget::Close() is called before > WebNotificationTray::HideMessageCenter(). > HideMessageCenter() assumed the widget is still open, thus the crash > https://crbug.com/792583#c14 was caused. > > The quick fix CL fixed HideMessageCenter(), but it is confusing that > the widget can be closed through multiple code paths. > This CL uses TrayBubbleView::InitParams::close_on_deactivate so that > the TrayBubbleView does not close the widget. > > TEST=manual > BUG=792583 > > Change-Id: Ibff47189719043d6ec6830f50888c8323e63f44a > Reviewed-on: https://chromium-review.googlesource.com/833429 > Reviewed-by: Mitsuru Oshima <oshima@chromium.org> > Commit-Queue: Tetsui Ohkubo <tetsui@chromium.org> > Cr-Commit-Position: refs/heads/master@{#528866} TBR=oshima@chromium.org,tetsui@chromium.org # Not skipping CQ checks because original CL landed > 1 day ago. Bug: 792583, 804108 Change-Id: I69ef7cd54a156e4de83ce04e0aa0b433ecf743c9 Reviewed-on: https://chromium-review.googlesource.com/885281 Reviewed-by: Tetsui Ohkubo <tetsui@chromium.org> Commit-Queue: Tetsui Ohkubo <tetsui@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#531797}(cherry picked from commit 75544a64bab095534833a1b2c502571b32c3df6a) Reviewed-on: https://chromium-review.googlesource.com/890798 Cr-Commit-Position: refs/branch-heads/3325@{#130} Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369} [modify] https://crrev.com/63945a61d57e397175f5c65d8506749ccb5d9cd6/ash/system/web_notification/web_notification_tray.cc |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by ClusterFuzz
, Jan 20 2018Labels: Test-Predator-Auto-Components