CHECK failure: !(read_side_closed_ && write_side_closed_) in quic_stream.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5674164777385984
Fuzzer: libFuzzer_net_quic_stream_factory_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !(read_side_closed_ && write_side_closed_) in quic_stream.cc
  net::QuicStream::OnStreamFrame
  net::QuicSpdyStream::OnInitialHeadersComplete
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=531452:531461
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5674164777385984

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Jan 26 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/7f8dd1e122d3c6568768b42adc405cea866fdb11 (Optimize UDPSocketPosix::InternalRecvFrom()). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jan 26 2018
I was able to reproduce the problem locally and found that it is not related directly to the new functionality added by the changelist mentioned in #2. It is related to the fact that the change added an extra call to data_provider.ConsumeBool(), which changed the subsequent random values. To prove it, I rolled back the change and added a dummy call to "data_provider.ConsumeBool()":

  bool enable_token_binding = data_provider.ConsumeBool();
  data_provider.ConsumeBool(); // <== the dummy call

The test failed exactly the same way. Removing the dummy call makes the test pass. I will do some more research.
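The consumption-order effect this comment describes, as an added toy example (not Chromium's, libFuzzer's or the commenter's code): a stand-in for FuzzedDataProvider over constructed testcase bytes, with the harness before and after one extra ConsumeBool(). The struct fields, the derivation and the sample bytes are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy stand-in for libFuzzer's FuzzedDataProvider (constructed for this
// example): values are handed out sequentially from one fixed buffer, so an
// extra Consume* call shifts every value consumed after it.
class ToyDataProvider {
 public:
  explicit ToyDataProvider(const std::vector<uint8_t>& data) : data_(data) {}
  uint8_t ConsumeUint8() { return pos_ < data_.size() ? data_[pos_++] : 0; }
  bool ConsumeBool() { return (ConsumeUint8() & 1) != 0; }
 private:
  std::vector<uint8_t> data_;
  size_t pos_ = 0;
};

// What a hypothetical harness derives from the input; the field names echo
// the ones discussed in this thread, the derivation itself is constructed.
struct HarnessConfig {
  bool enable_token_binding;
  size_t num_ipv6_addresses;
  size_t num_ipv4_addresses;
};

// Harness before the suspected changelist: one ConsumeBool(), then the
// host-resolver address counts.
HarnessConfig HarnessBefore(const std::vector<uint8_t>& input) {
  ToyDataProvider p(input);
  HarnessConfig c;
  c.enable_token_binding = p.ConsumeBool();
  c.num_ipv6_addresses = p.ConsumeUint8();
  c.num_ipv4_addresses = p.ConsumeUint8();
  return c;
}

// Same harness with one extra ConsumeBool() inserted (the "dummy call"):
// the address counts now come from bytes one position further along.
HarnessConfig HarnessAfter(const std::vector<uint8_t>& input) {
  ToyDataProvider p(input);
  HarnessConfig c;
  c.enable_token_binding = p.ConsumeBool();
  (void)p.ConsumeBool();  // the extra call
  c.num_ipv6_addresses = p.ConsumeUint8();
  c.num_ipv4_addresses = p.ConsumeUint8();
  return c;
}

// Constructed testcase bytes (not the real reproducer).
const std::vector<uint8_t> kSampleInput = {0x00, 0x00, 0x01, 0x07};
```

With these bytes the pre-changelist harness yields num_ipv6_addresses = 0 and num_ipv4_addresses = 1, while the single inserted call moves them to 1 and 7, which is why a bisection can land on a changelist that only changed how much input the harness consumes.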
Jan 26 2018
Here is a way to reproduce it without an extra data_provider.ConsumeBool().

1. Revert the changelist from #2:

  git revert 7f8dd1e122d3c6568768b42adc405cea866fdb11

2. In fuzzed_host_resolver.cc[1] set |num_ipv6_addresses| to 0 instead of reading the value from the data provider, i.e.

  //size_t num_ipv6_addresses = data_provider_->ConsumeUint8();
  size_t num_ipv6_addresses = 0;

3. In fuzzed_host_resolver.cc[2] set |num_ipv4_addresses| to 1 instead of reading the value from the data provider, i.e.

  //size_t num_ipv4_addresses = data_provider_->ConsumeUint8();
  size_t num_ipv4_addresses = 1;

4. Run the test with the data from "Reproducer Testcase". The test should crash with the original error:

[0126/170730.400751:FATAL:quic_stream.cc(97)] Check failed: !(read_side_closed_ && write_side_closed_).
#7 0x7f2dd3c96249 in net::QuicStream::OnStreamFrame(net::QuicStreamFrame const&) net/quic/core/quic_stream.cc:97:3
#8 0x7f2dd3c918b4 in net::QuicSpdyStream::OnInitialHeadersComplete(bool, unsigned long, net::QuicHeaderList const&) net/quic/core/quic_spdy_stream.cc:183:5
#9 0x7f2dd3778042 in net::QuicChromiumClientStream::OnInitialHeadersComplete(bool, unsigned long, net::QuicHeaderList const&) net/quic/chromium/quic_chromium_client_stream.cc:425:19
#10 0x7f2dd3c91411 in net::QuicSpdyStream::OnStreamHeaderList(bool, unsigned long, net::QuicHeaderList const&) net/quic/core/quic_spdy_stream.cc:166:5
#11 0x7f2dd3c6c22e in net::QuicSpdySession::OnStreamHeaderList(unsigned int, bool, unsigned long, net::QuicHeaderList const&) net/quic/core/quic_spdy_session.cc:385:11
#12 0x7f2dd3c70ebd in net::QuicSpdySession::OnHeaderList(net::QuicHeaderList const&) net/quic/core/quic_spdy_session.cc:586:5
#13 0x7f2dd3c7821a in net::QuicSpdySession::SpdyFramerVisitor::OnHeaderFrameEnd(unsigned int) net/quic/core/quic_spdy_session.cc:74:17
#14 0x7f2dd3da0347 in net::QuicHttpDecoderAdapter::CommonHpackFragmentEnd() net/quic/http/decoder/quic_http_frame_decoder_adapter.cc:968:18
#15 0x7f2dd3d9f689 in net::QuicHttpDecoderAdapter::OnHeadersEnd() net/quic/http/decoder/quic_http_frame_decoder_adapter.cc:370:3
#16 0x7f2dd3d5bcb7 in net::QuicHttpHeadersQuicHttpPayloadDecoder::StartDecodingPayload(net::QuicHttpFrameDecoderState*, net::QuicHttpDecodeBuffer*) net/quic/http/decoder/payload_decoders/quic_http_headers_payload_decoder.cc:92:26
#17 0x7f2dd3d8f13b in net::QuicHttpFrameDecoder::StartDecodingHeadersPayload(net::QuicHttpDecodeBuffer*) net/quic/http/decoder/quic_http_frame_decoder.cc:320:35
#18 0x7f2dd3d8d9be in net::QuicHttpFrameDecoder::StartDecodingPayload(net::QuicHttpDecodeBuffer*) net/quic/http/decoder/quic_http_frame_decoder.cc:121:16
#19 0x7f2dd3d8cc5a in net::QuicHttpFrameDecoder::DecodeFrame(net::QuicHttpDecodeBuffer*) net/quic/http/decoder/quic_http_frame_decoder.cc:56:16
#20 0x7f2dd3d96e54 in net::QuicHttpDecoderAdapter::ProcessInputFrame(char const*, unsigned long) net/quic/http/decoder/quic_http_frame_decoder_adapter.cc:667:49
#21 0x7f2dd3d964c1 in net::QuicHttpDecoderAdapter::ProcessInput(char const*, unsigned long) net/quic/http/decoder/quic_http_frame_decoder_adapter.cc:176:30
#22 0x7f2dd3c6c834 in net::QuicSpdySession::ProcessHeaderData(iovec const&, net::QuicTime) net/quic/core/quic_spdy_session.cc:392:42
#23 0x7f2dd3b8972b in net::QuicHeadersStream::OnDataAvailable() net/quic/core/quic_headers_stream.cc:47:24
#24 0x7f2dd3cb7a1e in net::QuicStreamSequencer::OnStreamFrame(net::QuicStreamFrame const&) net/quic/core/quic_stream_sequencer.cc:86:16
#25 0x7f2dd3c97404 in net::QuicStream::OnStreamFrame(net::QuicStreamFrame const&) net/quic/core/quic_stream.cc:147:14
#26 0x7f2dd3bfe0c9 in net::QuicSession::OnStreamFrame(net::QuicStreamFrame const&) net/quic/core/quic_session.cc:126:11
#27 0x7f2dd3720ad2 in net::QuicChromiumClientSession::OnStreamFrame(net::QuicStreamFrame const&) net/quic/chromium/quic_chromium_client_session.cc:926:27
#28 0x7f2dd3a8c948 in net::QuicConnection::OnStreamFrame(net::QuicStreamFrame const&) net/quic/core/quic_connection.cc:729:13
#29 0x7f2dd3b5f06f in net::QuicFramer::ProcessFrameData(net::QuicDataReader*, net::QuicPacketHeader const&) net/quic/core/quic_framer.cc:1065:24
#30 0x7f2dd3b5b377 in net::QuicFramer::ProcessDataPacket(net::QuicDataReader*, net::QuicPacketHeader*, net::QuicEncryptedPacket const&, char*, unsigned long) net/quic/core/quic_framer.cc:692:8
#31 0x7f2dd3b577fb in net::QuicFramer::ProcessPacket(net::QuicEncryptedPacket const&) net/quic/core/quic_framer.cc:617:10
#32 0x7f2dd3a9fe2a in net::QuicConnection::ProcessUdpPacket(net::QuicSocketAddress const&, net::QuicSocketAddress const&, net::QuicReceivedPacket const&) net/quic/core/quic_connection.cc:1357:16
#33 0x7f2dd3c0472e in net::QuicSession::ProcessUdpPacket(net::QuicSocketAddress const&, net::QuicSocketAddress const&, net::QuicReceivedPacket const&) net/quic/core/quic_session.cc:370:16
#34 0x7f2dd374a2fc in net::QuicChromiumClientSession::OnPacket(net::QuicReceivedPacket const&, net::QuicSocketAddress const&, net::QuicSocketAddress const&) net/quic/chromium/quic_chromium_client_session.cc:2388:3
#35 0x7f2dd378703d in net::QuicChromiumPacketReader::ProcessReadResult(int) net/quic/chromium/quic_chromium_packet_reader.cc:93:20
#36 0x7f2dd37867eb in net::QuicChromiumPacketReader::OnReadComplete(int) net/quic/chromium/quic_chromium_packet_reader.cc:99:7
#37 0x7f2dd37889d6 in void base::internal::FunctorTraits<void (net::QuicChromiumPacketReader::*)(int), void>::Invoke<base::WeakPtr<net::QuicChromiumPacketReader> const&, int>(void (net::QuicChromiumPacketReader::*)(int), base::WeakPtr<net::QuicChromiumPacketReader> const&, int&&) base/bind_internal.h:211:12
#38 0x7f2dd37885f2 in void base::internal::InvokeHelper<true, void>::MakeItSo<void (net::QuicChromiumPacketReader::* const&)(int), base::WeakPtr<net::QuicChromiumPacketReader> const&, int>(void (net::QuicChromiumPacketReader::* const&)(int), base::WeakPtr<net::QuicChromiumPacketReader> const&, int&&) base/bind_internal.h:314:5
#39 0x7f2dd3788386 in void base::internal::Invoker<base::internal::BindState<void (net::QuicChromiumPacketReader::*)(int), base::WeakPtr<net::QuicChromiumPacketReader> >, void (int)>::RunImpl<void (net::QuicChromiumPacketReader::* const&)(int), std::__1::tuple<base::WeakPtr<net::QuicChromiumPacketReader> > const&, 0ul>(void (net::QuicChromiumPacketReader::* const&)(int), std::__1::tuple<base::WeakPtr<net::QuicChromiumPacketReader> > const&, std::__1::integer_sequence<unsigned long, 0ul>, int&&) base/bind_internal.h:368:12
#40 0x7f2dd3788212 in base::internal::Invoker<base::internal::BindState<void (net::QuicChromiumPacketReader::*)(int), base::WeakPtr<net::QuicChromiumPacketReader> >, void (int)>::Run(base::internal::BindStateBase*, int) base/bind_internal.h:350:12
#41 0x4c4164 in base::RepeatingCallback<void (int)>::Run(int) const & base/callback.h:94:12
#42 0x4c9be1 in net::FuzzedDatagramClientSocket::OnReadComplete(base::RepeatingCallback<void (int)> const&, int) net/socket/fuzzed_datagram_client_socket.cc:191:12
#43 0x4ccb71 in void base::internal::FunctorTraits<void (net::FuzzedDatagramClientSocket::*)(base::RepeatingCallback<void (int)> const&, int), void>::Invoke<base::WeakPtr<net::FuzzedDatagramClientSocket> const&, base::RepeatingCallback<void (int)> const&, int const&>(void (net::FuzzedDatagramClientSocket::*)(base::RepeatingCallback<void (int)> const&, int), base::WeakPtr<net::FuzzedDatagramClientSocket> const&, base::RepeatingCallback<void (int)> const&, int const&) base/bind_internal.h:211:12

My guess is that the crash is related to data provided by fuzzed_datagram_client_socket.cc. Somebody from the QUIC team should take a look at what exactly is going on.

[1] https://cs.chromium.org/chromium/src/net/dns/fuzzed_host_resolver.cc?type=cs&q=%22size_t+num_ipv6_addresses+%3D+data_provider_-%3EConsumeUint8();%22&sq=package:chromium
[2] https://cs.chromium.org/chromium/src/net/dns/fuzzed_host_resolver.cc?type=cs&q=%22size_t+num_ipv4_addresses+%3D+data_provider_-%3EConsumeUint8();%22&sq=package:chromium
Jan 27 2018
I'm not seeing why you think this is an issue in fuzzed_datagram_client_socket.cc? It just returns random data (i.e., not validated in any way), and QUIC code should not DCHECK, no matter what it reads, as long as the socket behaves like a real socket. It's possible a bug in fuzzed_datagram_client_socket.cc is causing it to behave incorrectly (returning data after close or something), but is there any evidence of this?
Jan 28 2018
Sorry, I didn't mean to say that the issue is in fuzzed_datagram_client_socket.cc. What I meant is that it is possible that the random data provided by fuzzed_datagram_client_socket.cc somehow triggers the DCHECK in quic_stream.cc, which may be the right thing to do in the debug build. I tried to understand the condition under which the DCHECK fails by analysing the values returned by the data provider. I found that if the data in the socket is reshuffled then the crash doesn't happen. There may be some other. It is also possible that the problem is somewhere else.
Jan 29 2018
Ryan, could you please take a look at this issue? I see that you have handled the same DCHECK failure recently in Issue 789893 and Issue 787469. Btw, are there any changes associated with the previous fixes? I am just curious how these kinds of issues are handled.
Feb 9 2018
ClusterFuzz has detected this issue as fixed in range 535537:535552.

Detailed report: https://clusterfuzz.com/testcase?key=5674164777385984
Fuzzer: libFuzzer_net_quic_stream_factory_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !(read_side_closed_ && write_side_closed_) in quic_stream.cc
  net::QuicStream::OnStreamFrame
  net::QuicSpdyStream::OnInitialHeadersComplete
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=531452:531461
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=535537:535552
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5674164777385984

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 9 2018
ClusterFuzz testcase 5674164777385984 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jan 26 2018. Labels: Test-Predator-Auto-Components