Security: Crash in blink::NetworkResourcesData::EnsureFreeSpace()
Reported by
chromium...@gmail.com,
Feb 16 2018
Issue description

VERSION
Chrome Version: 66.0.3349.0
Operating System: Mac and Linux

REPRODUCTION CASE
1. Load the test case
2. Open dev tools
3. Click on "Start"

Note: Unable to repro this on Windows.

Received signal 11 SEGV_ACCERR 55555be24590
#0 0x5555592acd8c base::debug::StackTrace::StackTrace()
#1 0x5555592ac8f1 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7ffff7bcb390 <unknown>
#3 0x55555c1169c1 blink::NetworkResourcesData::EnsureFreeSpace()
#4 0x55555c1163de blink::NetworkResourcesData::PrepareToAddResourceData()
#5 0x55555c11620f blink::NetworkResourcesData::ResourceCreated()
#6 0x55555c0e6c85 blink::InspectorNetworkAgent::WillSendRequestInternal()
#7 0x55555c0e936d blink::InspectorNetworkAgent::WillSendRequest()
#8 0x55555c3ad04f blink::probe::willSendRequestImpl()
#9 0x55555c2a6ff7 blink::FrameFetchContext::DispatchWillSendRequest()
#10 0x555558ebc685 blink::ResourceFetcher::StartLoad()
#11 0x555558ebba17 blink::ResourceFetcher::RequestResourceInternal()
#12 0x555558ebb428 blink::ResourceFetcher::RequestResource()
#13 0x555558eac8e0 blink::RawResource::Fetch()
#14 0x55555c2a1ba6 blink::DocumentThreadableLoader::LoadRequestAsync()
#15 0x55555c29fe94 blink::DocumentThreadableLoader::LoadRequest()
#16 0x55555c29fbf8 blink::DocumentThreadableLoader::MakeCrossOriginAccessRequestBlinkCORS()
#17 0x55555c29de3e blink::DocumentThreadableLoader::DispatchInitialRequestBlinkCORS()
#18 0x55555c29dcc2 blink::DocumentThreadableLoader::StartBlinkCORS()
#19 0x55555be2326d blink::FetchManager::Loader::PerformHTTPFetch()
#20 0x55555be22733 blink::FetchManager::Loader::Start()
#21 0x55555be23796 blink::FetchManager::Fetch()
#22 0x55555be2086f blink::(anonymous namespace)::GlobalFetchImpl<>::Fetch()
#23 0x55555be2031f blink::GlobalFetch::fetch()
#24 0x55555bc30c0c blink::V8Window::fetchMethodCallback()
#25 0x55555873504c v8::internal::FunctionCallbackArguments::Call()
#26 0x5555587b3d5e v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#27 0x5555587b3408 v8::internal::Builtin_Impl_HandleApiCall()
#28 0x3bb8fd704b5d <unknown>
  r8: 00007fffffffa750  r9: 00001836a3200010 r10: 00001836a3200000 r11: 00007ffff1df7f90
 r12: 000029b6345094e8 r13: 0000000000000000 r14: 000021bd5c854300 r15: 0000000000100000
  di: 000055555be24590  si: 00007fffffffa550  bp: 00007fffffffa580  bx: 000029b6345094d0
  dx: 00000000000000ff  ax: 0000000000000000  cx: 000000000000005f  sp: 00007fffffffa550
  ip: 000055555c1169c1 efl: 0000000000010206 cgf: 002b000000000033 erf: 0000000000000007
 trp: 000000000000000e msk: 0000000000000000 cr2: 000055555be24590
Feb 18 2018

Feb 19 2018
ASan stacktrace:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55e88cfd1e6a bp 0x7ffe3b918f70 sp 0x7ffe3b918f30 T0)
==1==The signal is caused by a READ memory access.
==1==Hint: address points to the zero page.
==1==WARNING: invalid path to external symbolizer!
==1==WARNING: Failed to use and restart external symbolizer!
#0 0x55e88cfd1e69 in HasHash /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/platform/wtf/text/StringImpl.h:247:33
#1 0x55e88cfd1e69 in GetHash /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/platform/wtf/text/StringImpl.h:255:0
#2 0x55e88cfd1e69 in GetHash /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/platform/wtf/text/StringHash.h:70:0
#3 0x55e88cfd1e69 in GetHash<WTF::String> /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/platform/wtf/HashTable.h:558:0
#4 0x55e88cfd1e69 in WTF::KeyValuePair<WTF::String, blink::Member<blink::NetworkResourcesData::ResourceData> > const* WTF::HashTable<WTF::String, WTF::KeyValuePair<WTF::String, blink::Member<blink::NetworkResourcesData::ResourceData> >, WTF::KeyValuePairKeyExtractor, WTF::StringHash, WTF::HashMapValueTraits<WTF::HashTraits<WTF::String>, WTF::HashTraits<blink::Member<blink::NetworkResourcesData::ResourceData> > >, WTF::HashTraits<WTF::String>, blink::HeapAllocator>::Lookup<WTF::IdentityHashTranslator<WTF::StringHash, WTF::HashMapValueTraits<WTF::HashTraits<WTF::String>, WTF::HashTraits<blink::Member<blink::NetworkResourcesData::ResourceData> > >, blink::HeapAllocator>, WTF::String const&>(WTF::String const& const&) const /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/platform/wtf/HashTable.h:1055:0
#5 0x55e88cfcbbab in Lookup /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/platform/wtf/HashTable.h:788:12
#6 0x55e88cfcbbab in at /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/platform/wtf/HashMap.h:600:0
#7 0x55e88cfcbbab in ResourceDataForRequestId /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/core/inspector/NetworkResourcesData.cpp:428:0
#8 0x55e88cfcbbab in blink::NetworkResourcesData::EnsureFreeSpace(unsigned long) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/core/inspector/NetworkResourcesData.cpp:446:0
#9 0x55e88cfca6ba in blink::NetworkResourcesData::PrepareToAddResourceData(WTF::String const&, unsigned long) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/core/inspector/NetworkResourcesData.cpp:289:8
#10 0x55e88cfca07e in blink::NetworkResourcesData::ResourceCreated(blink::ExecutionContext*, WTF::String const&, WTF::String const&, blink::KURL const&, scoped_refptr<blink::EncodedFormData>) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/core/inspector/NetworkResourcesData.cpp:203:7
#11 0x55e88cf0d3cb in blink::InspectorNetworkAgent::WillSendRequestInternal(blink::ExecutionContext*, unsigned long, blink::DocumentLoader*, blink::ResourceRequest const&, blink::ResourceResponse const&, blink::FetchInitiatorInfo const&, blink::InspectorPageAgent::ResourceType) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/core/inspector/InspectorNetworkAgent.cpp:750:20
#12 0x55e88cf16d1d in blink::InspectorNetworkAgent::WillSendRequest(blink::ExecutionContext*, unsigned long, blink::DocumentLoader*, blink::ResourceRequest&, blink::ResourceResponse const&, blink::FetchInitiatorInfo const&, blink::Resource::Type) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/core/inspector/InspectorNetworkAgent.cpp:853:3
#13 0x55e88dad0941 in blink::probe::willSendRequestImpl(blink::ExecutionContext*, unsigned long, blink::DocumentLoader*, blink::ResourceRequest&, blink::ResourceResponse const&, blink::FetchInitiatorInfo const&, blink::Resource::Type) /usr/local/google/home/ochang/chromium/src/out/ASan/gen/blink/core/CoreProbesImpl.cpp:907:14
#14 0x55e88d67918a in willSendRequest /usr/local/google/home/ochang/chromium/src/out/ASan/gen/blink/core/CoreProbesInl.h:262:3
#15 0x55e88d67918a in blink::FrameFetchContext::DispatchWillSendRequest(unsigned long, blink::ResourceRequest&, blink::ResourceResponse const&, blink::Resource::Type, blink::FetchInitiatorInfo const&) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/core/loader/FrameFetchContext.cpp:499:0
#16 0x55e8816fcc6c in blink::ResourceFetcher::StartLoad(blink::Resource*) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp:1496:15
#17 0x55e8816f9f84 in blink::ResourceFetcher::RequestResourceInternal(blink::FetchParameters&, blink::ResourceFactory const&, blink::SubstituteData const&) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp:810:9
#18 0x55e8816f8d68 in blink::ResourceFetcher::RequestResource(blink::FetchParameters&, blink::ResourceFactory const&, blink::ResourceClient*, blink::SubstituteData const&) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp:676:7
#19 0x55e8816ca601 in blink::RawResource::Fetch(blink::FetchParameters&, blink::ResourceFetcher*, blink::RawResourceClient*) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/platform/loader/fetch/RawResource.cpp:66:33
#20 0x55e88d664d51 in blink::DocumentThreadableLoader::LoadRequestAsync(blink::ResourceRequest const&, blink::ResourceLoaderOptions) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp:1189:5
#21 0x55e88d65dead in blink::DocumentThreadableLoader::LoadRequest(blink::ResourceRequest&, blink::ResourceLoaderOptions) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp:1296:5
#22 0x55e88d65cce2 in blink::DocumentThreadableLoader::MakeCrossOriginAccessRequestBlinkCORS(blink::ResourceRequest const&) /usr/local/google/home/ochang/chromium/src/out/ASan/../../buildtools/third_party/libc++/trunk/include/atomic:0:17
#23 0x55e88d656d7c in blink::DocumentThreadableLoader::DispatchInitialRequestBlinkCORS(blink::ResourceRequest&) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp:0:0
#24 0x55e88d655f87 in blink::DocumentThreadableLoader::StartBlinkCORS(blink::ResourceRequest const&) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp:338:5
#25 0x55e88c41f8b4 in blink::FetchManager::Loader::PerformHTTPFetch() /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/core/fetch/FetchManager.cpp:793:12
#26 0x55e88c41c969 in blink::FetchManager::Loader::Start() /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/core/fetch/FetchManager.cpp:639:3
#27 0x55e88c421470 in blink::FetchManager::Fetch(blink::ScriptState*, blink::FetchRequestData*) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/core/fetch/FetchManager.cpp:868:11
#28 0x55e88c415bf2 in blink::(anonymous namespace)::GlobalFetchImpl<blink::LocalDOMWindow>::Fetch(blink::ScriptState*, blink::RequestOrUSVString const&, blink::Dictionary const&, blink::ExceptionState&) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/core/fetch/GlobalFetch.cpp:60:28
#29 0x55e88c415143 in blink::GlobalFetch::fetch(blink::ScriptState*, blink::LocalDOMWindow&, blink::RequestOrUSVString const&, blink::Dictionary const&, blink::ExceptionState&) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/core/fetch/GlobalFetch.cpp:109:39
#30 0x55e88bb944b9 in fetchMethod /usr/local/google/home/ochang/chromium/src/out/ASan/gen/blink/bindings/core/v8/V8Window.cpp:5711:26
#31 0x55e88bb944b9 in blink::V8Window::fetchMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&) /usr/local/google/home/ochang/chromium/src/out/ASan/gen/blink/bindings/core/v8/V8Window.cpp:10997:0
#32 0x55e87fb8bc92 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*) /usr/local/google/home/ochang/chromium/src/out/ASan/../../v8/src/api-arguments.cc:29:3
#33 0x55e87fd344f9 in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) /usr/local/google/home/ochang/chromium/src/out/ASan/../../v8/src/builtins/builtins-api.cc:107:36
#34 0x55e87fd32005 in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) /usr/local/google/home/ochang/chromium/src/out/ASan/../../v8/src/builtins/builtins-api.cc:137:5
#26 0x7ef1e018421c (<unknown module>)
#27 0x7ef1e0194596 (<unknown module>)
#28 0x7ef1e0194596 (<unknown module>)
#29 0x7ef1e01cb05f (<unknown module>)
#30 0x7ef1e01a8899 (<unknown module>)
#31 0x7ef1e018a4c0 (<unknown module>)
#35 0x55e88055ec89 in Call /usr/local/google/home/ochang/chromium/src/out/ASan/../../v8/src/simulator.h:110:12
#36 0x55e88055ec89 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling, v8::internal::Execution::Target) /usr/local/google/home/ochang/chromium/src/out/ASan/../../v8/src/execution.cc:153:0
#37 0x55e88055f41a in CallInternal /usr/local/google/home/ochang/chromium/src/out/ASan/../../v8/src/execution.cc:189:10
#38 0x55e88055f41a in v8::internal::Execution::TryCall(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Execution::MessageHandling, v8::internal::MaybeHandle<v8::internal::Object>*, v8::internal::Execution::Target) /usr/local/google/home/ochang/chromium/src/out/ASan/../../v8/src/execution.cc:239:0
#39 0x55e88055f723 in v8::internal::Execution::RunMicrotasks(v8::internal::Isolate*, v8::internal::Execution::MessageHandling, v8::internal::MaybeHandle<v8::internal::Object>*) /usr/local/google/home/ochang/chromium/src/out/ASan/../../v8/src/execution.cc:270:10
#40 0x55e88088d19c in v8::internal::Isolate::RunMicrotasks() /usr/local/google/home/ochang/chromium/src/out/ASan/../../v8/src/isolate.cc:3871:40
#41 0x55e88b15fc52 in blink::Microtask::PerformCheckpoint(v8::Isolate*) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/platform/bindings/Microtask.cpp:41:3
#42 0x55e88e9def70 in blink::(anonymous namespace)::EndOfTaskRunner::DidProcessTask() /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/controller/BlinkInitializer.cpp:63:5
#43 0x55e8817b35f8 in blink::scheduler::TaskQueueManager::NotifyDidProcessTask(blink::scheduler::TaskQueueManager::ExecutingTask const&, blink::scheduler::LazyNow*) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:443:16
#44 0x55e8817b29bd in blink::scheduler::TaskQueueManager::DidRunTask() /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:309:3
#45 0x55e8817bc1ed in blink::scheduler::internal::ThreadControllerImpl::DoWork(blink::scheduler::internal::Sequence::WorkType) /usr/local/google/home/ochang/chromium/src/out/ASan/../../third_party/WebKit/Source/platform/scheduler/base/thread_controller_impl.cc:167:16
#46 0x55e88264616b in Run /usr/local/google/home/ochang/chromium/src/out/ASan/../../base/callback.h:65:12
#47 0x55e88264616b in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /usr/local/google/home/ochang/chromium/src/out/ASan/../../base/debug/task_annotator.cc:55:0
#48 0x55e8826a7245 in base::MessageLoop::RunTask(base::PendingTask*) /usr/local/google/home/ochang/chromium/src/out/ASan/../../base/message_loop/message_loop.cc:395:25
#49 0x55e8826a8554 in DeferOrRunPendingTask /usr/local/google/home/ochang/chromium/src/out/ASan/../../base/message_loop/message_loop.cc:407:5
#50 0x55e8826a8554 in base::MessageLoop::DoWork() /usr/local/google/home/ochang/chromium/src/out/ASan/../../base/message_loop/message_loop.cc:451:0
#51 0x55e8826afc6f in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /usr/local/google/home/ochang/chromium/src/out/ASan/../../base/message_loop/message_pump_default.cc:37:31
#52 0x55e882729f31 in base::RunLoop::Run() /usr/local/google/home/ochang/chromium/src/out/ASan/../../base/run_loop.cc:133:14
#53 0x55e88fb7cb7c in content::RendererMain(content::MainFunctionParams const&) /usr/local/google/home/ochang/chromium/src/out/ASan/../../content/renderer/renderer_main.cc:235:23
#54 0x55e881c3242f in content::RunZygote(content::ContentMainDelegate*) /usr/local/google/home/ochang/chromium/src/out/ASan/../../content/app/content_main_runner.cc:352:14
#55 0x55e881c35448 in content::ContentMainRunnerImpl::Run() /usr/local/google/home/ochang/chromium/src/out/ASan/../../content/app/content_main_runner.cc:713:12
#56 0x55e881c597af in service_manager::Main(service_manager::MainParams const&) /usr/local/google/home/ochang/chromium/src/out/ASan/../../services/service_manager/embedder/main.cc:456:29
#57 0x55e881c31c74 in content::ContentMain(content::ContentMainParams const&) /usr/local/google/home/ochang/chromium/src/out/ASan/../../content/app/content_main.cc:19:10
#58 0x55e87b8d3f35 in ChromeMain /usr/local/google/home/ochang/chromium/src/out/ASan/../../chrome/app/chrome_main.cc:144:12
#59 0x7f97b7bfb2b0 in __libc_start_main ??:0:0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/local/google/home/ochang/chromium/src/out/ASan/chrome+0x18c40e69)
==1==ABORTING
Feb 19 2018
dgozman, could you please take a look, or help with assigning this to the right person? Thanks.
Feb 19 2018
The ASan Windows build doesn't hit null-deref crashes.
Feb 19 2018
=================================================================
==1460==ERROR: AddressSanitizer: access-violation on unknown address 0xffffffffffffffff (pc 0x07febe72f548 bp 0x0000002f5cc0 sp 0x0000002f5b70 T0)
==1460==The signal is caused by a READ memory access.
==1460==*** WARNING: Failed to initialize DbgHelp! ***
==1460==*** Most likely this means that the app is already ***
==1460==*** using DbgHelp, possibly with incompatible flags. ***
==1460==*** Due to technical reasons, symbolization might crash ***
==1460==*** or produce wrong results. ***
#0 0x7febe72f547 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18780f547)
#1 0x7fec35ccc08 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18c6acc08)
#2 0x7fec35cb9a0 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18c6ab9a0)
#3 0x7fec35cb3a0 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18c6ab3a0)
#4 0x7fec34ee94f (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18c5ce94f)
#5 0x7fec34f6a15 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18c5d6a15)
#6 0x7febfacd358 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x188bad358)
#7 0x7febf7c51c2 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x1888a51c2)
#8 0x7feba99d114 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x183a7d114)
#9 0x7feba999f81 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x183a79f81)
#10 0x7feba998f56 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x183a78f56)
#11 0x7feba96e418 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x183a4e418)
#12 0x7fec366b959 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18c74b959)
#13 0x7fec3665033 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18c745033)
#14 0x7fec3663cf0 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18c743cf0)
#15 0x7fec365dc0b (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18c73dc0b)
#16 0x7fec365cb55 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18c73cb55)
#17 0x7fec31f4cce (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18c2d4cce)
#18 0x7fec31f25eb (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18c2d25eb)
#19 0x7fec31f6aa4 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18c2d6aa4)
#20 0x7fec31bdb58 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18c29db58)
#21 0x7fec31bcf8f (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18c29cf8f)
#22 0x7fec206c377 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x18b14c377)
#23 0x7feb897ea6f (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x181a5ea6f)
#24 0x7feb8b9bffd (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x181c7bffd)
#25 0x7feb8b98f90 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x181c78f90)
#26 0x7feb8b982e6 (C:\Users\admin\Desktop\asan-win32-release_x64-537569\chrome_child.dll+0x181c782e6)
#27 0xb3847a0 (<unknown module>)
Feb 19 2018

Feb 20 2018
Shouldn't this be higher than low severity?
Feb 20 2018

Feb 20 2018

Feb 20 2018
+awhalley@ (Security TPM)
Feb 20 2018
Applying milestone and Release block stable labels per duplicate bug 813484.
Feb 20 2018
Users experienced this crash on the following builds:
Mac Canary 66.0.3350.0 - 0.40 CPM, 7 reports, 2 clients (signature blink::NetworkResourcesData::EnsureFreeSpace)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.
- Go/Fracas
Feb 21 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c9a324bf2fb731f1f9ef94dc4068cdc77140a5d6

commit c9a324bf2fb731f1f9ef94dc4068cdc77140a5d6
Author: Eugene Ostroukhov <eostroukhov@chromium.org>
Date: Wed Feb 21 01:25:10 2018

DevTools: fix bookkeeping when evicting POST data

Due to the bug, free space size was not updated when the POST data was evicted, resulting in crash.

Bug: 813187
Change-Id: I8c4a3762eaa2ecf6ce58fccc639846c24cc9d6c8
Reviewed-on: https://chromium-review.googlesource.com/927643
Commit-Queue: Eugene Ostroukhov <eostroukhov@chromium.org>
Reviewed-by: Eugene Ostroukhov <eostroukhov@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Reviewed-by: Andrey Kosyakov <caseq@chromium.org>
Cr-Commit-Position: refs/heads/master@{#537977}

[modify] https://crrev.com/c9a324bf2fb731f1f9ef94dc4068cdc77140a5d6/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/get-request-post-data-expected.txt
[modify] https://crrev.com/c9a324bf2fb731f1f9ef94dc4068cdc77140a5d6/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/get-request-post-data.js
[modify] https://crrev.com/c9a324bf2fb731f1f9ef94dc4068cdc77140a5d6/third_party/WebKit/Source/core/inspector/NetworkResourcesData.cpp
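As an added illustration of the defect the commit message describes (a constructed model, not Chromium's NetworkResourcesData; the class and function names are invented), the block below models a size-budgeted cache whose eviction loop either credits evicted POST data back to the free-space counter or, in the buggy variant, does not, so the counter drifts upward and eviction can exhaust the queue while the budget still reads as full:

```cpp
// Constructed model of a size-budgeted per-request payload cache, written to
// illustrate the bookkeeping defect named in the commit message. It is not
// Chromium's NetworkResourcesData; every name here is invented.
#include <cstddef>
#include <deque>
#include <map>
#include <string>
#include <utility>

struct Entry {
  std::string content;    // response body, charged against the budget
  std::string post_data;  // request body, also charged against the budget
};

class BudgetedCache {
 public:
  BudgetedCache(size_t budget, bool fixed) : budget_(budget), fixed_(fixed) {}

  // Charges content + post_data to the budget, evicting oldest entries first.
  // Returns false when eviction empties the queue while the budget still reads
  // as full; in the real bug that path went on to use a null request id.
  bool Add(const std::string& id, std::string content, std::string post_data) {
    size_t needed = content.size() + post_data.size();
    if (needed > budget_ || !EnsureFreeSpace(needed)) return false;
    used_ += needed;
    order_.push_back(id);
    entries_[id] = Entry{std::move(content), std::move(post_data)};
    return true;
  }
  size_t used() const { return used_; }
  // Recomputes the true footprint; correct bookkeeping keeps used_ equal to it.
  size_t ActualFootprint() const {
    size_t sum = 0;
    for (const auto& kv : entries_)
      sum += kv.second.content.size() + kv.second.post_data.size();
    return sum;
  }

 private:
  bool EnsureFreeSpace(size_t needed) {
    while (budget_ - used_ < needed) {
      if (order_.empty()) return false;  // guard instead of running off the queue
      std::string victim = order_.front();
      order_.pop_front();
      auto it = entries_.find(victim);
      if (it == entries_.end()) continue;
      // Buggy variant: only the content size is credited back. The evicted
      // POST data stays charged, so used_ drifts upward and later evictions
      // can empty the queue without ever freeing enough space.
      size_t released = it->second.content.size();
      if (fixed_) released += it->second.post_data.size();
      used_ -= released;
      entries_.erase(it);
    }
    return true;
  }

  size_t budget_;
  bool fixed_;
  size_t used_ = 0;
  std::deque<std::string> order_;
  std::map<std::string, Entry> entries_;
};

// all_added: did every request fit after eviction?
// accounting_consistent: does used_ still match the real footprint?
struct Outcome { bool all_added; bool accounting_consistent; };

// Feeds ten POST requests (10-byte body, 40-byte POST data) through a
// 100-byte budget so that eviction has to run repeatedly.
Outcome RunScenario(bool fixed) {
  BudgetedCache cache(100, fixed);
  bool all_added = true;
  for (int i = 0; i < 10; ++i) {
    all_added = cache.Add("req" + std::to_string(i), std::string(10, 'c'),
                          std::string(40, 'p')) && all_added;
  }
  return {all_added, cache.used() == cache.ActualFootprint()};
}
```

The fixed variant keeps used() equal to the recomputed footprint across all ten requests; the buggy one ends with 80 bytes still charged against an empty cache and rejects every request after the second, which is the state a real implementation reached just before dereferencing a missing entry.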
Feb 21 2018

Feb 21 2018
Verified on 66.0.3351.0 on Mac, no more crashes. Fixed!
Feb 21 2018

Feb 21 2018
This bug requires manual review: We are only 12 days from stable.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Feb 21 2018
awhalley@, could you pls do M65 merge review?
Feb 21 2018
We can wait for 66 from a security point of view. eostroukhov@, is it worth getting into M65 because of stability?
Feb 21 2018
This will definitely be noticeable by our users. And it is a regression introduced in 65. I believe it would be better to merge.
Feb 22 2018
Thank you awhalley@ and eostroukhov@. eostroukhov@, pls verify and update the bug with canary result tomorrow.
Feb 22 2018
The NextAction date has arrived: 2018-02-22
Feb 22 2018

Feb 22 2018
I was not able to reproduce the issue using the latest Canary (66.0.3352.0). There had also been no crash reports on recent builds.
Feb 22 2018
Approving merge to M65 branch 3325 based on comments #21 and #25. Please merge ASAP. Also pls mark bug as fixed after M65 merge if nothing is pending. Thank you.
Feb 22 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/105ed77b12d431c3680af90275d30f0969814ec6

commit 105ed77b12d431c3680af90275d30f0969814ec6
Author: Eugene Ostroukhov <eostroukhov@chromium.org>
Date: Thu Feb 22 18:25:46 2018

DevTools: fix bookkeeping when evicting POST data

Due to the bug, free space size was not updated when the POST data was evicted, resulting in crash.

TBR=eostroukhov@chromium.org

(cherry picked from commit c9a324bf2fb731f1f9ef94dc4068cdc77140a5d6)

Bug: 813187
Change-Id: I8c4a3762eaa2ecf6ce58fccc639846c24cc9d6c8
Reviewed-on: https://chromium-review.googlesource.com/927643
Commit-Queue: Eugene Ostroukhov <eostroukhov@chromium.org>
Reviewed-by: Eugene Ostroukhov <eostroukhov@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Reviewed-by: Andrey Kosyakov <caseq@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#537977}
Reviewed-on: https://chromium-review.googlesource.com/932005
Cr-Commit-Position: refs/branch-heads/3325@{#550}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}

[modify] https://crrev.com/105ed77b12d431c3680af90275d30f0969814ec6/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/get-request-post-data-expected.txt
[modify] https://crrev.com/105ed77b12d431c3680af90275d30f0969814ec6/third_party/WebKit/LayoutTests/http/tests/inspector-protocol/network/get-request-post-data.js
[modify] https://crrev.com/105ed77b12d431c3680af90275d30f0969814ec6/third_party/WebKit/Source/core/inspector/NetworkResourcesData.cpp
Feb 22 2018
Change had been merged.
Feb 23 2018

Feb 26 2018

Mar 6 2018
The VRP panel took a look and believe this is a null dereference with no security implications, sorry!
May 31 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot