CHECK failure: metadata_set.IsEmpty() in SubresourceIntegrity.cpp |
||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4748691886571520 Fuzzer: libFuzzer_html_preload_scanner_fuzzer Job Type: libfuzzer_chrome_asan_debug Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: metadata_set.IsEmpty() in SubresourceIntegrity.cpp void blink::TokenPreloadScanner::StartTagScanner::ProcessScriptAttribute<WTF::At void blink::TokenPreloadScanner::StartTagScanner::ProcessAttribute<WTF::AtomicSt Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=540517:540525 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4748691886571520 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Mar 3 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/def6084e9b4a72781bbf47b7eb819084af96c5d2 (Implement Origin Trial for signature-based SRI.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Mar 5 2018
The DCHECK checks that noone tries to parse two integrity arguments, because that wouldn't make sense. It turns out that HTMLPreloadScanner was written to be simple & fast, and doesn't bother to check for duplicate attributes, and hence runs into this (with the "right" malformed input). I'll probably fix this by having a separate API entry point for the preload scanner. Also, downgrading the bug, because it's technically harmless.
,
Mar 13 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ff1c866d26f0cfca5898b8f49e1f44474b816d2b commit ff1c866d26f0cfca5898b8f49e1f44474b816d2b Author: Daniel Vogelheim <vogelheim@chromium.org> Date: Tue Mar 13 20:08:03 2018 Tolerate multiple ParseIntegrityAttribute calls for HTMLPreloadScanner. HTMLPreloadScanner is written to be simple and fast. SubresourceIntegrity::ParseIntegrtiyAttribute assumes that the caller does error checking, and won't call it twice for the same element. Reconcile the two by adding a relaxed version, TryParseIntegrityAttribute. Bug: 818385 Change-Id: I722fb80c283249941e8db14a8efc9af392bc1cbc Reviewed-on: https://chromium-review.googlesource.com/948848 Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Yoav Weiss <yoav@yoav.ws> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#542891} [modify] https://crrev.com/ff1c866d26f0cfca5898b8f49e1f44474b816d2b/third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp [modify] https://crrev.com/ff1c866d26f0cfca5898b8f49e1f44474b816d2b/third_party/WebKit/Source/core/html/parser/HTMLPreloadScannerTest.cpp [modify] https://crrev.com/ff1c866d26f0cfca5898b8f49e1f44474b816d2b/third_party/WebKit/Source/core/html/parser/PreloadRequest.h
,
Mar 14 2018
ClusterFuzz has detected this issue as fixed in range 542888:542891. Detailed report: https://clusterfuzz.com/testcase?key=4748691886571520 Fuzzer: libFuzzer_html_preload_scanner_fuzzer Job Type: libfuzzer_chrome_asan_debug Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: metadata_set.IsEmpty() in SubresourceIntegrity.cpp void blink::TokenPreloadScanner::StartTagScanner::ProcessScriptAttribute<WTF::At void blink::TokenPreloadScanner::StartTagScanner::ProcessAttribute<WTF::AtomicSt Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=540517:540525 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=542888:542891 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4748691886571520 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 14 2018
ClusterFuzz testcase 4748691886571520 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
||||
►
Sign in to add a comment |
||||
Comment 1 by ClusterFuzz
, Mar 3 2018Labels: Test-Predator-Auto-Components