Issue 820773

Starred by 3 users

Issue metadata

Status: Verified
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Chrome
Pri: 1
Type: Bug




Null-dereference READ in autofill::AutofillAgent::GetAutofillDriver

Project Member Reported by ClusterFuzz, Mar 11 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4716154724286464

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  autofill::AutofillAgent::GetAutofillDriver
  autofill::AutofillAgent::OnProvisionallySaveForm
  autofill::FormTracker::FormControlDidChangeImpl
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=540454:540455

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4716154724286464

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Mar 11 2018

Components: UI>Browser>Autofill
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Mar 11 2018

Labels: Test-Predator-Auto-Owner
Owner: michaelbai@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/8148326c1e81df720356a9eb7e40fe63b69fba52 (Get Select control change for autofill in browser side).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Project Member

Comment 3 by bugdroid1@chromium.org, Mar 13 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9b3bc29bcf2a6bd6bbc0b487fff175865b69d4b7

commit 9b3bc29bcf2a6bd6bbc0b487fff175865b69d4b7
Author: Tao Bai <michaelbai@chromium.org>
Date: Tue Mar 13 13:17:23 2018

Fix crash caused by nullptr returned by GetAutofillDriver

don't know why it only happens for select control.

Bug:  820773 
Change-Id: Id036a10c8fa33792fa50023444ba68dadadbf90f
Reviewed-on: https://chromium-review.googlesource.com/959447
Commit-Queue: Sebastien Seguin-Gagnon <sebsg@chromium.org>
Reviewed-by: Sebastien Seguin-Gagnon <sebsg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#542784}
[modify] https://crrev.com/9b3bc29bcf2a6bd6bbc0b487fff175865b69d4b7/components/autofill/content/renderer/autofill_agent.cc

Issue 821781 has been merged into this issue.
The fix in #3 was wrong; the crash actually happened in GetAutofillDriver: render_frame() was null in the crash.
Project Member

Comment 6 by bugdroid1@chromium.org, Mar 14 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ec24a4c2485eee13e1f66f59f67361fd7ba168bd

commit ec24a4c2485eee13e1f66f59f67361fd7ba168bd
Author: Tao Bai <michaelbai@chromium.org>
Date: Wed Mar 14 17:16:08 2018

Revert "Fix crash caused by nullptr returned by GetAutofillDriver"

This reverts commit 9b3bc29bcf2a6bd6bbc0b487fff175865b69d4b7.

Reason for revert: I interpreted the crash log wrongly; this isn't the right fix.

Original change's description:
> Fix crash caused by nullptr returned by GetAutofillDriver
> 
> don't know why it only happens for select control.
> 
> Bug:  820773 
> Change-Id: Id036a10c8fa33792fa50023444ba68dadadbf90f
> Reviewed-on: https://chromium-review.googlesource.com/959447
> Commit-Queue: Sebastien Seguin-Gagnon <sebsg@chromium.org>
> Reviewed-by: Sebastien Seguin-Gagnon <sebsg@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#542784}

TBR=michaelbai@chromium.org,rogerm@chromium.org,sebsg@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug:  820773 
Change-Id: If8cdcff97af91fbc81c7409b835c8d87fbe4a16f
Reviewed-on: https://chromium-review.googlesource.com/962822
Reviewed-by: Tao Bai <michaelbai@chromium.org>
Commit-Queue: Tao Bai <michaelbai@chromium.org>
Cr-Commit-Position: refs/heads/master@{#543112}
[modify] https://crrev.com/ec24a4c2485eee13e1f66f59f67361fd7ba168bd/components/autofill/content/renderer/autofill_agent.cc

Project Member

Comment 7 by bugdroid1@chromium.org, Mar 14 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cf1d64f497dc3519ed222ae5a7ff663154cb7d58

commit cf1d64f497dc3519ed222ae5a7ff663154cb7d58
Author: Tao Bai <michaelbai@chromium.org>
Date: Wed Mar 14 19:26:32 2018

Fix crash caused by render frame was gone

FormTracker::FormControlDidChangeImpl runs as a posted task, and the render frame
could be gone by the time it runs.

Bug:  820773 
Change-Id: I234d4b44a27903ea2e4c4b9f83fab63ec9accb00
Reviewed-on: https://chromium-review.googlesource.com/962921
Commit-Queue: Sebastien Seguin-Gagnon <sebsg@chromium.org>
Reviewed-by: Sebastien Seguin-Gagnon <sebsg@chromium.org>
Cr-Commit-Position: refs/heads/master@{#543152}
[modify] https://crrev.com/cf1d64f497dc3519ed222ae5a7ff663154cb7d58/components/autofill/content/renderer/form_tracker.cc
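
The failure mode this commit describes, a task posted from FormTracker that runs after the RenderFrame it refers to has been torn down, modelled as an added C++ example. This is not Chromium's code: RenderFrame, Agent, TaskRunner, BuggyScenario and FixedScenario are stand-ins constructed for the example, and the fixed variant shows the general shape of the guard (re-check the frame when the posted task actually runs) rather than the exact lines landed in form_tracker.cc, which are not on this page.

```cpp
// Added example, not Chromium code: a minimal single-threaded model of the
// "posted task outlives the render frame" lifetime bug and its guard.
#include <functional>
#include <queue>
#include <utility>

enum class Outcome { kHandled, kNullDeref, kSkipped };

// Stand-in for content::RenderFrame (constructed for this example).
struct RenderFrame {
  int routing_id;
};

// Stand-in for AutofillAgent: holds a raw pointer to its RenderFrame that is
// cleared when the frame is torn down, which is the state the report above
// found inside GetAutofillDriver() (render_frame() == nullptr).
class Agent {
 public:
  explicit Agent(RenderFrame* frame) : frame_(frame) {}
  void OnFrameDestroyed() { frame_ = nullptr; }
  RenderFrame* render_frame() const { return frame_; }

  // Models OnProvisionallySaveForm(): the real code dereferences the driver
  // obtained from the frame; here a null frame is reported instead of crashing.
  Outcome OnProvisionallySaveForm() const {
    RenderFrame* frame = render_frame();
    if (!frame) return Outcome::kNullDeref;  // UBSAN null-deref READ in the real code
    return frame->routing_id >= 0 ? Outcome::kHandled : Outcome::kNullDeref;
  }

 private:
  RenderFrame* frame_;
};

// Stand-in for the renderer main-thread task runner: tasks run later, in order.
class TaskRunner {
 public:
  void PostTask(std::function<void()> task) { tasks_.push(std::move(task)); }
  void RunUntilIdle() {
    while (!tasks_.empty()) {
      std::function<void()> task = std::move(tasks_.front());
      tasks_.pop();
      task();
    }
  }

 private:
  std::queue<std::function<void()>> tasks_;
};

// Buggy shape: FormTracker posts the change notification and the task assumes
// the frame is still there when it eventually runs.
Outcome BuggyScenario() {
  RenderFrame frame{7};
  Agent agent(&frame);
  TaskRunner runner;
  Outcome outcome = Outcome::kSkipped;
  runner.PostTask([&] { outcome = agent.OnProvisionallySaveForm(); });
  agent.OnFrameDestroyed();  // frame torn down before the posted task runs
  runner.RunUntilIdle();
  return outcome;            // Outcome::kNullDeref
}

// Guarded shape: the posted task re-checks the frame at run time and bails out
// if it is gone, so the notification is dropped instead of dereferencing null.
Outcome FixedScenario(bool destroy_frame_before_task_runs) {
  RenderFrame frame{7};
  Agent agent(&frame);
  TaskRunner runner;
  Outcome outcome = Outcome::kSkipped;
  runner.PostTask([&] {
    if (!agent.render_frame()) return;  // nothing left to notify
    outcome = agent.OnProvisionallySaveForm();
  });
  if (destroy_frame_before_task_runs) agent.OnFrameDestroyed();
  runner.RunUntilIdle();
  return outcome;  // kSkipped if the frame was destroyed, kHandled otherwise
}
```

The point of the model is the ordering: anything checked at PostTask time says nothing about the state at run time, so the check belongs inside the task (or the task must be bound to a weak handle that is invalidated on teardown). Fuzzers that drive DOM changes while navigating away, as the browser fuzzer here did, are an effective way to surface this class of use-after-teardown bug.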

Project Member

Comment 8 by ClusterFuzz, Mar 15 2018

Labels: OS-Chrome
Project Member

Comment 9 by ClusterFuzz, Mar 15 2018

ClusterFuzz has detected this issue as fixed in range 543151:543153.

Detailed report: https://clusterfuzz.com/testcase?key=4716154724286464

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  autofill::AutofillAgent::GetAutofillDriver
  autofill::AutofillAgent::OnProvisionallySaveForm
  autofill::FormTracker::FormControlDidChangeImpl
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=540454:540455
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=543151:543153

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4716154724286464

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by ClusterFuzz, Mar 15 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4716154724286464 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
