New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 828742 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Aug 22
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Regression



Sign in to add a comment

Null-dereference READ in content::ResourceDispatcherHostImpl::UpdateLoadStateOnUI

Project Member Reported by ClusterFuzz, Apr 4 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5767314172280832

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  content::ResourceDispatcherHostImpl::UpdateLoadStateOnUI
  void base::internal::FunctorTraits<void
  base::internal::Invoker<base::internal::BindState<void
  
Sanitizer: thread (TSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=528051:528053

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5767314172280832

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Apr 4 2018

Components: Internals>Core
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Cc: brajkumar@chromium.org
Labels: -Type-Bug M-66 Test-Predator-Wrong Type-Bug-Regression
Owner: csharrison@chromium.org
Status: Assigned (was: Untriaged)
> Unable to find actual suspect through code search and also observing no related changes under regression range.

> By comparing the stack trace of this issue, it looks similar to  bug 829067  , hence assigning to the same owner for more updates.

> csharrison@ Could you please take a look in to this issue?

Thanks!
Cc: mbarbe...@chromium.org
Components: Internals>Network Services>Safebrowsing
+mbarbella, this is an example of a bug report with a confusing regression range in the past. According to the fuzzer this is not fixed, but it regressed 3 months ago.

It also looks like this report has a heap-use-after-free immediately before the crash. Possibly that is the culprit here.

There is probably the same root issue as  issue 829067 , but I'll hold off duping them for now since the reports are different.

Comment 4 by vakh@chromium.org, Apr 6 2018

Labels: SafeBrowsing-Triaged
Project Member

Comment 5 by ClusterFuzz, Aug 22

ClusterFuzz has detected this issue as fixed in range 584882:584885.

Detailed report: https://clusterfuzz.com/testcase?key=5767314172280832

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  content::ResourceDispatcherHostImpl::UpdateLoadStateOnUI
  void base::internal::FunctorTraits<void
  base::internal::Invoker<base::internal::BindState<void
  
Sanitizer: thread (TSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=528051:528053
Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=584882:584885

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5767314172280832

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Aug 22

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5767314172280832 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment