New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 829240 link

Starred by 2 users
Status: Verified
Owner:
yamaguchi@chromium.org
Closed: May 2018
Cc:
tetsui@chromium.org
yoshiki@chromium.org
peter@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Regression



Sign in to add a comment

Null-dereference READ in message_center::NotificationViewMD::ToggleInlineSettings

Project Member Reported by ClusterFuzz, Apr 5 2018 
Detailed report: https://clusterfuzz.com/testcase?key=5084201200910336

Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000100
Crash State:
  message_center::NotificationViewMD::ToggleInlineSettings
  message_center::NotificationViewMD::OnMouseReleased
  ui::ScopedTargetHandler::OnEvent
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=453925:454041

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5084201200910336

Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Apr 5 2018

Components: UI>Notifications
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by peter@chromium.org, Apr 9 2018

Owner: tetsui@chromium.org
Status: Assigned (was: Untriaged)

Comment 3 by tetsui@chromium.org, Apr 25 2018

Cc: tetsui@chromium.org yoshiki@chromium.org
 Issue 833170  has been merged into this issue.

Comment 4 by yoshiki@chromium.org, May 7 2018 

Issue 838522 has been merged into this issue.

Comment 5 by yoshiki@chromium.org, May 7 2018

Owner: yamaguchi@chromium.org

Comment 6 by yamaguchi@chromium.org, May 9 2018

Status: Started (was: Assigned)

Comment 7 by tetsui@chromium.org, May 10 2018 

I think I found the step to repro.

1. Press Alt-Search or CapsLock, notification is shwon
2. Open notification center
3. Long press the notification
4. It crashes with the stack trace same as #0

Comment 8 by tetsui@chromium.org, May 11 2018

Labels: ReleaseBlock-Stable M-67

Comment 9 by tetsui@chromium.org, May 11 2018

Labels: -Type-Bug Type-Bug-Regression
Yamaguchi-san, thank you for taking a look at this.

Let me send a fix on behalf of you, as this issue turned out to be M67 regression which will be stable cut very soon and easily reproducible with reasonable user interaction.

https://crrev.com/c/1053933
Project Member

Comment 10 by bugdroid1@chromium.org, May 11 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b7c6d92241abb531fea5fd8ecae508d1c77befeb

commit b7c6d92241abb531fea5fd8ecae508d1c77befeb
Author: Tetsui Ohkubo <tetsui@chromium.org>
Date: Fri May 11 18:17:54 2018

Fix inline settings toggle crash.

ToggleInlineSettings assumed |settings_row_| to exist. However, it
wasn't always the case.

TEST=manual
BUG= 829240 

Change-Id: I0a95bf830f616fd7c380fdf19009da00f53ba3b3
Reviewed-on: https://chromium-review.googlesource.com/1053933
Reviewed-by: Evan Stade <estade@chromium.org>
Commit-Queue: Tetsui Ohkubo <tetsui@chromium.org>
Cr-Commit-Position: refs/heads/master@{#557941}
[modify] https://crrev.com/b7c6d92241abb531fea5fd8ecae508d1c77befeb/ui/message_center/views/notification_view_md.cc

Comment 11 by tetsui@chromium.org, May 14 2018

Labels: Merge-Request-67
Status: Verified (was: Started)
Verified on 68.0.3429.0.
Project Member

Comment 12 by sheriffbot@chromium.org, May 14 2018

Labels: -Merge-Request-67 Merge-Review-67 Hotlist-Merge-Review
This bug requires manual review: M67 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 13 by kbleicher@chromium.org, May 14 2018

Labels: -Merge-Review-67 Merge-Approved-67
Why is this a RBS in #8?  Seems like a fairly specific workflow.  Is that common?

Thanks for the comments in #9 and #11; helpful :-)

Approving merge to M67 Chrome OS.

Comment 14 by tetsui@chromium.org, May 14 2018 

#13: This bug applies to all the system notifications, not only the one mentioned in #7. Also, long pressing a notification is common in web notifications, so it's easy to confuse them.
Project Member

Comment 15 by bugdroid1@chromium.org, May 14 2018

Labels: -merge-approved-67 merge-merged-3396
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9c6a6a7f2c1ebae3176c1702a7c2d84c363332ec

commit 9c6a6a7f2c1ebae3176c1702a7c2d84c363332ec
Author: Tetsui Ohkubo <tetsui@chromium.org>
Date: Mon May 14 16:27:17 2018

Fix inline settings toggle crash.

ToggleInlineSettings assumed |settings_row_| to exist. However, it
wasn't always the case.

TEST=manual
BUG= 829240 
TBR=estade@chromium.org

Change-Id: I0a95bf830f616fd7c380fdf19009da00f53ba3b3
Reviewed-on: https://chromium-review.googlesource.com/1053933
Reviewed-by: Evan Stade <estade@chromium.org>
Commit-Queue: Tetsui Ohkubo <tetsui@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#557941}(cherry picked from commit b7c6d92241abb531fea5fd8ecae508d1c77befeb)
Reviewed-on: https://chromium-review.googlesource.com/1057847
Reviewed-by: Tetsui Ohkubo <tetsui@chromium.org>
Cr-Commit-Position: refs/branch-heads/3396@{#588}
Cr-Branched-From: 9ef2aa869bc7bc0c089e255d698cca6e47d6b038-refs/heads/master@{#550428}
[modify] https://crrev.com/9c6a6a7f2c1ebae3176c1702a7c2d84c363332ec/ui/message_center/views/notification_view_md.cc

Sign in to add a comment