Null-dereference READ in extensions::EventsEventRemoveRulesFunction::RunAsyncOnCorrectThread

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6394238770872320

Fuzzer: ipc_fuzzer_mut
Job Type: linux_asan_chrome_ipc
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000198
Crash State:
  extensions::EventsEventRemoveRulesFunction::RunAsyncOnCorrectThread
  base::internal::Invoker<base::internal::BindState<std::__1::unique_ptr<Extension
  void base::internal::ReturnAsParamAdapter<std::__1::unique_ptr<ExtensionFunction

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=548504:548506

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6394238770872320

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Apr 9 2018
Thanks for the report, will look into it. From a quick look, it looks like ExtensionFunction::extension_id() is getting a null deref from EventsEventRemoveRulesFunction::RunAsyncOnCorrectThread; |extension_| is null?
Apr 10 2018
This doesn't seem like a regression. I've verified that by manually reverting the CL locally, then running play_testcase.py fuzzer script. The crash happens before the CL mentioned in comment #1. However, this is bad regardless.
Apr 10 2018
@brajkumar, can you verify whether this was happening before the CL (does clusterfuzz allow that)? Not super important, but would be helpful. Thanks.
Oct 21
ClusterFuzz has detected this issue as fixed in range 601409:601411.

Detailed report: https://clusterfuzz.com/testcase?key=6394238770872320

Fuzzer: ipc_fuzzer_mut
Job Type: linux_asan_chrome_ipc
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000198
Crash State:
  extensions::EventsEventRemoveRulesFunction::RunAsyncOnCorrectThread
  base::internal::Invoker<base::internal::BindState<std::__1::unique_ptr<Extension
  void base::internal::ReturnAsParamAdapter<std::__1::unique_ptr<ExtensionFunction

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=548504:548506
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=601409:601411

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6394238770872320

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Oct 21
ClusterFuzz testcase 6394238770872320 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by brajkumar@chromium.org, Apr 9 2018
Components: Platform>Extensions
Labels: -Type-Bug M-67 Test-Predator-Wrong Type-Bug-Regression
Owner: lazyboy@chromium.org
Status: Assigned (was: Untriaged)