CHECK failure: !in_navigate_to_pending_entry_ || delegate_->IsBeingDestroyed() in navigation_co
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4670172728918016
Fuzzer: ochang_domfuzzer
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: CHECK failure
Crash Address:
Crash State:
  !in_navigate_to_pending_entry_ || delegate_->IsBeingDestroyed() in navigation_co
  content::NavigationControllerImpl::DiscardPendingEntry
  content::NavigatorImpl::DiscardPendingEntryIfNeeded
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=531299:531319
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4670172728918016
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Apr 10 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/5d58446477738bdea980f343ba439719208e189e (Convert URLLoaderFactoryBundle to implement SharedURLLoaderFactory interface.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Apr 11 2018
estark@: Can you help triage this? This looks like it's due to your https://codereview.chromium.org/2909513002, which made an OnRequestFailed call from NavigationRequest::BeginNavigation due to CSP. That's causing the pending NavigationEntry to be deleted while we're still inside NavigateToPendingEntry, which is an unavoidable use-after-free. We have a CHECK in place to catch it, which it looks like Clusterfuzz found a repro for. Thanks!
Apr 11 2018
(Oh, and typical fixes for this sort of issue have involved posting a task, though I haven't thought carefully about whether that would work in this case.)
Apr 11 2018

Apr 12 2018

Apr 17 2018
Oddly I can only reproduce this with --disable-web-security; otherwise the repro runs afoul of cross-origin checks when trying to pushState on an error frame. Posting a task doesn't work out of the box because it seems to run afoul of some other DCHECKs, but I don't fully understand why yet -- will continue investigating this week. Also note that there's at least one other instance of this bug, presumably: https://cs.chromium.org/chromium/src/content/browser/frame_host/navigation_request.cc?sq=package:chromium&l=541
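The re-entrancy hazard discussed in the Apr 11 and Apr 17 comments, as an added C++ model that is not Chromium's code: the classes below are hypothetical stand-ins that borrow the names from the CHECK, the URL and the task queue are constructed, and the CHECK is counted rather than aborting so the model can be tested. It shows why a synchronous DiscardPendingEntry from inside NavigateToPendingEntry is a use-after-free window, how the in_navigate_to_pending_entry_ guard detects it, and how deferring the discard to a posted task moves it past that window. The model does not reproduce the other DCHECKs the Apr 17 comment mentions.

```cpp
// Added example (not Chromium code): a minimal model of the
// NavigateToPendingEntry / DiscardPendingEntry re-entrancy guard.
#include <functional>
#include <memory>
#include <queue>
#include <string>

struct NavigationEntry {
  std::string url;
};

class NavigationController {
 public:
  using Task = std::function<void()>;

  // Stand-in for the browser's task runner: posted tasks run only after the
  // current call stack has unwound (see RunPostedTasks()).
  void PostTask(Task task) { task_queue_.push(std::move(task)); }
  void RunPostedTasks() {
    while (!task_queue_.empty()) {
      Task task = std::move(task_queue_.front());
      task_queue_.pop();
      task();
    }
  }

  void SetPendingEntry(std::string url) {
    pending_entry_ = std::make_unique<NavigationEntry>();
    pending_entry_->url = std::move(url);
  }

  bool HasPendingEntry() const { return pending_entry_ != nullptr; }
  int check_failures() const { return check_failures_; }

  // Invariant mirrored from the crash state: the pending entry must not be
  // freed while NavigateToPendingEntry still holds a pointer to it. Chromium
  // enforces this with a CHECK (process abort); here the violation is
  // counted and the free is refused so the model stays memory-safe.
  void DiscardPendingEntry() {
    if (in_navigate_to_pending_entry_) {
      ++check_failures_;  // CHECK(!in_navigate_to_pending_entry_) would fire.
      return;
    }
    pending_entry_.reset();
  }

  // Runs the navigation-start callback while holding a raw pointer to the
  // pending entry: exactly the window in which a synchronous discard would
  // turn `entry` into a dangling pointer.
  std::string NavigateToPendingEntry(
      const std::function<void(NavigationController&)>& begin_navigation) {
    in_navigate_to_pending_entry_ = true;
    NavigationEntry* entry = pending_entry_.get();
    begin_navigation(*this);
    // Only safe because DiscardPendingEntry refused to free `entry` above.
    std::string url = entry ? entry->url : std::string();
    in_navigate_to_pending_entry_ = false;
    return url;
  }

 private:
  std::unique_ptr<NavigationEntry> pending_entry_;
  bool in_navigate_to_pending_entry_ = false;
  int check_failures_ = 0;
  std::queue<Task> task_queue_;
};

// Scenario 1: a request-failure path (e.g. a CSP block) discards the entry
// synchronously from inside BeginNavigation. The guard catches it.
int SynchronousDiscardCheckFailures() {
  NavigationController controller;
  controller.SetPendingEntry("https://example.test/blocked");  // constructed
  controller.NavigateToPendingEntry([](NavigationController& c) {
    c.DiscardPendingEntry();  // re-entrant: would free the entry in use
  });
  return controller.check_failures();  // 1
}

// Scenario 2: the same failure path defers the discard with a posted task,
// so it runs after NavigateToPendingEntry has returned and no CHECK fires.
bool DeferredDiscardIsClean() {
  NavigationController controller;
  controller.SetPendingEntry("https://example.test/blocked");  // constructed
  controller.NavigateToPendingEntry([](NavigationController& c) {
    c.PostTask([&c] { c.DiscardPendingEntry(); });
  });
  bool alive_during_navigation = controller.HasPendingEntry();
  controller.RunPostedTasks();
  return controller.check_failures() == 0 && alive_during_navigation &&
         !controller.HasPendingEntry();
}
```

The guard detects the bug but does not remove it; the fix is to make sure every failure path reached from BeginNavigation defers the discard (or otherwise leaves the entry alive) until the navigation call has unwound, which is what the posted-task approach in the thread aims at.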
Apr 24 2018
May 17 2018
ClusterFuzz testcase 4670172728918016 appears to be flaky, updating reproducibility label.
Dec 1
ClusterFuzz has detected this issue as fixed in range 558997:558998.
Detailed report: https://clusterfuzz.com/testcase?key=4670172728918016
Fuzzer: ochang_domfuzzer
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: CHECK failure
Crash Address:
Crash State:
  !in_navigate_to_pending_entry_ || delegate_->IsBeingDestroyed() in navigation_co
  content::NavigationControllerImpl::DiscardPendingEntry
  content::NavigatorImpl::DiscardPendingEntryIfNeeded
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=531299:531319
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=558997:558998
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4670172728918016
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 1
ClusterFuzz testcase 4670172728918016 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Apr 10 2018. Labels: Test-Predator-Auto-Components