Heap-use-after-free in base::debug::TaskAnnotator::RunTask
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6012314491551744
Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x615000151b00
Crash State:
  base::debug::TaskAnnotator::RunTask
  base::ThreadFunc
  _pthread_body
Sanitizer: address (ASAN)
Recommended Security Severity: High
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6012314491551744

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Apr 26 2018

Apr 26 2018

May 2 2018
Assigning based on git blame of frame #6 at time of free. emircan@ - can you please take a look or re-assign as appropriate? Thanks!

May 3 2018
dcastagna@ can you PTAL? It happens during content::GpuVideoAcceleratorFactoriesImpl::ReleaseContextProvider() sequence added in https://chromium.googlesource.com/chromium/src/+/b0f69fcfb9dc32b5dd037dc6b99c968225d870d6%5E%21/content/renderer/media/gpu/gpu_video_accelerator_factories_impl.cc

May 3 2018
Did you try to repro it? What are we trying to access after it had been freed? Does this happen only on mac?

May 3 2018
I couldn't repro with the "Unminimized Testcase" provided using a Linux ASan build. I didn't get a chance to try on Mac. Still, the stack trace is pretty clear about a context loss and naked ptr issue.

On media thread: GpuVideoAcceleratorFactoriesImpl releases |scoped_refptr<ui::ContextProviderCommandBuffer> context_provider_|. This is the last reference.

#1 0x1272d77b5 in Release base/memory/scoped_refptr.h:280:8
#2 0x1272d77b5 in ~scoped_refptr base/memory/scoped_refptr.h:208
#3 0x1272d77b5 in ~scoped_refptr base/memory/scoped_refptr.h:201
#4 0x1272d77b5 in operator= base/memory/scoped_refptr.h:223
#5 0x1272d77b5 in content::GpuVideoAcceleratorFactoriesImpl::ReleaseContextProvider() content/renderer/media/gpu/gpu_video_accelerator_factories_impl.cc:394
#6 0x1272da611 in CheckContextLost content/renderer/media/gpu/gpu_video_accelerator_factories_impl.cc:124:7
#7 0x1272da611 in content::GpuVideoAcceleratorFactoriesImpl::ContextGL() content/renderer/media/gpu/gpu_video_accelerator_factories_impl.cc:332
#8 0x1100141f8 in media::GpuMemoryBufferVideoFramePool::PoolImpl::DeleteFrameResources(media::GpuVideoAcceleratorFactories*, media::GpuMemoryBufferVideoFramePool::PoolImpl::FrameResources*) media/video/gpu_memory_buffer_video_frame_pool.cc:1035:54

On |video_frame_compositor_task_runner| thread (probably compositor): LayerTreeResourceProvider dtor tries to access |viz::ContextProvider* compositor_context_provider_| which is being freed.
https://cs.chromium.org/chromium/src/content/renderer/media/media_factory.cc?type=cs&sq=package:chromium&l=283

#0 0x11a44ca94 in ContextGL cc/resources/layer_tree_resource_provider.cc:342:46
#1 0x11a44ca94 in cc::LayerTreeResourceProvider::~LayerTreeResourceProvider() cc/resources/layer_tree_resource_provider.cc:94
#2 0x122269bbe in std::__1::default_delete<cc::LayerTreeResourceProvider>::operator()(cc::LayerTreeResourceProvider*) const third_party/llvm-build/Release+Asserts/include/c++/v1/memory:2321:5
#3 0x122269bbe in std::__1::unique_ptr<cc::LayerTreeResourceProvider, std::__1::default_delete<cc::LayerTreeResourceProvider> >::reset(cc::LayerTreeResourceProvider*) third_party/llvm-build/Release+Asserts/include/c++/v1/memory:2634
#4 0x122269bbe in std::__1::unique_ptr<cc::LayerTreeResourceProvider, std::__1::default_delete<cc::LayerTreeResourceProvider> >::operator=(std::nullptr_t) third_party/llvm-build/Release+Asserts/include/c++/v1/memory:2592
#5 0x122269bbe in blink::VideoFrameResourceProvider::~VideoFrameResourceProvider() third_party/blink/renderer/platform/graphics/video_frame_resource_provider.cc:31
#6 0x122269dac in blink::VideoFrameResourceProvider::~VideoFrameResourceProvider() third_party/blink/renderer/platform/graphics/video_frame_resource_provider.cc:28:59
#7 0x122269dac in blink::VideoFrameResourceProvider::~VideoFrameResourceProvider() third_party/blink/renderer/platform/graphics/video_frame_resource_provider.cc:28
#8 0x12226bc73 in std::__1::default_delete<blink::VideoFrameResourceProvider>::operator()(blink::VideoFrameResourceProvider*) const third_party/llvm-build/Release+Asserts/include/c++/v1/memory:2321:5
#9 0x12226bc73 in std::__1::unique_ptr<blink::VideoFrameResourceProvider, std::__1::default_delete<blink::VideoFrameResourceProvider> >::reset(blink::VideoFrameResourceProvider*) third_party/llvm-build/Release+Asserts/include/c++/v1/memory:2634
#10 0x12226bc73 in std::__1::unique_ptr<blink::VideoFrameResourceProvider, std::__1::default_delete<blink::VideoFrameResourceProvider> >::~unique_ptr() third_party/llvm-build/Release+Asserts/include/c++/v1/memory:2588
#11 0x12226bc73 in std::__1::unique_ptr<blink::VideoFrameResourceProvider, std::__1::default_delete<blink::VideoFrameResourceProvider> >::~unique_ptr() third_party/llvm-build/Release+Asserts/include/c++/v1/memory:2588
#12 0x12226bc73 in blink::VideoFrameSubmitter::~VideoFrameSubmitter() third_party/blink/renderer/platform/graphics/video_frame_submitter.cc:31
#13 0x12226bc73 in blink::VideoFrameSubmitter::~VideoFrameSubmitter() third_party/blink/renderer/platform/graphics/video_frame_submitter.cc:31
#14 0x12226bc73 in blink::VideoFrameSubmitter::~VideoFrameSubmitter() third_party/blink/renderer/platform/graphics/video_frame_submitter.cc:31

Assigning back to dcastagna@ to take a look at the fuzz page and retriage. I am not too familiar with the hierarchy between these classes. lethalantidote@ seems to have some TODOs in the path as well, can you PTAL?
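The lifetime shape described in the comment above, as an added illustration that is not Chromium code and not the fix that later landed: std::shared_ptr stands in for scoped_refptr, a liveness registry stands in for ASan, and the two resource-provider structs are constructed here to contrast a naked pointer with a co-owning reference at teardown.

```cpp
#include <memory>
#include <set>

// Constructed stand-in for viz::ContextProvider (not Chromium code). Live
// instances are tracked by address so a dangling pointer can be detected
// without dereferencing freed memory.
class ContextProvider {
 public:
  ContextProvider() { Live().insert(this); }
  ~ContextProvider() { Live().erase(this); }
  static bool IsLive(const ContextProvider* p) { return Live().count(p) != 0; }
 private:
  static std::set<const ContextProvider*>& Live() {
    static std::set<const ContextProvider*> s;
    return s;
  }
};

// The shape in the report: the compositor-side resource provider holds a naked
// pointer while the media-side factories object owns the only strong reference.
struct RawPtrResourceProvider {
  ContextProvider* compositor_context_provider_;  // non-owning
  // Proxy for the ContextGL() call in the destructor: is the pointee alive?
  bool ContextStillValid() const {
    return ContextProvider::IsLive(compositor_context_provider_);
  }
};

// Co-owning shape: the media thread dropping its reference cannot free the
// provider while this consumer still holds one.
struct StrongRefResourceProvider {
  std::shared_ptr<ContextProvider> compositor_context_provider_;  // owning
  bool ContextStillValid() const {
    return ContextProvider::IsLive(compositor_context_provider_.get());
  }
};

// Replay the ordering from the thread: ReleaseContextProvider() drops the
// last reference first, then the resource provider is torn down.
bool TeardownWithRawPointer() {
  auto factories_ref = std::make_shared<ContextProvider>();  // scoped_refptr stand-in
  RawPtrResourceProvider rp{factories_ref.get()};
  factories_ref.reset();          // last reference gone: object freed
  return rp.ContextStillValid();  // false: the dtor would touch freed memory
}

bool TeardownWithStrongRef() {
  auto factories_ref = std::make_shared<ContextProvider>();
  StrongRefResourceProvider rp{factories_ref};
  factories_ref.reset();          // media side lets go
  return rp.ContextStillValid();  // true: rp's own reference keeps it alive
}
```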

May 3 2018
We should not be accessing the media GL context provider from a thread that is not the media thread. lethalantidote@, are we currently doing that?

May 3 2018
I don't think we are. video_frame_compositor_task_runner is on the media thread.

May 13 2018
ClusterFuzz has detected this issue as fixed in range 558152:558153.

Detailed report: https://clusterfuzz.com/testcase?key=6012314491551744
Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x615000151b00
Crash State:
  base::debug::TaskAnnotator::RunTask
  base::ThreadFunc
  _pthread_body
Sanitizer: address (ASAN)
Recommended Security Severity: High
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=558152:558153
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6012314491551744

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

May 13 2018
ClusterFuzz testcase 6012314491551744 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

May 13 2018

May 29 2018

Jun 8 2018

Jun 8 2018
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@ (Android), kariahda@ (iOS), bhthompson@ (ChromeOS), abdulsyed@ (Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jun 8 2018
I don't see anything that should be merged here.

Aug 19
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Apr 26 2018
Labels: Test-Predator-Auto-Components