Suspected Null-dereference READ in (anonymous namespace)::ObtainAndSetContextProvider |
||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5665371831664640 Fuzzer: marty_html_twiddler Job Type: linux_lsan_chrome_mp Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000000 Crash State: blink::HTMLElement::offsetWidthForBinding offsetWidthAttributeGetter blink::V8HTMLElement::offsetWidthAttributeGetterCallback Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=524271:524272 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5665371831664640 Additional requirements: Requires Gestures Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
May 1 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/2d0c4b351fb580604ce6809291290f211892ceb6 (Disable ProcessMemoryMetricsEmitterTest browser_tests). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
May 2 2018
My CL disabled a test in Chrome.
,
May 2 2018
Predator and CL could not provide any possible suspects. Using the code search for the file, “html_element.cc” assigning to concern owner from GIT blame. Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/383d1bb3f30b49fcdf3918cefc588637aa678ec0 @smcgruer -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes. Thank You.
,
May 2 2018
I believe clusterfuzz is blaming the wrong thread. If one expands the entire stack, we see that the thread that contains blink::HTMLElement::offsetWidthForBinding is actually crashing in: [15039:15039:0100/000000.908240:FATAL:font_cache.cc(401)] Check failed: false. #0 0x7ffbe0c50427 in gsignal /build/glibc-Cl5G7W/glibc-2.23/signal/../sysdeps/unix/sysv/linux/raise.c:54 #1 0x561099e05bed in logging::LogMessage::~LogMessage() base/logging.cc:855:7 #2 0x5610a3e8823e in blink::FontCache::CrashWithFontInfo(blink::FontDescription const*) third_party/blink/renderer/platform/fonts/font_cache.cc:401:3 #3 0x5610a3ea4039 in blink::FontFallbackIterator::Next(WTF::Vector<int, 0ul, WTF::PartitionAllocator> const&) third_party/blink/renderer/platform/fonts/font_fallback_iterator.cc:121:7 ...#84 0x5610a68a9ad6 in blink::HTMLElement::offsetWidthForBinding() third_party/blink/renderer/core/html/html_element.cc:1284:17 #85 0x5610a525c6ce in offsetWidthAttributeGetter gen/third_party/blink/renderer/bindings/core/v8/v8_html_element.cc:525:35 #86 0x5610a525c6ce in blink::V8HTMLElement::offsetWidthAttributeGetterCallback(v8::FunctionCallbackInfo<v8::Value> const&) gen/third_party/blink/render AT THE SAME TIME, a second thread has a stack trace, and I suspect that is the one that actually NULL de-referenced: #0 0x5610a8b2b1d1 in (anonymous namespace)::ObtainAndSetContextProvider(base::OnceCallback<void (viz::ContextProvider*)>, media::GpuVideoAcceleratorFactories*) content/renderer/media/media_factory.cc:107:55 #1 0x5610a8b2bb15 in Invoke<void (*)(base::OnceCallback<void (viz::ContextProvider *)>, media::GpuVideoAcceleratorFactories *), base::OnceCallback<void (viz::ContextProvider *)>, media::GpuVideoAcceleratorFactories *> base/bind_internal.h:402:12 #2 0x5610a8b2bb15 in MakeItSo<void (*)(base::OnceCallback<void (viz::ContextProvider *)>, media::GpuVideoAcceleratorFactories *), base::OnceCallback<void (viz::ContextProvider *)>, media::GpuVideoAcceleratorFactories *> base/bind_internal.h:547 ... Note that the PC here (0x5610a8b2b1d1) is *very* close to the PC in the SEGV report: ==15041==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5610a8b2b1d2 bp 0x7ffbca0be470 sp 0x7ffbca0be400 T12) Assigning lethalantidote@ as the most recent one to touch that line of code, and cc-ing the viz team as this appears to be viz-y code. My guess is that the |factories| parameter is nullptr. It seems to come from content::RenderThreadImpl::current()->GetGpuFactories() (not sure if that's called pre or post the task being posted).
,
May 2 2018
It was (correctly) pointed out to me that we don't really care about crashes in thread B, if thread A has already crashed. (Fail fast, yo). So really this is about the FontCache failure, which is apparently issue 561873 Apologies for the spam lethalantidote@
,
Jun 12 2018
ClusterFuzz has detected this issue as fixed in range 565929:565932. Detailed report: https://clusterfuzz.com/testcase?key=5665371831664640 Fuzzer: marty_html_twiddler Job Type: linux_lsan_chrome_mp Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000000 Crash State: blink::HTMLElement::offsetWidthForBinding offsetWidthAttributeGetter blink::V8HTMLElement::offsetWidthAttributeGetterCallback Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=524271:524272 Fixed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=565929:565932 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5665371831664640 Additional requirements: Requires Gestures See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page. |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by ClusterFuzz
, May 1 2018Labels: Test-Predator-Auto-Components