Null-dereference READ in blink::WindowPerformance::AddEventTiming |
||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5072948134936576 Fuzzer: ochang_domfuzzer Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x0000000004d0 Crash State: blink::WindowPerformance::AddEventTiming blink::EventTiming::DidDispatchEvent blink::EventDispatcher::Dispatch Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=556511:556513 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5072948134936576 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
May 8 2018
Predator and CL could not provide any possible suspects. Using Code Search for the file, "window_performance.cc" suspecting the below Cl might have caused this issue Suspect CL: https://chromium.googlesource.com/chromium/src/+/6bc702ce4e6080adf5fff8e998e5138de88f1f7c%5E%21/third_party/blink/renderer/core/timing/window_performance.cc maxlg@ -- Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner. Thanks!
,
May 8 2018
Yes, I confirm that this is caused by my change. Theoretically this crash could only be triggered when EventTiming flag is enabled.
,
May 8 2018
Things unclear to me is which pointer is the Null-dereference READ talking about( https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/timing/window_performance.cc?l=288): 1. if it's |loader|, then why it didn't crash at DCHECK(loader). 2. if it's |load_start|, then I believe it shouldn't crash, as it's not really a pointer
,
May 8 2018
+tdresser
,
May 8 2018
With clusterfuzz bugs, getting a local repro is normally pretty easy, and then you can point a debugger at it. See http://www.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs
,
May 8 2018
,
May 8 2018
Interestingly. I can see the crash by: prodaccess && /google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 5072948134936576 But I don't see the crash when I execute content_shell script manually: /usr/local/google/home/maxlg/Develop/gitRepo/chrome/chromium/src/out/clusterfuzz_5072948134936576/content_shell --run-layout-test --dump-render-tree --use-gl=swiftshader --enable-experimental-web-platform-features --disable-in-process-stack-traces --enable-logging=stderr --v=1 --user-data-dir=/tmp/clusterfuzz-user-data-dir /usr/local/google/home/maxlg/.clusterfuzz/cache/testcases/5072948134936576_testcase/fuzz-378-xhtml-synchronous-detach-crash.html
,
May 8 2018
,
May 9 2018
Actually I misread the log. I mistook the "original crashes" to be the crashes still happening. But for the crash happened in the cluster fuzz, i guess the real crash happened at dereferencing loader, which was guarded by a DCHECK but cluster fuzz doesn't have DCHECK enabled. As for why the LoadEventStart() is the crash place. My hypothesis is that, in a release mode, the codes were optimized in a way that some of the stack trace are not totally accurate.
,
May 9 2018
This sounds correct to me. Looks like other uses of DocumentLoader do a null check before usage.
,
May 9 2018
,
May 9 2018
,
May 16 2018
ClusterFuzz testcase 6231640251301888 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
May 16 2018
ClusterFuzz has detected this issue as fixed in range 558997:559000. Detailed report: https://clusterfuzz.com/testcase?key=5072948134936576 Fuzzer: ochang_domfuzzer Job Type: linux_asan_content_shell_drt Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x0000000004d0 Crash State: blink::WindowPerformance::AddEventTiming blink::EventTiming::DidDispatchEvent blink::EventDispatcher::Dispatch Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=556511:556513 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=558997:559000 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5072948134936576 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 22 2018
Issue 845120 has been merged into this issue.
,
May 22 2018
Issue 845004 has been merged into this issue.
,
May 22 2018
Issue 844370 has been merged into this issue.
,
May 22 2018
Issue 844005 has been merged into this issue.
,
May 22 2018
Once the CL is landed the issue should be gone: https://chromium-review.googlesource.com/c/chromium/src/+/1050953
,
May 23 2018
ClusterFuzz testcase 4523436341460992 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
,
May 25 2018
From #22 it seems that not all testcases from bugs merged into this one were fixed. PTAL
,
May 26 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bf9a8c37e2e3d447cbfbba77744b01cba170e3fb commit bf9a8c37e2e3d447cbfbba77744b01cba170e3fb Author: Liquan(Max) Gu <maxlg@chromium.org> Date: Sat May 26 16:54:32 2018 [EventTiming] Should buffer event timing when document loader is null Previously we assumed that document loader must be present when judging whether event timing should buffer entry, which is actually not always the case. Bug: 840730 Change-Id: Id297acf136a26298ccc1d8efe7f0b69c9b9b9db5 Reviewed-on: https://chromium-review.googlesource.com/1050953 Reviewed-by: Nate Chapin <japhet@chromium.org> Reviewed-by: Timothy Dresser <tdresser@chromium.org> Commit-Queue: Liquan (Max) Gǔ <maxlg@chromium.org> Cr-Commit-Position: refs/heads/master@{#562126} [modify] https://crrev.com/bf9a8c37e2e3d447cbfbba77744b01cba170e3fb/third_party/blink/renderer/core/timing/window_performance.cc [modify] https://crrev.com/bf9a8c37e2e3d447cbfbba77744b01cba170e3fb/third_party/blink/renderer/core/timing/window_performance_test.cc
,
Jun 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d749cb4862028b83aebfd9609dae66e33ddc03ac commit d749cb4862028b83aebfd9609dae66e33ddc03ac Author: Liquan(Max) Gu <maxlg@chromium.org> Date: Fri Jun 22 15:27:45 2018 [EventTiming] Should buffer event timing when document loader is null Previously we assumed that document loader must be present when judging whether event timing should buffer entry, which is actually not always the case. Bug: 840730 Change-Id: Id297acf136a26298ccc1d8efe7f0b69c9b9b9db5 Reviewed-on: https://chromium-review.googlesource.com/1050953 Reviewed-by: Nate Chapin <japhet@chromium.org> Reviewed-by: Timothy Dresser <tdresser@chromium.org> Commit-Queue: Liquan (Max) Gǔ <maxlg@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#562126}(cherry picked from commit bf9a8c37e2e3d447cbfbba77744b01cba170e3fb) Reviewed-on: https://chromium-review.googlesource.com/1112117 Reviewed-by: Nicolás Peña Moreno <npm@chromium.org> Cr-Commit-Position: refs/branch-heads/3440@{#484} Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733} [modify] https://crrev.com/d749cb4862028b83aebfd9609dae66e33ddc03ac/third_party/blink/renderer/core/timing/window_performance.cc [modify] https://crrev.com/d749cb4862028b83aebfd9609dae66e33ddc03ac/third_party/blink/renderer/core/timing/window_performance_test.cc
,
Jul 23
This appears fixed. |
||||||||||||
►
Sign in to add a comment |
||||||||||||
Comment 1 by ClusterFuzz
, May 8 2018Labels: Test-Predator-Auto-Components