Issue 842471

Starred by 5 users

Issue metadata

Status: Fixed
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac
Pri: 1
Type: Bug-Regression


Null-dereference READ in cc::VideoResourceUpdater::CreateForSoftwarePlanes

Project Member Reported by ClusterFuzz, May 12 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5831366076530688

Fuzzer: ochang_media2
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  cc::VideoResourceUpdater::CreateForSoftwarePlanes
  cc::VideoResourceUpdater::CreateExternalResourcesFromVideoFrame
  cc::VideoResourceUpdater::ObtainFrameResources
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=557982:558008

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5831366076530688

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), May 12 2018

Labels: OS-Linux

Comment 2 by ClusterFuzz (Project Member), May 12 2018

Components: Internals>Compositing
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 3 by ClusterFuzz (Project Member), May 12 2018

Labels: Test-Predator-Auto-Owner
Owner: lethalantidote@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/df92bfed734a92c8f839af121218917ae599157d (cc::Surfaces for Video path handles null context_provider).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 4 by ClusterFuzz (Project Member), May 13 2018

Labels: OS-Chrome
Mergedinto: 768565
Status: Duplicate (was: Assigned)

Comment 6 by ajha@chromium.org, May 21 2018

Cc: ajha@chromium.org
Labels: -Type-Bug M-68 ReleaseBlock-Beta OS-Windows Type-Bug-Regression
Status: Assigned (was: Duplicate)
Re-opening this as there are still crashes seen for 'cc::VideoResourceUpdater::CreateForSoftwarePlanes' on the latest Windows dev: 68.0.3432.3. 135 crashes from 117 clients so far.

Link to the list of the builds with crashes:
============================================
https://crash-procella.corp.google.com/browse?q=expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27cc%3A%3AVideoResourceUpdater%3A%3ACreateForSoftwarePlanes%27+AND+product.name%3D%27Chrome%27#productversion:1000,-magicsignature:50,-magicsignature2:50,-stablesignature:50,-magicsignaturesorted:50

lethalantidote@: Could you please take a look at these crashes?

Thank you!

Comment 7 by ajha@chromium.org, May 21 2018

Labels: OS-Android
Latest Android canary version: 68.0.3434.0 has reported 22 crashes from 20 clients so far.
Status: Started (was: Assigned)
Cc: lethalantidote@chromium.org
Issue 843962 has been merged into this issue.
Your bug is tagged as Release block Beta and we are branching in 2 days. Please have a fix ASAP.
Labels: -ReleaseBlock-Beta
This is only turned on for a Finch experiment.
Issue 845486 has been merged into this issue.

Comment 13 by bugdroid1@chromium.org (Project Member), May 24 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c86905ed58620a39ecc5bb972eb599dbb8e6609f

commit c86905ed58620a39ecc5bb972eb599dbb8e6609f
Author: CJ DiMeglio <lethalantidote@chromium.org>
Date: Thu May 24 00:41:08 2018

Prevents SubmitSingleFrame while VFRP is uninitialized.

Currently, we are able to initiate a SubmitSingleFrame at any time.
This ignores two edge cases, both of which have us accessing
VideoResourceUpdater and VideoResourceProvider while they are null (which
means we never initialized VideoFrameResourceProvider (VFRP)).

Case one occurs when we call SubmitSingleFrame before we were able to
initialize VFRP the first time. The second can occur while we are
re-initializing VFRP on context loss.

Because we cannot just check if we have a context_provider to prove that
we are safe from these cases (it might be null because we are in software
compositing mode), we instead just check for the initialization.

Bug: 842471
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: If3b31ed83908668ec21fbd0d2abbd7d45d454e67
Reviewed-on: https://chromium-review.googlesource.com/1069843
Reviewed-by: Justin Novosad <junov@chromium.org>
Commit-Queue: CJ DiMeglio <lethalantidote@chromium.org>
Cr-Commit-Position: refs/heads/master@{#561340}
[modify] https://crrev.com/c86905ed58620a39ecc5bb972eb599dbb8e6609f/third_party/blink/renderer/platform/graphics/video_frame_resource_provider.h
[modify] https://crrev.com/c86905ed58620a39ecc5bb972eb599dbb8e6609f/third_party/blink/renderer/platform/graphics/video_frame_submitter.cc

Status: Fixed (was: Started)
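The guard the commit message describes, as an added C++ model that is not Chromium's code: a hypothetical VideoFrameResourceProvider whose updater is null both before first initialization and while it is being re-initialized after context loss, and whose context provider is legitimately null in software compositing, so SubmitSingleFrame must check initialization rather than the context provider. Every class, member and function body here is an assumption, not Blink's.

```cpp
#include <iostream>
#include <memory>
#include <string>

// Constructed stand-in for the GPU context. It is legitimately null in
// software compositing, so "context_provider != nullptr" is not "initialized".
struct ContextProvider {};

struct VideoResourceUpdater {
  explicit VideoResourceUpdater(ContextProvider* cp) : context_provider(cp) {}
  ContextProvider* context_provider;  // null => CreateForSoftwarePlanes path
  std::string CreateResources(const std::string& frame) const {
    return (context_provider ? "gpu:" : "software:") + frame;
  }
};

// Hypothetical VFRP: usable only between Initialize() and the next context loss.
class VideoFrameResourceProvider {
 public:
  void Initialize(ContextProvider* cp) {
    context_provider_ = cp;
    updater_ = std::make_unique<VideoResourceUpdater>(cp);
  }
  void OnContextLost() { updater_.reset(); context_provider_ = nullptr; }
  bool IsInitialized() const { return updater_ != nullptr; }
  // The guard the commit message rejects: it conflates "software mode" with
  // "not yet initialized", so it would drop every software-composited frame.
  bool RejectedGuardAllows() const { return context_provider_ != nullptr; }
  const VideoResourceUpdater* updater() const { return updater_.get(); }
 private:
  ContextProvider* context_provider_ = nullptr;
  std::unique_ptr<VideoResourceUpdater> updater_;
};

// Submit path modelled on the fix: check initialization, not the context.
// Returns the resource label, or "" when the frame is dropped instead of
// dereferencing a null updater (cases 1 and 2 of the commit message).
std::string SubmitSingleFrame(const VideoFrameResourceProvider& vfrp,
                              const std::string& frame) {
  if (!vfrp.IsInitialized()) return "";
  return vfrp.updater()->CreateResources(frame);
}

int main() {
  VideoFrameResourceProvider vfrp;
  std::cout << "[" << SubmitSingleFrame(vfrp, "f0") << "]\n";  // dropped
  vfrp.Initialize(nullptr);  // software compositing: context is null
  std::cout << SubmitSingleFrame(vfrp, "f1") << "\n";          // software:f1
  vfrp.OnContextLost();
  std::cout << "[" << SubmitSingleFrame(vfrp, "f2") << "]\n";  // dropped
}
```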

Comment 15 by ClusterFuzz (Project Member), May 24 2018

ClusterFuzz has detected this issue as fixed in range 561319:561343.

Detailed report: https://clusterfuzz.com/testcase?key=5831366076530688

Fuzzer: ochang_media2
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  cc::VideoResourceUpdater::CreateForSoftwarePlanes
  cc::VideoResourceUpdater::CreateExternalResourcesFromVideoFrame
  cc::VideoResourceUpdater::ObtainFrameResources
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=557982:558008
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=561319:561343

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5831366076530688

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.