Issue metadata
get SEGV_MAPERR 000000000008 in polymorphic_invoke
Reported by cdsrc2...@gmail.com, May 14 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.170 Safari/537.36
Steps to reproduce the problem:
Version 68.0.3430.0 (Developer Build) (64-bit)
ubuntu version: 16.04
get SEGV_MAPERR 000000000008 in polymorphic_invoke
1. Get new version chrome:
a) Build source code
config args.gn file as below:
use_sanitizer_coverage = true
is_asan = true
is_debug = false
enable_nacl = false
treat_warnings_as_errors = false
ninja -j16 -C out/chrome_asan chrome
2. ./chrome minimize.html
or
./chrome original.html
3. Close the browser immediately.
4. get sig11 000000000008
What is the expected behavior?
What went wrong?
minimized poc:
<video controls="controls">
<source src="zzz" type="video/mp4">
</video>
The minimized PoC is less stable than the original sample, and it can be reproduced locally, so ignore the accessed resource files.
crash log:
Received signal 11 SEGV_MAPERR 000000000008
#0 0x562863d66671 in __interceptor_backtrace /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3980:13
#1 0x56286b3b314e in base::debug::StackTrace::StackTrace(unsigned long) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:808:41
#2 0x56286b3b209d in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:334:3
#3 0x7fc8c173b390 in __funlockfile ??:?
#4 0x7fc8c173b390 in ?? ??:0
#5 0x562877f560a7 in polymorphic_invoke /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback_internal.h:144:25
#6 0x562877f560a7 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:124:0
#7 0x562877f560a7 in blink::VideoFrameSubmitter::OnContextLost() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/graphics/video_frame_submitter.cc:238:0
#8 0x562865c6ac15 in ui::ContextProviderCommandBuffer::OnLostContext() /home/cowboy/chromium/src/out/chrome_asan_shared/../../services/ui/public/cpp/gpu/context_provider_command_buffer.cc:499:14
#9 0x56286e280aa7 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
#10 0x56286e280aa7 in OnGpuControlLostContext /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/command_buffer/client/gles2_implementation.cc:324:0
#11 0x56286e280aa7 in non-virtual thunk to gpu::gles2::GLES2Implementation::OnGpuControlLostContext() /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/command_buffer/client/gles2_implementation.cc:0:0
#12 0x562865838de9 in OnGpuAsyncMessageError /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/ipc/client/command_buffer_proxy_impl.cc:867:3
#13 0x562865838de9 in gpu::CommandBufferProxyImpl::OnChannelError() /home/cowboy/chromium/src/out/chrome_asan_shared/../../gpu/ipc/client/command_buffer_proxy_impl.cc:190:0
#14 0x56286b1b1d19 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
#15 0x56286b1b1d19 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#16 0x56286b2121d3 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
#17 0x56286b213450 in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:329:5
#18 0x56286b213450 in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:373:0
#19 0x56286b21bbc0 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
#20 0x56286b28c7a1 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:131:14
#21 0x56286b30fd01 in base::Thread::ThreadMain() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/threading/thread.cc:337:3
#22 0x56286b3e1a21 in base::(anonymous namespace)::ThreadFunc(void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/threading/platform_thread_posix.cc:76:13
#23 0x7fc8c17316ba in start_thread ??:0:0
#24 0x7fc8baa8241d in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109:0
r8: 00007fc896946000 r9: 00007fc896944fbd r10: 0000000000000070 r11: 0000000000000001
r12: 00007fc896c41d00 r13: 00006110002528c0 r14: 00007fc896c41d00 r15: 00000ff912d883a0
di: 0000000000000000 si: ffffffffffffffff bp: 00007fc897c455b0 bx: 00007fc897c45520
dx: 0000562877f56071 ax: 0000000000000008 cx: 0000000000000001 sp: 00007fc897c45520
ip: 0000562877f560a7 efl: 0000000000010246 cgf: 002b000000000033 erf: 0000000000000004
trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000008
[end of stack trace]
Calling _exit(1). Core file will not be generated.
Did this work before? N/A
Chrome version: Version 68.0.3430.0 (Developer Build) (64-bit) Channel: dev
OS Version: Ubuntu 16.04
Flash Version:
May 14 2018
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4813778668224512.
May 14 2018
Thank you for the report. This is just a null dereference (no security implications), and it was caught by ClusterFuzz before.
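As an added example (not part of this report or of Chromium), a small Python triage helper that parses the crash-log format shown above, skips the sanitizer and signal-handler frames to find the first frame that belongs to the bug (polymorphic_invoke), and flags a SEGV_MAPERR on an address inside the first page as a near-null dereference, which is the basis for the "no security implications" call. The sample log is an abbreviated copy of the one in this report; NOISE, PAGE and the function names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, abbreviated from the crash log in this report
# (paths shortened to "..."; signal line, frame numbers and registers as posted).
SAMPLE_LOG = """\
Received signal 11 SEGV_MAPERR 000000000008
#0 0x562863d66671 in __interceptor_backtrace .../sanitizer_common_interceptors.inc:3980:13
#2 0x56286b3b209d in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) .../stack_trace_posix.cc:334:3
#4 0x7fc8c173b390 in ?? ??:0
#5 0x562877f560a7 in polymorphic_invoke .../base/callback_internal.h:144:25
#7 0x562877f560a7 in blink::VideoFrameSubmitter::OnContextLost() .../video_frame_submitter.cc:238:0
ax: 0000000000000008 cx: 0000000000000001 sp: 00007fc897c45520
trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000008
"""
SIGNAL_RE = re.compile(r"Received signal (\d+) (\w+) ([0-9a-f]+)")
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-f]+ in (.*) (\S+)$")
REG_RE = re.compile(r"\b([a-z0-9]{2,3}): ([0-9a-f]{16})\b")
# Frames that belong to the signal handler and sanitizer, not to the bug itself (assumed list).
NOISE = ("__interceptor_", "StackTrace", "StackDumpSignalHandler", "__funlockfile", "??")
PAGE = 0x1000  # the first page is never mapped on Linux x86-64

@dataclass
class Triage:
    code: str                 # e.g. SEGV_MAPERR
    fault_addr: int           # address from the 'Received signal' line
    registers: dict = field(default_factory=dict)
    frames: list = field(default_factory=list)   # (index, func, location)

    def first_real_frame(self):
        """First frame outside the crash-reporting machinery (here: polymorphic_invoke)."""
        return next((f for f in self.frames if not any(n in f[1] for n in NOISE)), None)

    def near_null(self) -> bool:
        """SEGV_MAPERR inside the first page: null pointer plus a small field offset (here 8)."""
        cr2 = self.registers.get("cr2", self.fault_addr)
        return self.code == "SEGV_MAPERR" and self.fault_addr < PAGE and cr2 == self.fault_addr

def triage(log: str) -> Triage:
    """Parse a Chromium/ASan crash log into the fields a triager looks at first."""
    m = SIGNAL_RE.search(log)
    assert m, "no 'Received signal' line in log"
    t = Triage(code=m.group(2), fault_addr=int(m.group(3), 16))
    for line in log.splitlines():
        f = FRAME_RE.match(line)
        if f:
            t.frames.append((int(f.group(1)), f.group(2), f.group(3)))
        for reg, val in REG_RE.findall(line):
            t.registers[reg] = int(val, 16)
    return t
```

A fault address that falls outside the first page (for example a heap or stack address) is not flagged, so such a crash stays in the queue for manual review.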
Comment 1 by cdsrc2...@gmail.com, May 14 2018