New issue
Advanced search Search tips

Issue 848313 link

Starred by 2 users

Issue metadata

Status: Verified
Owner: ----
Closed: Jun 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



Sign in to add a comment

Direct-leak in blink::InteractiveDetector::OnLongTaskDetected

Project Member Reported by ClusterFuzz, May 31 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4593442764881920

Fuzzer: attekett_dom_fuzzer
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  blink::InteractiveDetector::OnLongTaskDetected
  blink::LongTaskDetector::DidProcessTask
  base::sequence_manager::TaskQueueManagerImpl::NotifyDidProcessTask
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=530370:530375

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4593442764881920

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, May 31 2018

Components: Blink>Loader Platform
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, May 31 2018

Labels: Test-Predator-Auto-Owner
Owner: jianli@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/a97e4b274530e17656f7d493f4eb950502311e08 (Encode Subject header correctly per RFC 2047).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by jianli@chromium.org, May 31 2018

Labels: Test-Predator-Wrong-CLs
Owner: ----
Status: Untriaged (was: Assigned)
My CL did not touch any files listed in the crash stack.
Cc: pnangunoori@chromium.org
Labels: M-67 Test-Predator-Wrong
Owner: npm@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.
Using the code search for the file, “long_task_detector.cc” assigning to concern owner from GIT blame.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/91c1b85524d974f3b9ca143f4da5695b5448f7a8

@npm -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes.
Thank You.

Comment 5 by npm@chromium.org, Jun 1 2018

Cc: dproy@chromium.org
Components: Blink>PerformanceAPIs
Owner: ----
Status: Untriaged (was: Assigned)
This is not caused by my change but the stacktrace for the direct leak is strange... +dproy@ maybe has an idea on what could be going on.

Comment 6 by dproy@google.com, Jun 1 2018

Can TimeTicks be used with PODInterval? I'm guessing TimeTicks is not a POD, but I don't know if it satisfies the requirements of PODInterval. Talking about this line: https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/loader/interactive_detector.h?l=120&rcl=e1e8576ba346bf0aba99f860853e835975dffc06

Comment 7 by npm@chromium.org, Jun 1 2018

It does say this:

// *Note* that the destructors of type T and UserData will *not* be
// called by this class. They must not allocate any memory that is
// required to be cleaned up in their destructors.

TimeTicks does need to clean up after itself, so the vector destructor is probably just destroying the PODInterval but not the TimeTicks inside it.

Comment 8 by dproy@chromium.org, Jun 1 2018

That makes sense. Do you have time to take this on? I'm guessing the solution here is to either convert the TimeTicks to double, or write our own little interval class (we don't seem to have one in base.)

Comment 9 by npm@chromium.org, Jun 1 2018

Owner: npm@chromium.org
Status: Assigned (was: Untriaged)
Ok assigning to myself.

Comment 10 by npm@chromium.org, Jun 11 2018

Cc: npm@chromium.org
Owner: ----
Status: Untriaged (was: Assigned)
Actually I think PODInterval works because it has T members low_ and high_, so the destructors should be called (not sure why the comment). The latest stacktrace does not show OnLongTaskDetected. Could we get this triaged using the new stacktrace?
Project Member

Comment 11 by ClusterFuzz, Jun 12 2018

ClusterFuzz has detected this issue as fixed in range 566300:566302.

Detailed report: https://clusterfuzz.com/testcase?key=4593442764881920

Fuzzer: attekett_dom_fuzzer
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  blink::InteractiveDetector::OnLongTaskDetected
  blink::LongTaskDetector::DidProcessTask
  base::sequence_manager::TaskQueueManagerImpl::NotifyDidProcessTask
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=530370:530375
Fixed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=566300:566302

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4593442764881920

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 12 by ClusterFuzz, Jun 12 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Untriaged)
ClusterFuzz testcase 4593442764881920 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment