Crash in blink::PersistentBase<blink::DummyGCBase, |
||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5271362382594048 Fuzzer: inferno_layout_test_fuzzer Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x7ed068a41938 Crash State: blink::PersistentBase<blink::DummyGCBase, blink::CrossThreadPersistentRegion::PrepareForThreadStateTermination blink::ThreadState::RunTerminationGC Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=558688:558690 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5271362382594048 Additional requirements: Requires HTTP Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Jun 3 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/3ca5ccfe2fcd8de7061707a7db3a9005c1d91644 (Migrate cache_storage from content/renderer to blink.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Jun 3 2018
,
Jun 3 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 3 2018
,
Jun 4 2018
,
Jun 4 2018
,
Jun 5 2018
,
Jun 7 2018
ClusterFuzz has detected this issue as fixed in range 565143:565144. Detailed report: https://clusterfuzz.com/testcase?key=5271362382594048 Fuzzer: inferno_layout_test_fuzzer Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x7ed068a41938 Crash State: blink::PersistentBase<blink::DummyGCBase, blink::CrossThreadPersistentRegion::PrepareForThreadStateTermination blink::ThreadState::RunTerminationGC Sanitizer: address (ASAN) Recommended Security Severity: Medium Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=558688:558690 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=565143:565144 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5271362382594048 Additional requirements: Requires HTTP See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 7 2018
ClusterFuzz testcase 5271362382594048 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jun 7 2018
,
Jun 7 2018
This was fixed by r565144, but I'm still planning to land a fix that clears the persistents when the context is destroyed.
,
Jun 11 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0e4bb7a66015fe0e5ef253263a586546f18c966b commit 0e4bb7a66015fe0e5ef253263a586546f18c966b Author: Lucas Furukawa Gadani <lfg@chromium.org> Date: Mon Jun 11 21:52:28 2018 CacheStorage: Drop persistents when context is destroyed. This allows for graceful worker thread termination. Bug: 849073 Change-Id: If00d77e2409067d94ec50cb476aa0a722ffbb329 Reviewed-on: https://chromium-review.googlesource.com/1089385 Commit-Queue: Lucas Gadani <lfg@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Joshua Bell <jsbell@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Commit-Position: refs/heads/master@{#566160} [modify] https://crrev.com/0e4bb7a66015fe0e5ef253263a586546f18c966b/third_party/WebKit/LayoutTests/http/tests/cachestorage/serviceworker/worker-closer.js [modify] https://crrev.com/0e4bb7a66015fe0e5ef253263a586546f18c966b/third_party/WebKit/LayoutTests/http/tests/cachestorage/serviceworker/worker-closer2.js [modify] https://crrev.com/0e4bb7a66015fe0e5ef253263a586546f18c966b/third_party/WebKit/LayoutTests/http/tests/cachestorage/worker-deleted.html [modify] https://crrev.com/0e4bb7a66015fe0e5ef253263a586546f18c966b/third_party/blink/renderer/modules/cache_storage/cache_storage.cc [modify] https://crrev.com/0e4bb7a66015fe0e5ef253263a586546f18c966b/third_party/blink/renderer/modules/cache_storage/cache_storage.h [modify] https://crrev.com/0e4bb7a66015fe0e5ef253263a586546f18c966b/third_party/blink/renderer/modules/cache_storage/global_cache_storage.cc
,
Jun 12 2018
,
Jun 18 2018
,
Jun 18 2018
This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review Please contact the milestone owner if you have questions. Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 18 2018
I didn't request a merge because the UaF was fixed by r565144, which I merged a few days ago. That said, it should still be safe to merge this one as well.
,
Jun 18 2018
Approving this merge for M68. Branch:3440
,
Jun 18 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/40b1d2e44ef870dc44f8a4b35f3140a27bfb316e commit 40b1d2e44ef870dc44f8a4b35f3140a27bfb316e Author: Lucas Furukawa Gadani <lfg@chromium.org> Date: Mon Jun 18 20:22:20 2018 CacheStorage: Drop persistents when context is destroyed. This allows for graceful worker thread termination. Bug: 849073 Change-Id: If00d77e2409067d94ec50cb476aa0a722ffbb329 Reviewed-on: https://chromium-review.googlesource.com/1089385 Commit-Queue: Lucas Gadani <lfg@chromium.org> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Reviewed-by: Joshua Bell <jsbell@chromium.org> Reviewed-by: Kentaro Hara <haraken@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#566160}(cherry picked from commit 0e4bb7a66015fe0e5ef253263a586546f18c966b) Reviewed-on: https://chromium-review.googlesource.com/1104763 Reviewed-by: Lucas Gadani <lfg@chromium.org> Cr-Commit-Position: refs/branch-heads/3440@{#413} Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733} [modify] https://crrev.com/40b1d2e44ef870dc44f8a4b35f3140a27bfb316e/third_party/WebKit/LayoutTests/http/tests/cachestorage/serviceworker/worker-closer.js [modify] https://crrev.com/40b1d2e44ef870dc44f8a4b35f3140a27bfb316e/third_party/WebKit/LayoutTests/http/tests/cachestorage/serviceworker/worker-closer2.js [modify] https://crrev.com/40b1d2e44ef870dc44f8a4b35f3140a27bfb316e/third_party/WebKit/LayoutTests/http/tests/cachestorage/worker-deleted.html [modify] https://crrev.com/40b1d2e44ef870dc44f8a4b35f3140a27bfb316e/third_party/blink/renderer/modules/cache_storage/cache_storage.cc [modify] https://crrev.com/40b1d2e44ef870dc44f8a4b35f3140a27bfb316e/third_party/blink/renderer/modules/cache_storage/cache_storage.h [modify] https://crrev.com/40b1d2e44ef870dc44f8a4b35f3140a27bfb316e/third_party/blink/renderer/modules/cache_storage/global_cache_storage.cc
,
Jun 20 2018
,
Sep 19
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||||||||||||
►
Sign in to add a comment |
||||||||||||||||||
Comment 1 by ClusterFuzz
, Jun 3 2018Labels: Test-Predator-Auto-Components