Null-dereference READ in content::SessionStorageContextMojo::OpenSessionStorage
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6715691970068480
Fuzzer: mojo_fuzzer
Job Type: linux_asan_chrome_mojo
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  content::SessionStorageContextMojo::OpenSessionStorage
  base::internal::Invoker<base::internal::BindState<void
  base::debug::TaskAnnotator::RunTask
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mojo&range=563168:563169
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6715691970068480

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Jun 4 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/1bd58466eab023e8c734d1e63bd997daed4b3e30 ([SessionStorageS13N] Enabling mojo SessionStorage by default). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jun 5 2018
ClusterFuzz has detected this issue as fixed in range 563678:563692.

Detailed report: https://clusterfuzz.com/testcase?key=6715691970068480
Fuzzer: mojo_fuzzer
Job Type: linux_asan_chrome_mojo
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  content::SessionStorageContextMojo::OpenSessionStorage
  base::internal::Invoker<base::internal::BindState<void
  base::debug::TaskAnnotator::RunTask
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mojo&range=563168:563169
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mojo&range=563678:563692
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6715691970068480

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 5 2018
ClusterFuzz testcase 6715691970068480 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 5 2018
Not so much clusterfuzz being wrong, but the only reason it thinks it is fixed is because the feature got disabled. The actual null-dereference should still be fixed before turning the flag back on.
Jun 15 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e08dfef2a3de2369a90cea01ff014d0170d19bab

commit e08dfef2a3de2369a90cea01ff014d0170d19bab
Author: Daniel Murphy <dmurph@chromium.org>
Date: Fri Jun 15 21:56:36 2018

[SessionStorageS13N] Fixed purging and cloning.

Purging will no longer infinitely loop when there are areas & namespaces that are still bound, and cloning a session storage namespace from browser commands will clone immediately and not wait for a 'clone' from the renderer (which never comes). Opening areas after purging also re-opens the correct storage area, instead of opening a new storage area.

Bug: 848694, 848980, 849400
Change-Id: I63790d26efe9fad871e9127ef129c772848e7e56
Reviewed-on: https://chromium-review.googlesource.com/1098154
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Commit-Queue: Daniel Murphy <dmurph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#567805}

[modify] https://crrev.com/e08dfef2a3de2369a90cea01ff014d0170d19bab/content/browser/dom_storage/session_storage_context_mojo.cc
[modify] https://crrev.com/e08dfef2a3de2369a90cea01ff014d0170d19bab/content/browser/dom_storage/session_storage_context_mojo.h
[modify] https://crrev.com/e08dfef2a3de2369a90cea01ff014d0170d19bab/content/browser/dom_storage/session_storage_context_mojo_unittest.cc
[modify] https://crrev.com/e08dfef2a3de2369a90cea01ff014d0170d19bab/content/browser/dom_storage/session_storage_metadata.cc
[modify] https://crrev.com/e08dfef2a3de2369a90cea01ff014d0170d19bab/content/browser/dom_storage/session_storage_namespace_impl.cc
[modify] https://crrev.com/e08dfef2a3de2369a90cea01ff014d0170d19bab/content/browser/dom_storage/session_storage_namespace_impl.h
[modify] https://crrev.com/e08dfef2a3de2369a90cea01ff014d0170d19bab/content/browser/dom_storage/session_storage_namespace_impl_mojo.cc
[modify] https://crrev.com/e08dfef2a3de2369a90cea01ff014d0170d19bab/content/browser/dom_storage/session_storage_namespace_impl_mojo.h
[modify] https://crrev.com/e08dfef2a3de2369a90cea01ff014d0170d19bab/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/e08dfef2a3de2369a90cea01ff014d0170d19bab/third_party/WebKit/LayoutTests/FlagExpectations/site-per-process
Jul 3
Comment 1 by ClusterFuzz, Jun 4 2018. Labels: Test-Predator-Auto-Components