Issue metadata
SEGV_MAPERR 000000000038 in operator* /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:215:13
Reported by cdsrc2...@gmail.com, Jun 25 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36
Steps to reproduce the problem:
Version 69.0.3451.0 (Developer Build) (64-bit)
Version 67.0.3396.87 (Windows Release) (32-bit)
SEGV_MAPERR 000000000038 in operator* /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:215:13
1. Get the new version of Chrome:
a) Build the source code, with the args.gn file configured as below:
use_sanitizer_coverage = true
is_asan = true
is_debug = false
enable_nacl = false
treat_warnings_as_errors = false
ninja -j16 -C out/chrome_asan chrome
2. python3.5m -m http.server 8605
3.
a) ./chrome http://127.0.0.1:8605
b) Click crash.html in the webpage.
c) Repeatedly click on go back and go forward several times (repro about 5~10 times in my test).
What is the expected behavior?
What went wrong?
Received signal 11 SEGV_MAPERR 000000000038
#0 0x55b3d8fa6c31 in __interceptor_backtrace /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3980:13
#1 0x55b3e07ced1e in base::debug::StackTrace::StackTrace(unsigned long) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:808:41
#2 0x55b3e07cdc6d in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:334:3
#3 0x7fe888364390 in __funlockfile ??:?
#4 0x7fe888364390 in ?? ??:0
#5 0x55b3ee9e43b9 in operator* /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:215:13
#6 0x55b3ee9e43b9 in blink::AudioNode::Handler() const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_node.cc:629:0
#7 0x55b3eea3d6fd in blink::AudioDestinationNode::GetAudioDestinationHandler() const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_destination_node.cc:124:48
#8 0x55b3eea0e75c in blink::BaseAudioContext::NotifyWorkletIsReady() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/base_audio_context.cc:1042:20
#9 0x55b3eeaa0e40 in blink::AudioWorklet::NotifyGlobalScopeIsUpdated() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet.cc:40:15
#10 0x55b3eeaa3469 in blink::AudioWorkletMessagingProxy::SynchronizeWorkletProcessorInfoList(std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator> > >) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet_messaging_proxy.cc:66:13
#11 0x55b3eeaedadb in Invoke<void (blink::AudioWorkletMessagingProxy::*)(std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0, WTF::PartitionAllocator> > >), blink::CrossThreadPersistent<blink::AudioWorkletMessagingProxy>, std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0, WTF::PartitionAllocator> > > > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:507:12
#12 0x55b3eeaedadb in MakeItSo<void (blink::AudioWorkletMessagingProxy::*const &)(std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0, WTF::PartitionAllocator> > >), blink::CrossThreadPersistent<blink::AudioWorkletMessagingProxy>, std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0, WTF::PartitionAllocator> > > > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:627:0
#13 0x55b3eeaedadb in void base::internal::Invoker<base::internal::BindState<void (blink::AudioWorkletMessagingProxy::*)(std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator> > >), blink::CrossThreadWeakPersistent<blink::AudioWorkletMessagingProxy>, WTF::PassedWrapper<std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator> > > > >, void ()>::RunImpl<void (blink::AudioWorkletMessagingProxy::* const&)(std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator> > >), std::__1::tuple<blink::CrossThreadWeakPersistent<blink::AudioWorkletMessagingProxy>, WTF::PassedWrapper<std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator> > > > > const&, 0ul, 1ul>(void (blink::AudioWorkletMessagingProxy::* const&&&)(std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator> > >), std::__1::tuple<blink::CrossThreadWeakPersistent<blink::AudioWorkletMessagingProxy>, WTF::PassedWrapper<std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator> > > > > const&&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:681:0
#14 0x55b3e91f5da6 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:136:12
#15 0x55b3e91f5da6 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/wtf/functional.h:320:0
#16 0x55b3e91f5da6 in blink::(anonymous namespace)::RunCrossThreadClosure(WTF::CrossThreadFunction<void ()>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/web_task_runner.cc:15:0
#17 0x55b3e91f6c2e in Invoke<void (*)(WTF::CrossThreadFunction<void ()>), WTF::CrossThreadFunction<void ()> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:407:12
#18 0x55b3e91f6c2e in MakeItSo<void (*)(WTF::CrossThreadFunction<void ()>), WTF::CrossThreadFunction<void ()> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:607:0
#19 0x55b3e91f6c2e in RunImpl<void (*)(WTF::CrossThreadFunction<void ()>), std::__1::tuple<WTF::CrossThreadFunction<void ()> >, 0> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:681:0
#20 0x55b3e91f6c2e in base::internal::Invoker<base::internal::BindState<void (*)(WTF::CrossThreadFunction<void ()>), WTF::CrossThreadFunction<void ()> >, void ()>::RunOnce(base::internal::BindStateBase*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:649:0
#21 0x55b3e05e02d9 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
#22 0x55b3e05e02d9 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#23 0x55b3df524298 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:166:21
#24 0x55b3e05e02d9 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
#25 0x55b3e05e02d9 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#26 0x55b3e063fa13 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
#27 0x55b3e0640c90 in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:329:5
#28 0x55b3e0640c90 in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:373:0
#29 0x55b3e06495f0 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
#30 0x55b3e06badc1 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:102:14
#31 0x55b3ef526636 in content::RendererMain(content::MainFunctionParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/renderer_main.cc:218:23
#32 0x55b3dfb7c696 in content::RunZygote(content::ContentMainDelegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:567:14
#33 0x55b3dfb8018e in content::ContentMainRunnerImpl::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:969:10
#34 0x55b3dfb9fc64 in service_manager::Main(service_manager::MainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../services/service_manager/embedder/main.cc:459:29
#35 0x55b3dfb7aca8 in content::ContentMain(content::ContentMainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main.cc:19:10
#36 0x55b3d90306f0 in ChromeMain /home/cowboy/chromium/src/out/chrome_asan_shared/../../chrome/app/chrome_main.cc:101:12
#37 0x7fe8815c6830 in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291:0
#38 0x55b3d8f5a02a in _start ??:0:0
r8: 0000000000000000 r9: 00007fe876b7f0c6 r10: 00007ffd7fb4a000 r11: 0000000000000001
r12: 00007fe876bc9360 r13: 00007fe876bc9340 r14: 00000ffd0ed79268 r15: 00007e9c94c314f8
di: 000055b3f1953e8c si: 0000000000000000 bp: 00007ffd80346a30 bx: 0000000000000038
dx: 000061200027c5a8 ax: 0000000000000007 cx: 0000000000000001 sp: 00007ffd80346a20
ip: 000055b3ee9e43b9 efl: 0000000000010246 cgf: 002b000000000033 erf: 0000000000000004
trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000038
[end of stack trace]
Calling _exit(1). Core file will not be generated.
Did this work before? N/A
Chrome version: Version 69.0.3451.0 (Developer Build) (64-bit) Channel: dev
OS Version: Ubuntu 16.04
Flash Version:
Jun 26 2018
CF can't reproduce this because of the "Repeatedly click on goback and goforward several times(repro about 5~10 times in my test)." step. Either way, this doesn't appear to be a security vulnerability as it's just a null deref.
Jun 29 2018
Comment 1 by ClusterFuzz, Jun 26 2018
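A small triage helper, added here as an example and not part of the bug report or of Chromium's own tooling: it parses the base::debug::StackTrace signal-handler output shown above (the "Received signal" header, the numbered frames and the register dump), skips the frames that belong to the crash-reporting machinery, and classifies the fault the way the Jun 26 comment does, as a near-null dereference when a SEGV_MAPERR fault address is below a small threshold. The threshold NULL_PAGE_LIMIT (0x10000), the NOISE_MARKERS list and the fallback to cr2 are assumptions of this example; the sample input is copied from the trace above with frames #7 onward dropped.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the signal header, the top frames and part of the
# register dump copied from the report above (frames #7 onward omitted).
SAMPLE_CRASH = """\
Received signal 11 SEGV_MAPERR 000000000038
#0 0x55b3d8fa6c31 in __interceptor_backtrace /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3980:13
#1 0x55b3e07ced1e in base::debug::StackTrace::StackTrace(unsigned long) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:808:41
#2 0x55b3e07cdc6d in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:334:3
#3 0x7fe888364390 in __funlockfile ??:?
#4 0x7fe888364390 in ?? ??:0
#5 0x55b3ee9e43b9 in operator* /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:215:13
#6 0x55b3ee9e43b9 in blink::AudioNode::Handler() const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_node.cc:629:0
bx: 0000000000000038
ip: 000055b3ee9e43b9 efl: 0000000000010246 cgf: 002b000000000033 erf: 0000000000000004
trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000038
[end of stack trace]
"""

SIGNAL_RE = re.compile(r"^Received signal (\d+)(?:\s+(\S+))?(?:\s+([0-9a-fA-F]+))?")
FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-fA-F]+)\s+in\s+(.*?)\s+(\S+)$")
REG_RE = re.compile(r"\b([a-z0-9]{2,3}): ([0-9a-fA-F]{16})\b")

# Assumption: frames whose function contains one of these belong to the
# signal handler / sanitizer plumbing, not to the code that crashed.
NOISE_MARKERS = ("__interceptor_", "__sanitizer", "base::debug::StackTrace",
                 "StackDumpSignalHandler", "__funlockfile", "__restore_rt", "??")

# Assumption: a fault address below this is read as NULL plus a field offset.
# Linux refuses to map the lowest pages (vm.mmap_min_addr, commonly 64 KiB).
NULL_PAGE_LIMIT = 0x10000


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    location: str


@dataclass
class CrashSummary:
    signal: int
    code: Optional[str]
    fault_addr: Optional[int]
    classification: str
    crash_frame: Optional[Frame]
    registers: Dict[str, int] = field(default_factory=dict)
    frames: List[Frame] = field(default_factory=list)


def classify_fault(code: Optional[str], fault_addr: Optional[int]) -> str:
    """Coarse triage of a SIGSEGV from its si_code name and fault address."""
    if fault_addr is None:
        return "unknown (no fault address)"
    if code == "SEGV_MAPERR" and fault_addr < NULL_PAGE_LIMIT:
        return "null-deref (NULL + 0x%x)" % fault_addr
    if code == "SEGV_ACCERR":
        return "access violation on a mapped page (needs investigation)"
    return "unmapped address (needs investigation)"


def summarize_crash(text: str) -> CrashSummary:
    """Parse a base::debug::StackTrace crash dump into a CrashSummary."""
    signal = code = fault_addr = None
    frames: List[Frame] = []
    registers: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        m = SIGNAL_RE.match(line)
        if m:
            signal = int(m.group(1))
            code = m.group(2)
            fault_addr = int(m.group(3), 16) if m.group(3) else None
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4)))
            continue
        for name, value in REG_RE.findall(line):
            registers[name] = int(value, 16)
    if signal is None:
        raise ValueError("no 'Received signal' header found")
    # On x86 cr2 holds the faulting address; fall back to it if the header had none.
    if fault_addr is None and "cr2" in registers:
        fault_addr = registers["cr2"]
    # First frame that is not reporting machinery is where the fault happened.
    crash_frame = next((f for f in frames if not any(n in f.function for n in NOISE_MARKERS)), None)
    return CrashSummary(signal, code, fault_addr, classify_fault(code, fault_addr),
                        crash_frame, registers, frames)


if __name__ == "__main__":
    s = summarize_crash(SAMPLE_CRASH)
    print("signal %d %s fault=0x%x -> %s" % (s.signal, s.code, s.fault_addr, s.classification))
    print("crashing frame: #%d %s at %s" % (s.crash_frame.index, s.crash_frame.function, s.crash_frame.location))
```

For this report the fault address 0x38 equals cr2 and rbx, i.e. a read of a field at offset 0x38 through a null pointer, which is why the comment treats it as a non-security crash; the same helper would flag a large or SEGV_ACCERR fault address for closer inspection instead.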