
Issue 856167

Issue metadata

Status: Duplicate
Merged: issue 850003
Owner: ----
Closed: Jun 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




SEGV_MAPERR 000000000038 in operator* /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:215:13

Reported by cdsrc2...@gmail.com, Jun 25 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Steps to reproduce the problem:
Version 69.0.3451.0 (Developer Build) (64-bit)
Version 67.0.3396.87 (Windows Release) (32-bit)
SEGV_MAPERR 000000000038 in operator* /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:215:13
1. Get new version Chrome:
   a) Build source code; configure the args.gn file as below:
        use_sanitizer_coverage = true
        is_asan = true
        is_debug = false
        enable_nacl = false
        treat_warnings_as_errors = false
      ninja -j16 -C out/chrome_asan chrome
2. python3.5m -m http.server 8605

3. a) ./chrome http://127.0.0.1:8605
   b) Click crash.html in the webpage.
   c) Repeatedly click on go back and go forward several times (repro about 5~10 times in my test).

What is the expected behavior?

What went wrong?
Received signal 11 SEGV_MAPERR 000000000038
    #0 0x55b3d8fa6c31 in __interceptor_backtrace /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3980:13
    #1 0x55b3e07ced1e in base::debug::StackTrace::StackTrace(unsigned long) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:808:41
    #2 0x55b3e07cdc6d in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:334:3
    #3 0x7fe888364390 in __funlockfile ??:?
    #4 0x7fe888364390 in ?? ??:0
    #5 0x55b3ee9e43b9 in operator* /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:215:13
    #6 0x55b3ee9e43b9 in blink::AudioNode::Handler() const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_node.cc:629:0
    #7 0x55b3eea3d6fd in blink::AudioDestinationNode::GetAudioDestinationHandler() const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_destination_node.cc:124:48
    #8 0x55b3eea0e75c in blink::BaseAudioContext::NotifyWorkletIsReady() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/base_audio_context.cc:1042:20
    #9 0x55b3eeaa0e40 in blink::AudioWorklet::NotifyGlobalScopeIsUpdated() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet.cc:40:15
    #10 0x55b3eeaa3469 in blink::AudioWorkletMessagingProxy::SynchronizeWorkletProcessorInfoList(std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator> > >) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet_messaging_proxy.cc:66:13
    #11 0x55b3eeaedadb in Invoke<void (blink::AudioWorkletMessagingProxy::*)(std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0, WTF::PartitionAllocator> > >), blink::CrossThreadPersistent<blink::AudioWorkletMessagingProxy>, std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0, WTF::PartitionAllocator> > > > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:507:12
    #12 0x55b3eeaedadb in MakeItSo<void (blink::AudioWorkletMessagingProxy::*const &)(std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0, WTF::PartitionAllocator> > >), blink::CrossThreadPersistent<blink::AudioWorkletMessagingProxy>, std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0, WTF::PartitionAllocator> > > > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:627:0
    #13 0x55b3eeaedadb in void base::internal::Invoker<base::internal::BindState<void (blink::AudioWorkletMessagingProxy::*)(std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator> > >), blink::CrossThreadWeakPersistent<blink::AudioWorkletMessagingProxy>, WTF::PassedWrapper<std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator> > > > >, void ()>::RunImpl<void (blink::AudioWorkletMessagingProxy::* const&)(std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator> > >), std::__1::tuple<blink::CrossThreadWeakPersistent<blink::AudioWorkletMessagingProxy>, WTF::PassedWrapper<std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator> > > > > const&, 0ul, 1ul>(void (blink::AudioWorkletMessagingProxy::* const&&&)(std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator> > >), std::__1::tuple<blink::CrossThreadWeakPersistent<blink::AudioWorkletMessagingProxy>, WTF::PassedWrapper<std::__1::unique_ptr<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator>, std::__1::default_delete<WTF::Vector<blink::CrossThreadAudioWorkletProcessorInfo, 0ul, WTF::PartitionAllocator> > > > > const&&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:681:0
    #14 0x55b3e91f5da6 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:136:12
    #15 0x55b3e91f5da6 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/wtf/functional.h:320:0
    #16 0x55b3e91f5da6 in blink::(anonymous namespace)::RunCrossThreadClosure(WTF::CrossThreadFunction<void ()>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/web_task_runner.cc:15:0
    #17 0x55b3e91f6c2e in Invoke<void (*)(WTF::CrossThreadFunction<void ()>), WTF::CrossThreadFunction<void ()> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:407:12
    #18 0x55b3e91f6c2e in MakeItSo<void (*)(WTF::CrossThreadFunction<void ()>), WTF::CrossThreadFunction<void ()> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:607:0
    #19 0x55b3e91f6c2e in RunImpl<void (*)(WTF::CrossThreadFunction<void ()>), std::__1::tuple<WTF::CrossThreadFunction<void ()> >, 0> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:681:0
    #20 0x55b3e91f6c2e in base::internal::Invoker<base::internal::BindState<void (*)(WTF::CrossThreadFunction<void ()>), WTF::CrossThreadFunction<void ()> >, void ()>::RunOnce(base::internal::BindStateBase*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/bind_internal.h:649:0
    #21 0x55b3e05e02d9 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
    #22 0x55b3e05e02d9 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
    #23 0x55b3df524298 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:166:21
    #24 0x55b3e05e02d9 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
    #25 0x55b3e05e02d9 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
    #26 0x55b3e063fa13 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
    #27 0x55b3e0640c90 in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:329:5
    #28 0x55b3e0640c90 in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:373:0
    #29 0x55b3e06495f0 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
    #30 0x55b3e06badc1 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:102:14
    #31 0x55b3ef526636 in content::RendererMain(content::MainFunctionParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/renderer_main.cc:218:23
    #32 0x55b3dfb7c696 in content::RunZygote(content::ContentMainDelegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:567:14
    #33 0x55b3dfb8018e in content::ContentMainRunnerImpl::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:969:10
    #34 0x55b3dfb9fc64 in service_manager::Main(service_manager::MainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../services/service_manager/embedder/main.cc:459:29
    #35 0x55b3dfb7aca8 in content::ContentMain(content::ContentMainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main.cc:19:10
    #36 0x55b3d90306f0 in ChromeMain /home/cowboy/chromium/src/out/chrome_asan_shared/../../chrome/app/chrome_main.cc:101:12
    #37 0x7fe8815c6830 in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291:0
    #38 0x55b3d8f5a02a in _start ??:0:0
  r8: 0000000000000000  r9: 00007fe876b7f0c6 r10: 00007ffd7fb4a000 r11: 0000000000000001
 r12: 00007fe876bc9360 r13: 00007fe876bc9340 r14: 00000ffd0ed79268 r15: 00007e9c94c314f8
  di: 000055b3f1953e8c  si: 0000000000000000  bp: 00007ffd80346a30  bx: 0000000000000038
  dx: 000061200027c5a8  ax: 0000000000000007  cx: 0000000000000001  sp: 00007ffd80346a20
  ip: 000055b3ee9e43b9 efl: 0000000000010246 cgf: 002b000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000038
[end of stack trace]
Calling _exit(1). Core file will not be generated.

Did this work before? N/A 

Chrome version: Version 69.0.3451.0 (Developer Build) (64-bit)  Channel: dev
OS Version: Ubuntu 16.04
Flash Version:

Attachments:
  crash.html (297 bytes)
  bit-crusher.js (1.5 KB)
  symbolised.log (10.1 KB)
  repro.mp4 (5.3 MB)
Comment 1 by ClusterFuzz (Project Member), Jun 26 2018

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4813861409259520.

Comment 2 by och...@chromium.org, Jun 26 2018

Components: Blink>WebAudio
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: (was: Unconfirmed)
CF can't reproduce this because of the "Repeatedly click on goback and goforward several times(repro about 5~10 times in my test)." step. Either way, this doesn't appear to be a security vulnerability as it's just a null deref. 
Mergedinto: 850003
Status: Duplicate
This has the same stack trace as 850003.
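The triage call in the comment above rests on one observation: the faulting address (000000000038, echoed in cr2 and bx) is a small offset from NULL, so the access hits the unmapped null page and can only crash the renderer, not corrupt memory. The following script, added here as an example and not part of the bug report or of Chromium's tooling, parses a crash excerpt in the format printed above and reproduces that classification. The sample input is a constructed excerpt whose hex values are copied from the report; it assumes the Linux default of vm.mmap_min_addr = 65536 (nothing user-controlled can be mapped below it) and that the dump's `erf`/`trp` fields carry the x86 page-fault error code and trap number, which is how I read Chromium's register dump.

```python
import re

# Constructed excerpt modelled on the crash output in this report: the signal
# line, the two frames around the faulting dereference and the register dump.
# The hex values are copied from the issue text; the choice of lines is mine.
SAMPLE_CRASH = """\
Received signal 11 SEGV_MAPERR 000000000038
    #5 0x55b3ee9e43b9 in operator* /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/memory/scoped_refptr.h:215:13
    #6 0x55b3ee9e43b9 in blink::AudioNode::Handler() const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_node.cc:629:0
  r8: 0000000000000000  r9: 00007fe876b7f0c6 r10: 00007ffd7fb4a000 r11: 0000000000000001
  di: 000055b3f1953e8c  si: 0000000000000000  bp: 00007ffd80346a30  bx: 0000000000000038
  ip: 000055b3ee9e43b9 efl: 0000000000010246 cgf: 002b000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000038
[end of stack trace]
"""

# Assumption: default Linux vm.mmap_min_addr. No user mapping can exist below
# this, so a SEGV_MAPERR at a lower address is a NULL-plus-offset dereference.
MMAP_MIN_ADDR = 0x10000
# x86 page-fault error code bit 1 is set for a write access; trap 0xe is #PF.
PF_WRITE = 1 << 1
TRAP_PAGE_FAULT = 0xE

SIGNAL_RE = re.compile(r"Received signal (\d+) (SEGV_\w+) ([0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (\S+):(\d+):\d+$", re.M)
REG_RE = re.compile(r"\b([a-z0-9]{2,3}): ([0-9a-f]{16})")


def parse_crash(text):
    """Extract signal info, symbolised frames and the register dump."""
    m = SIGNAL_RE.search(text)
    if not m:
        raise ValueError("no 'Received signal' line found")
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    frames = [
        (int(num), func, path.rsplit("/", 1)[-1], int(line))
        for num, func, path, line in FRAME_RE.findall(text)
    ]
    return {
        "signal": int(m.group(1)),
        "code": m.group(2),
        "fault_addr": int(m.group(3), 16),
        "regs": regs,
        "frames": frames,
    }


def triage(crash):
    """Classify the fault the way the comment above does: near-NULL or not."""
    addr = crash["fault_addr"]
    regs = crash["regs"]
    is_write = bool(regs.get("erf", 0) & PF_WRITE)
    is_page_fault = regs.get("trp") == TRAP_PAGE_FAULT
    # cr2 is the address the CPU faulted on; it should agree with the signal.
    consistent = regs.get("cr2", addr) == addr
    near_null = crash["code"] == "SEGV_MAPERR" and addr < MMAP_MIN_ADDR
    if near_null:
        # Reading or writing the null page cannot touch any mapped object;
        # the worst case is a renderer crash (denial of service).
        kind, severity = "null-deref", "low (crash only)"
    else:
        # A MAPERR far from NULL, or an ACCERR, may be a dangling or corrupted
        # pointer and needs a real investigation (e.g. under ASan with UAF info).
        kind, severity = "wild-access", "investigate"
    return {
        "kind": kind,
        "severity": severity,
        "offset": addr,
        "write": is_write,
        "page_fault": is_page_fault,
        "registers_consistent": consistent,
        "top_frame": crash["frames"][0] if crash["frames"] else None,
    }


def summarize(crash):
    """One-line verdict suitable for a triage comment."""
    v = triage(crash)
    access = "write to" if v["write"] else "read of"
    where = ""
    if v["top_frame"]:
        _, func, fname, line = v["top_frame"]
        where = f" in {func} ({fname}:{line})"
    return (f"{v['kind']}: {access} unmapped address 0x{v['offset']:x}"
            f" (offset {v['offset']} from NULL){where}; severity {v['severity']}")


if __name__ == "__main__":
    print(summarize(parse_crash(SAMPLE_CRASH)))
```

Running the script on the excerpt reports a read of offset 56 (0x38) from NULL in operator* (scoped_refptr.h:215) with a low severity, matching the "just a null deref" verdict. The same address appearing in `bx` is consistent with the code having loaded the null object pointer into a register and then faulting while reading a member at that offset; a fault address above the mmap floor would instead be flagged for investigation.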

Comment 4 Deleted
