
Issue 856193


Issue metadata

Status: Started
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




signal 11 SEGV_MAPERR 000000000058 in operator blink::FrameClient * /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/heap/member.h:88:32

Reported by cdsrc2...@gmail.com, Jun 25 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36

Steps to reproduce the problem:
Version 69.0.3451.0 (Developer Build) (64-bit)
signal 11 SEGV_MAPERR 000000000058 in operator blink::FrameClient * /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/heap/member.h:88:32
1. Get new version chrome:
   a) Build source code
      config args.gn file as below:
        use_sanitizer_coverage = true
        is_asan = true
        is_debug = false
        enable_nacl = false
        treat_warnings_as_errors = false
      ninja -j16 -C out/chrome_asan chrome
2. python3.5m -m http.server 8605

3. ./chrome http://127.0.0.1:8605 ./crash.html

What is the expected behavior?

What went wrong?
Received signal 11 SEGV_MAPERR 000000000058

    #0 0x56179236bc31 in __interceptor_backtrace /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:3980:13
    #1 0x561799b93d1e in base::debug::StackTrace::StackTrace(unsigned long) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:808:41
    #2 0x561799b92c6d in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:334:3
    #3 0x7fd0a24da390 in __funlockfile ??:?
    #4 0x7fd0a24da390 in ?? ??:0
    #5 0x5617a42628f9 in operator blink::FrameClient * /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/heap/member.h:88:32
    #6 0x5617a42628f9 in Client /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/frame/frame.h:302:0
    #7 0x5617a42628f9 in blink::LocalFrame::Client() const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/frame/local_frame.cc:1210:0
    #8 0x5617a7eb4410 in blink::ThreadedWorkletMessagingProxy::Initialize(blink::WorkerClients*, blink::WorkletModuleResponsesMap*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/workers/threaded_worklet_messaging_proxy.cc:52:29
    #9 0x5617a7e661a2 in blink::AudioWorklet::CreateGlobalScope() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/modules/webaudio/audio_worklet.cc:82:10
    #10 0x5617a5d8bae9 in blink::Worklet::FetchAndInvokeScript(blink::KURL const&, blink::WorkletOptions const&, blink::WorkletPendingTasks*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/workers/worklet.cc:145:24
    #11 0x5617999a52d9 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
    #12 0x5617999a52d9 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
    #13 0x5617988e9298 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:166:21
    #14 0x5617999a52d9 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:96:12
    #15 0x5617999a52d9 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
    #16 0x561799a04a13 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
    #17 0x561799a05c90 in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:329:5
    #18 0x561799a05c90 in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:373:0
    #19 0x561799a0e5f0 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
    #20 0x561799a7fdc1 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:102:14
    #21 0x5617a88eb636 in content::RendererMain(content::MainFunctionParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/renderer_main.cc:218:23
    #22 0x561798f41696 in content::RunZygote(content::ContentMainDelegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:567:14
    #23 0x561798f4518e in content::ContentMainRunnerImpl::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:969:10
    #24 0x561798f64c64 in service_manager::Main(service_manager::MainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../services/service_manager/embedder/main.cc:459:29
    #25 0x561798f3fca8 in content::ContentMain(content::ContentMainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main.cc:19:10
    #26 0x5617923f56f0 in ChromeMain /home/cowboy/chromium/src/out/chrome_asan_shared/../../chrome/app/chrome_main.cc:101:12
    #27 0x7fd09b73c830 in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291:0
    #28 0x56179231f02a in _start ??:0:0
  r8: 0000000000000000  r9: 00007fd090cf5245 r10: 00007ffd523e0000 r11: 0000000000000201
 r12: 00000ffa92237400 r13: 00000fd25e4844ec r14: 00007ee689b2db70 r15: 00007e92f2422760
  di: 00005617aacce334  si: 00000000000000f5  bp: 00007ffd52bdd650  bx: 0000000000000058
  dx: 00000fdcd138620f  ax: 000000000000000b  cx: 00007e92f2422550  sp: 00007ffd52bdd640
  ip: 00005617a42628f9 efl: 0000000000010246 cgf: 002b000000000033 erf: 0000000000000004
 trp: 000000000000000e msk: 0000000000000000 cr2: 0000000000000058
[end of stack trace]
Calling _exit(1). Core file will not be generated.

Did this work before? N/A 

Chrome version: Version 69.0.3451.0 (Developer Build) (64-bit)  Channel: dev
OS Version: Ubuntu16.04
Flash Version:
 
Attachments: crash.html (879 bytes), bit-crusher.js (1.5 KB), 1.xhtml (750 bytes), f.wasm (76 bytes), symbolised.log (5.2 KB)

Comment 1 by cdsrc2...@gmail.com, Jun 25 2018

Do not use crash.html, use crash2.html instead.
Attachment: crash2.html (788 bytes)

Comment 2 by ClusterFuzz, Jun 26 2018

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5745321435725824.

Comment 3 by ClusterFuzz, Jun 26 2018

Labels: Security_Impact-Head
Detailed report: https://clusterfuzz.com/testcase?key=5745321435725824

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000058
Crash State:
  blink::LocalFrame::Client
  blink::ThreadedWorkletMessagingProxy::Initialize
  blink::AudioWorklet::CreateGlobalScope
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5745321435725824

Additional requirements: Requires HTTP

See https://github.com/google/clusterfuzz-tools for more information.

Comment 4 by ClusterFuzz, Jun 26 2018

Components: Blink>Internals Blink>Workers
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 5 by och...@chromium.org, Jun 26 2018

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Impact-Head Type-Bug
Removing security labels, as this seems to only be a null deref.
Labels: Needs-Triage-M67

Comment 7 by bashi@chromium.org, Jun 29 2018

Owner: nhiroki@chromium.org
Status: Assigned (was: Unconfirmed)
nhiroki@: could you take a look?
Components: -Blink>Internals Blink>WebAudio
Status: Started (was: Assigned)
cc: hongchan@ and rtoy@ because this happens on audio worklets
Cc: rtoy@chromium.org hongchan@chromium.org
Cc: haraken@chromium.org
Apparently, LocalFrame::Client() returns nullptr even if ExecutionContext is still valid.

Worklet::FetchAndInvokeScript()  // "Worklet" class is ContextLifecycleObserver and checks if GetExecutionContext() returns a valid context.
  AudioWorklet::CreateGlobalScope()
    ThreadedWorkletMessagingProxy::Initialize()
      LocalFrame::Client()  // This crash happens here because of null Client access.

This looks strange because the client is nullified in LocalFrame::Detach(), which is called almost immediately after ExecutionContext::ContextDestroyed().
I cannot reproduce this on my local env (Linux) using cluster-fuzz's reproduce tool...
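The call chain above, as an added C++ sketch that is not Chromium code: the hypothetical LocalFrame, FrameClient, InitializeUnchecked and InitializeChecked stand in for the Blink classes named in the stack, and show why a check that only covers ExecutionContext validity does not protect against a frame whose client has already been nulled by Detach(), next to a variant that bails out on a null client.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical stand-ins for blink::FrameClient / blink::LocalFrame (not Chromium code).
struct FrameClient {
    std::string name = "client";
};

struct LocalFrame {
    FrameClient* client;        // Nulled by Detach(), as the comment above describes.
    bool context_valid = true;  // Cleared by ContextDestroyed(); this is what the Worklet observer checks.
    explicit LocalFrame(FrameClient* c) : client(c) {}
    FrameClient* Client() const { return client; }
    void ContextDestroyed() { context_valid = false; }
    void Detach() { client = nullptr; }
};

enum class Outcome { kInitialized, kSkippedNoContext, kSkippedNoClient, kNullDeref };

// Mirrors the reported path: the ExecutionContext check passes, then Client() is used unconditionally.
// A real dereference of a null client reads a member at a small offset from address 0 (the report
// shows 0x58), which is the SEGV_MAPERR in the stack above; here it is reported as kNullDeref instead.
Outcome InitializeUnchecked(const LocalFrame& frame) {
    if (!frame.context_valid) return Outcome::kSkippedNoContext;
    FrameClient* client = frame.Client();
    if (client == nullptr) return Outcome::kNullDeref;  // Stands in for the crash.
    (void)client->name;
    return Outcome::kInitialized;
}

// Hardened variant: a detached frame (null client) is treated like a destroyed context and skipped.
Outcome InitializeChecked(const LocalFrame& frame) {
    if (!frame.context_valid) return Outcome::kSkippedNoContext;
    FrameClient* client = frame.Client();
    if (client == nullptr) return Outcome::kSkippedNoClient;
    (void)client->name;
    return Outcome::kInitialized;
}

// Reproduces the window the comment calls strange: Detach() has run, ContextDestroyed() has not.
int main() {
    FrameClient c;
    LocalFrame frame(&c);
    frame.Detach();
    std::cout << "unchecked: " << static_cast<int>(InitializeUnchecked(frame)) << "\n"
              << "checked:   " << static_cast<int>(InitializeChecked(frame)) << "\n";
    return 0;
}
```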
