Crash in base::NativeStackSamplerMac::GetInternalModule
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5768726692233216

Fuzzer: ifratric_pdf_generic
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000138b915f8
Crash State:
  base::NativeStackSamplerMac::GetInternalModule
  bool base::NativeStackSamplerMac::WalkStackFromContext<base::NativeStackSamplerM
  base::NativeStackSamplerMac::RecordStackFrames

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5768726692233216

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
Jul 6
Jul 9
Max or Oliver, is this report valid? This is a PDF fuzzer but there are no methods in the call stacks relating to PDF processing. I'm not clear on how to triage this.
Jul 9
Looks like this is an easy-to-reach Chrome crash that is being hit by many different fuzzers, and the pdf one just inadvertently happens to be one of them.
Jul 10
chengx@: It looks like you have been landing patches in the area where this crash is occurring. PTAL? It does not reproduce reliably but its frequency in Clusterfuzz reports suggests that we should see if we can get somewhere from the stack trace.
Jul 10
Mike, could you please take a look? I am OOO.
Jul 10
This is crashing trying to read from the Mach-O header of a dylib successfully returned from the OS by dladdr, so I'm not sure what could be going wrong here within the client code. We don't see any instances of this crash in the wild.

Several questions:

How does ASAN recognize newly-loaded dylibs as readable memory regions? Perhaps there is a race between that mechanism and the header reads done by the sampling profiler.

Can we get a minidump for this crash? I'd like to understand which module (if any) we're trying to read the header from.

When did we first start seeing these crashes in Clusterfuzz?
Jul 11
Jul 17
> How does ASAN recognize newly-loaded dylibs as readable memory regions? Perhaps there is a race between that mechanism and the header reads done by the sampling profiler.

Kostya, can anyone on your team answer this question? Also, the top frame is "#0 0x10ab57ea2 in __sanitizer_cov_trace_pc_guard" which is a little weird.

> Can we get a minidump for this crash? I'd like to understand which module (if any) we're trying to read the header from.

Unfortunately no, we don't collect minidumps for mac.

> When did we first start seeing these crashes in Clusterfuzz?

Looks like these started happening around June 22/23.
Jul 17
Also, the issue doesn't seem to happen anymore since July 13th... I think we can WontFix this because of that, but still interesting to know an answer for c#9.
Jul 23
WontFix, per comment 10.
Oct 30
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jul 6
Labels: Test-Predator-Auto-Components