Issue 861627

Issue metadata

Status: Verified
Closed: Jul 11
OS: Linux
Pri: 1
Type: Bug

Null-dereference READ in blink::Frame::GetChromeClient

Reported by ClusterFuzz (Project Member), Jul 9

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6461441868300288

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  blink::Frame::GetChromeClient
  blink::WindowPerformance::RegisterEventTiming
  blink::EventTiming::DidDispatchEvent
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6461441868300288

Additional requirements: Requires HTTP

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: kkaluri@chromium.org
Components: Blink>HTML>Frame
Labels: M-68 Test-Predator-Wrong
Owner: npm@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.

Using Code Search on the file "window_performance.cc", I suspect the CL below might have caused this issue.

Suspect CL: https://chromium.googlesource.com/chromium/src/+/05a8dcc9f9b94cbade61024e5d1c130737f666a7

npm@ -- Could you please check whether this is caused by your change? If not, please help us assign it to the right owner.

Thanks!

Components: Blink>PerformanceAPIs
Comment 3 by bugdroid1@chromium.org (Project Member), Jul 10

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3641b5fb4b522a40423e8eaaebdd0150d316f44b

commit 3641b5fb4b522a40423e8eaaebdd0150d316f44b
Author: Nicolas Pena <npm@chromium.org>
Date: Tue Jul 10 16:41:53 2018

Remove incorrect DCHECK from WindowPerformance::RegisterEventTiming

Clusterfuzz tells us that GetFrame() could be null when
WindowPerformance::RegisterEventTiming is called, so this CL removes
the DCHECK and bails out early instead.

Bug: 861627
Change-Id: Ic109e8153a80832324d9c3cf27e1bed957d2b1c2
Reviewed-on: https://chromium-review.googlesource.com/1131226
Reviewed-by: Steve Kobes <skobes@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#573769}
[modify] https://crrev.com/3641b5fb4b522a40423e8eaaebdd0150d316f44b/third_party/blink/renderer/core/timing/window_performance.cc
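
As an added illustration, not Blink's code and not the diff of this CL: a constructed C++ model of the 'before' and 'after' shapes of the fix, using a hypothetical Frame/WindowPerformance whose field layout is chosen so the ChromeClient pointer sits at offset 0x20, mirroring the reported crash address. It shows why a DCHECK cannot guard against a null pointer in a release build (it compiles out under NDEBUG) and that the early bail-out handles the null frame the fuzzer produced.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>

// Stand-in for Blink's DCHECK: an assertion in debug builds, a no-op in
// release builds, so it documents an assumption but never enforces it.
#ifdef NDEBUG
#define DCHECK(condition) ((void)0)
#else
#define DCHECK(condition) assert(condition)
#endif
struct ChromeClient { int event_timing_count = 0; };
// Hypothetical Frame, not Blink's layout: 32 bytes of other fields put the
// client pointer at offset 0x20, so a read through a null Frame* faults at
// address 0x20, matching the crash address in the report.
struct Frame {
  std::int64_t other_fields[4];
  ChromeClient* client = nullptr;
  ChromeClient* GetChromeClient() { return client; }
};
struct WindowPerformance {
  Frame* frame = nullptr;
  Frame* GetFrame() { return frame; }
  // 'Before': in release the DCHECK vanishes and a null frame reaches
  // GetChromeClient(), which reads frame->client at null + 0x20 and crashes.
  bool RegisterEventTimingBefore() {
    DCHECK(GetFrame());
    GetFrame()->GetChromeClient()->event_timing_count++;
    return true;
  }
  // 'After', the shape of the fix: bail out early when the frame is null.
  bool RegisterEventTimingAfter() {
    if (!GetFrame()) return false;
    GetFrame()->GetChromeClient()->event_timing_count++;
    return true;
  }
};
bool NullFrameBailsOut() {
  WindowPerformance perf;  // frame stays null; only the fixed path is safe
  return !perf.RegisterEventTimingAfter();
}
int EventsCountedWithValidFrame() {
  ChromeClient client;
  Frame frame{{}, &client};
  WindowPerformance perf{&frame};
  perf.RegisterEventTimingBefore();
  perf.RegisterEventTimingAfter();
  return client.event_timing_count;  // 2
}
std::size_t ChromeClientOffset() { return offsetof(Frame, client); }  // 0x20
```

Only the fixed path is exercised with a null frame; the 'before' path is kept to show the pattern, since calling it with a null frame is exactly the crash.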

Labels: Merge-Request-68
Requesting merge to M68 once the fix has been verified by ClusterFuzz. The change is just removing an incorrect DCHECK and replacing it with an early bail-out so it is very safe to merge. Also, the code changed is only executed when the EventTiming flag is on (and it's an origin trial).
Comment 5 by sheriffbot@chromium.org (Project Member), Jul 10

Labels: -Merge-Request-68 Hotlist-Merge-Review Merge-Review-68
This bug requires manual review: We are only 13 days from stable.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 6 by ClusterFuzz (Project Member), Jul 11

ClusterFuzz has detected this issue as fixed in range 573763:573769.

Detailed report: https://clusterfuzz.com/testcase?key=6461441868300288

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  blink::Frame::GetChromeClient
  blink::WindowPerformance::RegisterEventTiming
  blink::EventTiming::DidDispatchEvent
  
Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=573763:573769

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6461441868300288

Additional requirements: Requires HTTP

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 7 by ClusterFuzz (Project Member), Jul 11

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6461441868300288 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: -Merge-Review-68 Merge-Approved-68
Approved - branch:3440
Comment 9 by bugdroid1@chromium.org (Project Member), Jul 13

Labels: -merge-approved-68 merge-merged-3440
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cba63f8d9e4bc6def4dc8a4ca7b96bf3d87d1e55

commit cba63f8d9e4bc6def4dc8a4ca7b96bf3d87d1e55
Author: Nicolas Pena <npm@chromium.org>
Date: Fri Jul 13 18:27:15 2018

Remove incorrect DCHECK from WindowPerformance::RegisterEventTiming

Clusterfuzz tells us that GetFrame() could be null when
WindowPerformance::RegisterEventTiming is called, so this CL removes
the DCHECK and bails out early instead.

Bug: 861627
Change-Id: Ic109e8153a80832324d9c3cf27e1bed957d2b1c2
Reviewed-on: https://chromium-review.googlesource.com/1131226
Reviewed-by: Steve Kobes <skobes@chromium.org>
Commit-Queue: Nicolás Peña Moreno <npm@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#573769}
(cherry picked from commit 3641b5fb4b522a40423e8eaaebdd0150d316f44b)
Reviewed-on: https://chromium-review.googlesource.com/1136752
Reviewed-by: Nicolás Peña Moreno <npm@chromium.org>
Cr-Commit-Position: refs/branch-heads/3440@{#667}
Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733}
[modify] https://crrev.com/cba63f8d9e4bc6def4dc8a4ca7b96bf3d87d1e55/third_party/blink/renderer/core/timing/window_performance.cc
