New issue
Advanced search Search tips

Issue 861646 link

Starred by 1 user
Status: Verified
Owner:
dgozman@chromium.org
Closed: Jul 13
Cc:
kinuko@chromium.org
kkaluri@chromium.org
dcheng@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Null-dereference READ in blink::SecurityOrigin::ToUrlOrigin

Project Member Reported by ClusterFuzz, Jul 9 
Detailed report: https://clusterfuzz.com/testcase?key=5686287336734720

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000024
Crash State:
  blink::SecurityOrigin::ToUrlOrigin
  blink::WebSecurityOrigin::operator url::Origin
  content::RenderFrameImpl::BeginNavigation
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5686287336734720

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by kkaluri@chromium.org, Jul 12

Cc: kkaluri@chromium.org
Components: Blink>DOM
Labels: M-69 Test-Predator-Wrong
Owner: dcheng@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.

Using Code Search for the file, "security_origin.cc" suspecting the below Cl might have caused this issue

Suspect CL: https://chromium.googlesource.com/chromium/src/+/00107ca537f9125c45dc16f23cad6a0ed0347aa7

dcheng@ -- Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner.

Thanks!

Comment 2 by hayato@chromium.org, Jul 12

Components: -Blink>DOM Blink>Internals
That doesn't seem to related to DOM.

Comment 3 by dcheng@chromium.org, Jul 12

Cc: dcheng@chromium.org
Components: -Blink>Internals UI>Browser>Navigation
Owner: dgozman@chromium.org
I suspect, for some reason, the SecurityOrigin is null (there's a DCHECK in the previous line that this is true).

+dgozman, do you mind looking at this, since you've been doing some work in this area?

Comment 4 by dgozman@chromium.org, Jul 12

Cc: kinuko@chromium.org
Hmm... RenderFrameImpl::DidStartProvisionalLoad expects RequestorOrigin to be non-null, although nobody guarantees that. It might be null when someone calls WebLocalFrame::StartNavigation (like in this case), or WebLocalFrame::CommitNavigation, or various LoadFoo methods.

+kinuko, who introduced the assumption in [1]. Are we sure it should never be null?

Meanwhile, I have a patch to fix this particular layouttest-only problem [2].

[1] https://chromium.googlesource.com/chromium/src/+/74a7fb2fa4307c69812945586b39018ae4f231b2%5E%21/#F1
[2] https://chromium-review.googlesource.com/c/chromium/src/+/1135642
Project Member

Comment 5 by ClusterFuzz, Jul 13 

ClusterFuzz has detected this issue as fixed in range 574649:574651.

Detailed report: https://clusterfuzz.com/testcase?key=5686287336734720

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000024
Crash State:
  blink::SecurityOrigin::ToUrlOrigin
  blink::WebSecurityOrigin::operator url::Origin
  content::RenderFrameImpl::BeginNavigation
  
Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=574649:574651

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5686287336734720

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Jul 13

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5686287336734720 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 7 by dgozman@chromium.org, Jul 13 

Looks like this was fixed by https://chromium-review.googlesource.com/1130223.

Sign in to add a comment