Issue 862905
Issue metadata

Status: Duplicate
Merged: issue 862900
Owner:
Closed: Jul 12
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


CHECK failure: iteration_state_ & kAllowingRemoval in lifecycle_notifier.h

Project Member Reported by ClusterFuzz, Jul 12

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5898443462279168

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  iteration_state_ & kAllowingRemoval in lifecycle_notifier.h
  blink::LifecycleNotifier<>::RemoveObserver
  blink::LifecycleObserver<>::SetContext
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=574075:574076

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5898443462279168

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Jul 12

Components: Internals>Core
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz (Project Member), Jul 12

Labels: Test-Predator-Auto-Owner
Owner: pwnall@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/e23e774ef4290cff9869417e25d46e5a099d1567 (Blink: Introduce LifecycleNotifier::ForEachObserver().).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

As far as I know, this DCHECK exposes an unsafe modification of LifecycleNotifier::observers_ (modification concurrently with iterating over the collection).

The CL referenced above added checks to more places that iterated over the collection, so reverting it would not fix the bug, it would merely mask it.
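To make the failure mode in the comment above concrete, here is an added illustration (not Chromium's code): a cut-down notifier whose iteration-state flags mimic the check in the crash state, with a callback that removes its own observer during notification. Every name in it is a hypothetical stand-in for the Blink classes in the stack trace; the snapshot-and-skip loop is one safe way to permit removal, not Blink's implementation.

```cpp
// Added illustration, not Chromium's code: a cut-down notifier modelled on the
// LifecycleNotifier iteration-state check from this report. Every name here is
// a hypothetical stand-in for the Blink classes in the stack trace.
#include <functional>
#include <set>
#include <vector>

class ToyNotifier {
 public:
  enum : unsigned { kNotIterating = 0, kIterating = 1, kAllowingRemoval = 2 };
  void AddObserver(int id) { observers_.insert(id); }
  // Returns false where the real code CHECK-fails: a removal requested while
  // a loop that did not opt in to removal is still walking observers_.
  bool RemoveObserver(int id) {
    if ((iteration_state_ & kIterating) && !(iteration_state_ & kAllowingRemoval))
      return false;  // the "iteration_state_ & kAllowingRemoval" failure
    observers_.erase(id);
    return true;
  }
  // Visits every observer; with allow_removal the loop walks a snapshot and
  // skips ids erased mid-iteration, so callbacks may call RemoveObserver.
  int ForEachObserver(const std::function<void(ToyNotifier&, int)>& visit,
                      bool allow_removal) {
    iteration_state_ = kIterating | (allow_removal ? kAllowingRemoval : 0);
    std::vector<int> snapshot(observers_.begin(), observers_.end());
    int visited = 0;
    for (int id : snapshot) {
      if (!observers_.count(id)) continue;  // erased by an earlier callback
      visit(*this, id);
      ++visited;
    }
    iteration_state_ = kNotIterating;
    return visited;
  }
 private:
  std::set<int> observers_;
  unsigned iteration_state_ = kNotIterating;
};

// Mirrors the report's failure mode: a callback removes its own observer during
// notification (frames #4-#9 of the trace). Returns how many removals
// succeeded; 0 means the check fired on every attempt.
int RemovalsDuringNotification(bool allow_removal) {
  ToyNotifier n;
  for (int id = 1; id <= 3; ++id) n.AddObserver(id);
  int removed = 0;
  n.ForEachObserver([&](ToyNotifier& s, int id) { removed += s.RemoveObserver(id); },
                    allow_removal);
  return removed;
}
```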

Labels: Test-Predator-Wrong-CLs
Adding Test-Predator-Wrong-CLs per instructions. I can definitely see why it'd point to my CL, though.

Full stack trace:

#4 blink::LifecycleNotifier<blink::Document, blink::SynchronousMutationObserver>::RemoveObserver(blink::LifecycleObserverBase*) third_party/blink/renderer/platform/lifecycle_notifier.h:176:3
#5 blink::LifecycleObserver<blink::Document, blink::SynchronousMutationObserver>::SetContext(blink::Document*) third_party/blink/renderer/platform/lifecycle_observer.h:69:49
#6 blink::DocumentMarkerController::PossiblyHasMarkers(blink::DocumentMarker::MarkerTypes) third_party/blink/renderer/core/editing/markers/document_marker_controller.cc:144:5
#7 blink::DocumentMarkerController::DidUpdateCharacterData(blink::CharacterData*, unsigned int, unsigned int, unsigned int) third_party/blink/renderer/core/editing/markers/document_marker_controller.cc:894:8
#8 operator() third_party/blink/renderer/core/dom/synchronous_mutation_notifier.cc:50:15
#9 ForEachObserver<(lambda at ../../third_party/blink/renderer/core/dom/synchronous_mutation_notifier.cc:49:19)> third_party/blink/renderer/platform/lifecycle_notifier.h:80
#10 blink::SynchronousMutationNotifier::NotifyUpdateCharacterData(blink::CharacterData*, unsigned int, unsigned int, unsigned int) third_party/blink/renderer/core/dom/synchronous_mutation_notifier.cc:49
#11 blink::CharacterData::SetDataAndUpdate(WTF::String const&, unsigned int, unsigned int, unsigned int, blink::CharacterData::UpdateSource) third_party/blink/renderer/core/dom/character_data.cc:193:19
#12 blink::CharacterData::setData(WTF::String const&) third_party/blink/renderer/core/dom/character_data.cc:47:3
#13 blink::ReplaceChildrenWithText(blink::ContainerNode*, WTF::String const&, blink::ExceptionState&) third_party/blink/renderer/core/editing/serializers/serialization.cc:746:43
#14 blink::HTMLElement::setInnerText(WTF::String const&, blink::ExceptionState&) third_party/blink/renderer/core/html/html_element.cc
#15 blink::MediaControlTimeDisplayElement::SetCurrentValue(double) third_party/blink/renderer/modules/media_controls/elements/media_control_time_display_element.cc:19:3
#16 blink::MediaControlsImpl::OnTimeUpdate() third_party/blink/renderer/modules/media_controls/media_controls_impl.cc:1610:3
#17 blink::EventTarget::FireEventListeners(blink::Event*, blink::EventTargetData*, blink::HeapVector<blink::RegisteredEventListener, 1ul>&) third_party/blink/renderer/core/dom/events/event_target.cc:804:15
#18 blink::EventTarget::FireEventListeners(blink::Event*) third_party/blink/renderer/core/dom/events/event_target.cc:656:29
#19 blink::EventDispatcher::DispatchEventAtTarget() third_party/blink/renderer/core/dom/events/event_dispatcher.cc:241:29
#20 blink::EventDispatcher::Dispatch() third_party/blink/renderer/core/dom/events/event_dispatcher.cc:190:11
#21 blink::EventDispatcher::DispatchEvent(blink::Node&, blink::Event*) third_party/blink/renderer/core/dom/events/event_dispatcher.cc:59:17
#22 blink::EventQueue::DispatchEvent(blink::Event*) third_party/blink/renderer/core/dom/events/event_queue.cc:107:13
#23 base::OnceCallback<void ()>::Run() && base/callback.h:99:12
#24 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101:33
#25 base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) base/task/sequence_manager/thread_controller_impl.cc:166:21
#26 base::OnceCallback<void ()>::Run() && base/callback.h:99:12
#27 base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101:33
#28 base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:454:46
#29 base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:465:5
#30 base::MessageLoop::DoWork() base/message_loop/message_loop.cc:535:16
#31 base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31
#32 base::RunLoop::Run() base/run_loop.cc:102:14
#33 content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:200:23
#34 content::RunZygote(content::ContentMainDelegate*) content/app/content_main_runner_impl.cc:554:14
#35 content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:951:10
#36 service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:472:29
#37 content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
#38 ChromeMain chrome/app/chrome_main.cc:101:12

Mergedinto: 862900
Status: Duplicate (was: Assigned)
Duplicating to Issue 862900 because it's the same problem, and the other bug has a significantly smaller repro.

Comment 7 by ClusterFuzz (Project Member), Jul 17

ClusterFuzz has detected this issue as fixed in range 575314:575315.

Detailed report: https://clusterfuzz.com/testcase?key=5898443462279168

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  iteration_state_ & kAllowingRemoval in lifecycle_notifier.h
  blink::LifecycleNotifier<>::RemoveObserver
  blink::LifecycleObserver<>::SetContext
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=574075:574076
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=575314:575315

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5898443462279168

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.