Null-dereference READ in mojo::ReportBadMessage
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5457587508871168

Fuzzer: mojo_fuzzer
Job Type: linux_asan_chrome_mojo
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  mojo::ReportBadMessage
  content::SessionStorageContextMojo::OpenSessionStorage
  base::internal::Invoker<base::internal::BindState<void

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mojo&range=575052:575090

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5457587508871168

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Jul 27
dmurph: in void SessionStorageContextMojo::OpenSessionStorage you sometimes delay actually doing the work, but if you want to asynchronously report a bad message you have to call GetBadMessageCallback() synchronously and call the resulting callback later, rather than trying to call ReportBadMessage async.
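To illustrate the point in the comment above, here is an added example that is not code from Chromium or Mojo: a small C++ model of a message dispatcher with a thread-local "current message" pointer, a ReportBadMessage() that only works while that pointer is set, and a GetBadMessageCallback() that captures the message during dispatch so that a later task can still report it. Everything in namespace model (Dispatcher, MessageContext, the "ExampleInterface" name and the three scenario functions) is invented for the illustration. The real mojo::ReportBadMessage dereferences its context rather than returning false, which is how a deferred call turns into the null read (at offset 8, consistent with a field access through a null pointer) that ClusterFuzz reported.

```cpp
// Added example, not Chromium or Mojo code: a minimal model of why
// ReportBadMessage() must run synchronously inside message dispatch,
// while a callback obtained from GetBadMessageCallback() during dispatch
// may be invoked later. All names in namespace model are invented.
#include <deque>
#include <functional>
#include <string>
#include <vector>

namespace model {

// One dispatched message. Owned by the Dispatcher so that a callback
// captured during dispatch can still refer to it after dispatch ends.
struct MessageContext {
  std::string interface_name;
  bool reported = false;  // set once the message is reported as bad
  std::string reason;
};

// The message whose handler is currently running on this thread;
// nullptr outside of dispatch.
thread_local MessageContext* g_current = nullptr;

using ReportBadMessageCallback = std::function<void(const std::string&)>;

// Synchronous report: only valid while a handler is running. The real
// Mojo function dereferences the current-context pointer here, so a call
// from a later task is a null dereference; modeled as a failed report.
bool ReportBadMessage(const std::string& reason) {
  if (g_current == nullptr) return false;
  g_current->reported = true;
  g_current->reason = reason;
  return true;
}

// Must be called synchronously inside the handler: captures the current
// message so the returned callback can report it from a later task.
// Returns an empty callback when no message is being dispatched.
ReportBadMessageCallback GetBadMessageCallback() {
  if (g_current == nullptr) return ReportBadMessageCallback();
  MessageContext* ctx = g_current;
  return [ctx](const std::string& reason) {
    ctx->reported = true;
    ctx->reason = reason;
  };
}

class Dispatcher {
 public:
  // Runs |handler| as the handler of one incoming message, with the
  // current-message pointer set only for the duration of the call.
  MessageContext& Dispatch(const std::string& iface,
                           const std::function<void()>& handler) {
    messages_.emplace_back();
    MessageContext& ctx = messages_.back();
    ctx.interface_name = iface;
    g_current = &ctx;
    handler();
    g_current = nullptr;
    return ctx;
  }

 private:
  std::deque<MessageContext> messages_;  // deque keeps references valid
};

// Case 1: validation inside the handler; a direct report works.
bool SyncReport() {
  Dispatcher d;
  MessageContext& ctx = d.Dispatch("ExampleInterface", [] {
    ReportBadMessage("id has wrong length");
  });
  return ctx.reported;
}

// Case 2, the pattern in this bug: the handler defers its work and calls
// ReportBadMessage() from the deferred task, after dispatch has ended.
bool BuggyDeferredReport() {
  Dispatcher d;
  std::vector<std::function<void()>> later;  // stands in for a task queue
  bool report_ok = true;
  d.Dispatch("ExampleInterface", [&] {
    later.push_back([&] { report_ok = ReportBadMessage("bad id"); });
  });
  for (auto& task : later) task();  // g_current is null while these run
  return report_ok;
}

// Case 3, the fix described in the comment: obtain the callback
// synchronously during dispatch and invoke it from the later task.
bool FixedDeferredReport(std::string* reason_out) {
  Dispatcher d;
  std::vector<std::function<void()>> later;
  MessageContext& ctx = d.Dispatch("ExampleInterface", [&] {
    ReportBadMessageCallback cb = GetBadMessageCallback();
    if (!cb) return;
    later.push_back([cb] { cb("bad id"); });
  });
  for (auto& task : later) task();
  if (reason_out) *reason_out = ctx.reason;
  return ctx.reported;
}

}  // namespace model
```

The model keeps the failing path observable (a false return) instead of crashing so the three cases can be compared side by side; the ordering constraint is the same as in Mojo, where the message identity needed for the report exists only for the span of the handler call.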
Aug 2
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/27019c14427077a82f812e4ae7c1c7f153e96cf6

commit 27019c14427077a82f812e4ae7c1c7f153e96cf6
Author: Daniel Murphy <dmurph@chromium.org>
Date: Thu Aug 02 16:46:08 2018

[SessionStorage] Fixed async BadMessage reporting

R=mek@chromium.org

Bug: 868578
Change-Id: I1c90f993f3e71d543b414c37a1b92bae5948b766
Reviewed-on: https://chromium-review.googlesource.com/1155483
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#580214}

[modify] https://crrev.com/27019c14427077a82f812e4ae7c1c7f153e96cf6/content/browser/dom_storage/dom_storage_context_wrapper.cc
[modify] https://crrev.com/27019c14427077a82f812e4ae7c1c7f153e96cf6/content/browser/dom_storage/dom_storage_context_wrapper.h
[modify] https://crrev.com/27019c14427077a82f812e4ae7c1c7f153e96cf6/content/browser/dom_storage/session_storage_context_mojo.cc
[modify] https://crrev.com/27019c14427077a82f812e4ae7c1c7f153e96cf6/content/browser/dom_storage/session_storage_context_mojo.h
[modify] https://crrev.com/27019c14427077a82f812e4ae7c1c7f153e96cf6/content/browser/dom_storage/session_storage_context_mojo_unittest.cc
[modify] https://crrev.com/27019c14427077a82f812e4ae7c1c7f153e96cf6/content/browser/storage_partition_impl.cc
Aug 3
ClusterFuzz has detected this issue as fixed in range 580213:580214.

Detailed report: https://clusterfuzz.com/testcase?key=5457587508871168

Fuzzer: mojo_fuzzer
Job Type: linux_asan_chrome_mojo
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  mojo::ReportBadMessage
  content::SessionStorageContextMojo::OpenSessionStorage
  base::internal::Invoker<base::internal::BindState<void

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mojo&range=575052:575090
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mojo&range=580213:580214

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5457587508871168

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 3
ClusterFuzz testcase 5457587508871168 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jul 27
Labels: Test-Predator-Auto-Components