CHECK failure: !CallbackFunction().IsEmpty() in v8_idle_request_callback.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5047154125832192
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !CallbackFunction().IsEmpty() in v8_idle_request_callback.cc
  blink::V8IdleRequestCallback::Invoke
  blink::V8IdleRequestCallback::InvokeAndReportException
Sanitizer: undefined (UBSAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5047154125832192

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Aug 9
Running the clusterfuzz-provided testcase on a fresh build of ToT, I get a crash in:

#0 0x7f34d562fcfd base::debug::StackTrace::StackTrace()
#1 0x7f34d53375ec base::debug::StackTrace::StackTrace()
#2 0x7f34d53a6c2a logging::LogMessage::~LogMessage()
#3 0x7f34d5603222 base::Value::Value()
#4 0x7f34d5603289 base::Value::Value()
#5 0x7f34d560ba1d base::DictionaryValue::SetString()
#6 0x7f34cad90305 media::MediaLog::SetStringProperty()
#7 0x7f34adb684b7 media::WebMediaPlayerImpl::WebMediaPlayerImpl()
#8 0x7f34d0387f72 content::MediaFactory::CreateMediaPlayer()
#9 0x7f34d05dd56b content::RenderFrameImpl::CreateMediaPlayer()
#10 0x7f34d05dd5de content::RenderFrameImpl::CreateMediaPlayer()
#11 0x7f34b53f49b3 blink::ModulesInitializer::CreateWebMediaPlayer()
#12 0x7f34ba23abe5 blink::LocalFrameClientImpl::CreateWebMediaPlayer()
#13 0x7f34ba61e892 blink::HTMLMediaElement::StartPlayerLoad()
#14 0x7f34ba61c28d blink::HTMLMediaElement::LoadResource()
#15 0x7f34ba61b857 blink::HTMLMediaElement::LoadSourceFromAttribute()
#16 0x7f34ba61b1d4 blink::HTMLMediaElement::SelectMediaResource()
#17 0x7f34ba619419 blink::HTMLMediaElement::LoadInternal()
#18 0x7f34ba6160c1 blink::HTMLMediaElement::LoadTimerFired()
#19 0x7f34b99835e1 blink::TaskRunnerTimer<>::Fired()
#20 0x7f34b7770917 blink::TimerBase::RunInternal()
#21 0x7f34b777154f _ZN4base8internal13FunctorTraitsIMN5blink9TimerBaseEFvvEvE6InvokeIS5_NS_7WeakPtrIS3_EEJEEEvT_OT0_DpOT1_
#22 0x7f34b77714ca _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIMN5blink9TimerBaseEFvvENS_7WeakPtrIS5_EEJEEEvOT_OT0_DpOT1_
#23 0x7f34b7771460 _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9TimerBaseEFvvEJNS_7WeakPtrIS4_EEEEEFvvEE7RunImplIS6_NSt3__15tupleIJS8_EEEJLm0EEEEvOT_OT0_NSD_16integer_sequenceImJXspT1_EEEE
#24 0x7f34b7771409 _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9TimerBaseEFvvEJNS_7WeakPtrIS4_EEEEEFvvEE7RunOnceEPNS0_13BindStateBaseE
#25 0x7f34b72badce _ZNO4base12OnceCallbackIFvvEE3RunEv
#26 0x7f34b743ef2d WTF::ThreadCheckingCallbackWrapper<>::RunInternal()
#27 0x7f34b743e94d WTF::ThreadCheckingCallbackWrapper<>::Run()
#28 0x7f34b743ef05 _ZN4base8internal13FunctorTraitsIMN3WTF29ThreadCheckingCallbackWrapperINS_12OnceCallbackIFvvEEES5_EEFvvEvE6InvokeIS9_NSt3__110unique_ptrIS7_NSC_14default_deleteIS7_EEEEJEEEvT_OT0_DpOT1_
#29 0x7f34b743ee64 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIMN3WTF29ThreadCheckingCallbackWrapperINS_12OnceCallbackIFvvEEES7_EEFvvEJNSt3__110unique_ptrIS9_NSC_14default_deleteIS9_EEEEEEEvOT_DpOT0_
#30 0x7f34b743ee10 _ZN4base8internal7InvokerINS0_9BindStateIMN3WTF29ThreadCheckingCallbackWrapperINS_12OnceCallbackIFvvEEES6_EEFvvEJNSt3__110unique_ptrIS8_NSB_14default_deleteIS8_EEEEEEES6_E7RunImplISA_NSB_5tupleIJSF_EEEJLm0EEEEvOT_OT0_NSB_16integer_sequenceImJXspT1_EEEE
#31 0x7f34b743edb9 _ZN4base8internal7InvokerINS0_9BindStateIMN3WTF29ThreadCheckingCallbackWrapperINS_12OnceCallbackIFvvEEES6_EEFvvEJNSt3__110unique_ptrIS8_NSB_14default_deleteIS8_EEEEEEES6_E7RunOnceEPNS0_13BindStateBaseE
#32 0x7f34d52e654e _ZNO4base12OnceCallbackIFvvEE3RunEv
#33 0x7f34d5338ab2 base::debug::TaskAnnotator::RunTask()
#34 0x7f34d5516939 base::sequence_manager::internal::ThreadControllerImpl::DoWork()
#35 0x7f34d5519331 _ZN4base8internal13FunctorTraitsIMNS_16sequence_manager8internal20ThreadControllerImplEFvNS4_8WorkTypeEEvE6InvokeIS7_RKNS_7WeakPtrIS4_EEJRKS5_EEEvT_OT0_DpOT1_

This looks like an issue where the testcase has either an invalid URL or Title, since it crashes on checking that a string initializing the media player is UTF-8 (when it appears it should be). As such, this does not appear to be a JS issue. Setting component and making it available.
Sep 11
ClusterFuzz has detected this issue as fixed in range 590191:590193.

Detailed report: https://clusterfuzz.com/testcase?key=5047154125832192
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !CallbackFunction().IsEmpty() in v8_idle_request_callback.cc
  blink::V8IdleRequestCallback::Invoke
  blink::V8IdleRequestCallback::InvokeAndReportException
Sanitizer: undefined (UBSAN)
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=590191:590193
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5047154125832192

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 11
ClusterFuzz testcase 5047154125832192 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by kkaluri@chromium.org, Aug 3