Issue 873055

Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 4
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Abrt in blink::ReportFatalErrorInMainThread

Reported by cdsrc2...@gmail.com, Aug 10

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce the problem:
1. Build the source code.
   Configure the args.gn file as below:
       use_sanitizer_coverage = true
       is_asan = true
       is_debug = false
       enable_nacl = false
       treat_warnings_as_errors = false
   then: ninja -j4 -C out/chrome_asan chrome
2. Build a mini web server.
   I used the python twisted module to build the webserver.
   1) copy the js source files and crash.html into the htm directory
   2) run python web.py
3. ./chrome http://127.0.0.1:8605/crash.html

What is the expected behavior?

What went wrong?
Consistently get a signal 6 crash.

Did this work before? N/A 

Chrome version: 70.0.3518.0  Channel: n/a
OS Version: 16.04
Flash Version:
 
Attachments: crash.html (224 bytes), signal_6 (4.3 KB)
Comment 1 by ClusterFuzz (Project Member), Aug 10

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4761241407717376.
Components: Blink>JavaScript Blink>Bindings Blink>Network>StreamsAPI
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Via-Wizard-Security Stability-Crash Type-Bug
Cc: ricea@chromium.org
Components: -Blink>Network>StreamsAPI
It's not streams-related, even if the involvement of a full stack is similar to many streams-related crashes.

It's a stack-space exhaustion issue. func() fills up the stack, and then causes the creation of a new WindowProxy, which calls v8::Context::FromSnapshot(), which fails with a full stack.

It's a controlled crash, so we could in principle turn it into an exception and recover. The state of the iframe might not be good if we did that.
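The following is an added illustration, not the reporter's crash.html (which is not shown on this page) and not Chromium code. It mirrors the shape described in the comment above in plain JavaScript under Node/V8: a function recurses until V8 refuses another frame, then performs work from the deepest surviving frame. In JS the exhaustion surfaces as a catchable RangeError and execution recovers; in the report the work step was native (creating a new WindowProxy via v8::Context::FromSnapshot), and that path does not turn the failure into an exception, so the renderer aborts. In a browser the `work` callback would be whatever creates a WindowProxy (inserting an iframe is my assumption, not something the page states). The function names callAtStackLimit, runAtStackLimit and needFrames are mine.

```javascript
// Added example: not the reporter's crash.html and not Chromium code.
// Shape of a stack-exhaustion reproducer: recurse until the stack is full,
// then do work from the deepest surviving frame. Under Node/V8 the
// exhaustion is a catchable RangeError; in the report the work step was
// native (V8ContextSnapshot::CreateContextFromSnapshot) and aborted instead.
'use strict';

// Recurse until V8 refuses another frame, then call `work` from the
// innermost frame that could still catch the RangeError. If `work` itself
// runs out of stack, its RangeError propagates one frame up, which retries
// with slightly more room, so `work` eventually runs.
function callAtStackLimit(work, stats) {
  try {
    return callAtStackLimit(work, stats);
  } catch (e) {
    if (!(e instanceof RangeError)) throw e; // only stack overflow is expected here
    stats.overflows++;
    return work(); // almost no stack left at this point
  }
}

// Returns the work's result plus how many overflows were absorbed on the
// way, so a caller can see that the exhaustion was controlled and recovered.
function runAtStackLimit(work) {
  const stats = { overflows: 0 };
  const value = callAtStackLimit(work, stats);
  return { value, overflows: stats.overflows };
}

// Stand-in for "work that needs stack": n nested frames (constructed input).
function needFrames(n) {
  return n === 0 ? 0 : 1 + needFrames(n - 1);
}

// Demo: in a browser the `work` step would be whatever creates a new
// WindowProxy, which is the step the report says failed.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(runAtStackLimit(() => 'trivial work'));
  console.log(runAtStackLimit(() => needFrames(500)));
}
```

The example recurses until V8 throws rather than to a fixed depth on purpose: frame sizes differ between interpreted and optimized code, so "N frames from the limit" is not a stable position, and a reproducer that wants the stack nearly full has to let the engine tell it when that is.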
Comment 4 by ClusterFuzz (Project Member), Aug 10

Labels: Security_Impact-Stable
Summary: Abrt in blink::ReportFatalErrorInMainThread (was: crash in blink::ReportFatalErrorInMainThread)
Detailed report: https://clusterfuzz.com/testcase?key=4761241407717376

Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x053900000001
Crash State:
  blink::ReportFatalErrorInMainThread
  v8::V8::ToLocalEmpty
  blink::V8ContextSnapshot::CreateContextFromSnapshot
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=500820:500829

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4761241407717376

See https://github.com/google/clusterfuzz-tools for more information.
Labels: -Security_Impact-Stable
Status: WontFix (was: Unconfirmed)
As mentioned in c#3, this is a stack exhaustion; crashing the renderer is a reasonable thing to do in this situation.

Issue 881821 has been merged into this issue.
Comment 8 by ClusterFuzz (Project Member), Sep 11

Labels: Needs-Feedback
ClusterFuzz testcase 4761241407717376 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.