Null-dereference READ in base::internal::Invoker<base::internal::BindState<void
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5704233287155712
Fuzzer: inferno_flicker
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  base::internal::Invoker<base::internal::BindState<void
  network::SaveToStringBodyHandler::NotifyConsumerOfCompletion
  network::SimpleURLLoaderImpl::FinishWithResult
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=584876:584877
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5704233287155712

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Aug 22
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/5a1ed478415944ac54d326917f1cc4b5b594dba2 ([chromeos] Migrate timezone/ & geolocation/ to SimpleURLLoader). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Aug 30
Looks like the test case is empty...
Aug 31
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bd5933732c1acc6b426cebfb8d16d32c7a0fc1b9

commit bd5933732c1acc6b426cebfb8d16d32c7a0fc1b9
Author: Sergio Villar Senin <svillar@igalia.com>
Date: Fri Aug 31 07:59:27 2018

[chromeos] Fix null-dereference in GetGeolocationFromResponse()

SimpleURLLoader does not return the response body by default for most of error situations. The failing code was unconditionally dereferencing the std::unique_ptr<std::string<>> holding the response body and so, causing a crash.

Bots didn't complain when the CL landed because apparently log levels greater than 0 are filtered out for unit tests (the line crashing was a VLOG(1)). That's why a unit test is not provided.

Bug: 876627
Change-Id: Ibbc87955343fbab069cbc90b926593ffe6568ecd
Reviewed-on: https://chromium-review.googlesource.com/1196888
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Alexander Alekseev <alemate@chromium.org>
Commit-Queue: Sergio Villar <svillar@igalia.com>
Cr-Commit-Position: refs/heads/master@{#587961}

[modify] https://crrev.com/bd5933732c1acc6b426cebfb8d16d32c7a0fc1b9/chromeos/geolocation/simple_geolocation_request.cc
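The defect class the commit describes is a completion callback that assumes a response body is always present, when a SimpleURLLoader-style client passes a null `std::unique_ptr<std::string>` for most error outcomes. The example below is added here and is not the Chromium code or the committed fix; it is a plain C++ stand-in that models the callback with a hypothetical `HandleGeolocationResponse()` and shows the check the handler needs before dereferencing the body. The result struct, the `net_error` values and the response text are all constructed for illustration.

```cpp
#include <cassert>
#include <memory>
#include <string>

// Constructed result type: what the handler would otherwise only log via VLOG(1).
struct GeolocationResult {
  bool ok = false;          // true only when a non-empty body was delivered
  std::string body;         // raw response text, if any
  std::string log_message;  // the line a VLOG(1) would have emitted
};

// Hypothetical completion callback. Mirrors the contract the commit message
// describes: on most network errors the loader hands over a null body pointer,
// so the pointer must be checked before it is dereferenced.
GeolocationResult HandleGeolocationResponse(
    int net_error, std::unique_ptr<std::string> response_body) {
  GeolocationResult result;
  if (!response_body) {
    // The original code skipped this branch and dereferenced a null pointer.
    result.log_message = "Geolocation request failed, net_error=" +
                         std::to_string(net_error) + ", no body";
    return result;
  }
  // Safe to dereference: the body is present.
  result.body = *response_body;
  result.log_message = "Geolocation response: " + *response_body;
  result.ok = !response_body->empty();
  return result;
}

// For contrast, the shape of the crashing statement (never executed here):
//   VLOG(1) << "Response: " << *response_body;  // null-deref when body is absent

int main() {
  // Constructed inputs: one failed request (null body), one successful request.
  GeolocationResult failed = HandleGeolocationResponse(-1, nullptr);
  GeolocationResult succeeded = HandleGeolocationResponse(
      0, std::make_unique<std::string>("{\"location\":{}}"));
  assert(!failed.ok);
  assert(succeeded.ok);
  return 0;
}
```

Because log statements above level 0 are filtered in unit tests, a test that exercises the error path with a null body and asserts on the returned result (rather than on what gets logged) is what would have caught this before landing.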
Aug 31
closing
Sep 7
ClusterFuzz testcase 5704233287155712 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Sep 7
The test case is empty, so I am not sure what the fuzzer is really testing.
Comment 1 by ClusterFuzz, Aug 22. Labels: Test-Predator-Auto-Components