Null-dereference READ in blink::VideoFrameSubmitter::OnReceivedContextProvider
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4694366736875520
Fuzzer: inferno_canvas_wrecker
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::VideoFrameSubmitter::OnReceivedContextProvider
  base::internal::Invoker<base::internal::BindState<void
  base::internal::Invoker<base::internal::BindState<base::OnceCallback<void
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=587852:587853
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4694366736875520
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Aug 31
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Aug 31
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/a9f89577a99fc5ad84e5c0c54811179e16df7b55 ([BlinkGenPropertyTrees] Run more tests on BGPT bot). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Aug 31
Not a P1 for null reads. I don't see why this would be related to running more tests.
Aug 31
Aug 31
This crash occurs very frequently on mac platform and is likely preventing the fuzzer inferno_canvas_wrecker from making much progress. Fixing this will allow more bugs to be found. Marking this bug as a blocker for next Beta release. If this is incorrect, please add ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.
Aug 31
Aug 31
Issue 879518 has been merged into this issue.
Aug 31
#1 crash in windows canary - 70.0.3538.0, please revert ASAP.

Manual regression range finder link:
https://crash.corp.google.com/browse?q=expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3AVideoFrameSubmitter%3A%3AOnReceivedContextProvider%27+AND+expanded_custom_data.ChromeCrashProto.ptype%3D%27renderer%27#-property-selector,-samplereports,+productname,+productversion:1000,+directory,-clientid,+operatingsystem,+url,+simplifiedurl,+extensions
Aug 31
Aug 31
lethalantidote@ has a candidate fix uploaded. Unfortunately, none of us was able to repro the issue locally. As soon as it lands, we will be able to see what ClusterFuzz says.
Aug 31
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2008c6b2b89dc96e70490259543c53b99e62b605

commit 2008c6b2b89dc96e70490259543c53b99e62b605
Author: CJ DiMeglio <lethalantidote@chromium.org>
Date: Fri Aug 31 22:35:46 2018

Changes bool to and instead of or.

We were moving on to checking ContextGL if binding failed. This is bad, because we should not touch ContextGL if we haven't been bound.

Bug: 879438
Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I7898adf7af963216c388adaa35c5c2c287802fed
Reviewed-on: https://chromium-review.googlesource.com/1200363
Reviewed-by: Kenneth Russell <kbr@chromium.org>
Commit-Queue: CJ DiMeglio <lethalantidote@chromium.org>
Cr-Commit-Position: refs/heads/master@{#588190}

[modify] https://crrev.com/2008c6b2b89dc96e70490259543c53b99e62b605/third_party/blink/renderer/platform/graphics/video_frame_submitter.cc
Sep 1
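The commit message above pins the crash on a single boolean operator: with `||`, the right-hand operand runs exactly when `BindToCurrentThread()` has failed, and that operand calls `ContextGL()` on a provider that was never bound. The C++ below is an added illustration of that failure mode and of the `&&` fix; it is not Chromium code and not the contents of the commit. `FakeContextProvider`, `FakeGL`, `ResetStatus`, `Outcome` and the two `HasGoodContext*` functions are constructed stand-ins whose shape is reconstructed from the commit message rather than copied from video_frame_submitter.cc; the null dereference is modelled as a thrown exception so the program reports it instead of crashing.

```cpp
#include <cstdio>
#include <stdexcept>

// Constructed stand-ins (not Chromium types) for a context provider and the
// GL interface it hands out once bound.
enum class ContextResult { kSuccess, kTransientFailure, kFatalFailure };
constexpr int kGlNoError = 0;      // stands in for GL_NO_ERROR
constexpr int kGlContextLost = 1;  // any reset status other than GL_NO_ERROR

struct FakeGL {
  int reset_status = kGlNoError;
  int GetGraphicsResetStatusKHR() const { return reset_status; }
};

class FakeContextProvider {
 public:
  FakeContextProvider(ContextResult bind_result, int reset_status)
      : bind_result_(bind_result) { gl_.reset_status = reset_status; }

  ContextResult BindToCurrentThread() {
    bound_ = (bind_result_ == ContextResult::kSuccess);
    return bind_result_;
  }
  // Only meaningful after a successful bind: returns nullptr otherwise, and
  // counts every call so a test can prove whether GL was touched at all.
  FakeGL* ContextGL() {
    ++context_gl_calls_;
    return bound_ ? &gl_ : nullptr;
  }
  int context_gl_calls() const { return context_gl_calls_; }

 private:
  ContextResult bind_result_;
  bool bound_ = false;
  FakeGL gl_;
  int context_gl_calls_ = 0;
};

// Models gl->GetGraphicsResetStatusKHR(). Real code would read through the
// null pointer (the MSAN null-deref READ in this bug); here it throws instead.
int ResetStatus(FakeGL* gl) {
  if (!gl) throw std::logic_error("ContextGL() dereferenced while unbound");
  return gl->GetGraphicsResetStatusKHR();
}

// Pre-fix shape: '||' evaluates the right operand exactly when the bind
// FAILED, i.e. precisely when the provider must not be touched.
bool HasGoodContextBuggy(FakeContextProvider& p) {
  return p.BindToCurrentThread() == ContextResult::kSuccess ||
         ResetStatus(p.ContextGL()) == kGlNoError;
}

// Post-fix shape: '&&' short-circuits on a failed bind, so ContextGL() is
// never called; a successful bind must additionally have a non-reset context.
bool HasGoodContextFixed(FakeContextProvider& p) {
  return p.BindToCurrentThread() == ContextResult::kSuccess &&
         ResetStatus(p.ContextGL()) == kGlNoError;
}

enum class Outcome { kGood, kBad, kNullDeref };

// Runs one condition shape against a provider and classifies what happened.
Outcome Evaluate(bool (*condition)(FakeContextProvider&),
                 FakeContextProvider& p) {
  try {
    return condition(p) ? Outcome::kGood : Outcome::kBad;
  } catch (const std::logic_error&) {
    return Outcome::kNullDeref;
  }
}

// Wrappers so each scenario is a single call.
Outcome RunBuggy(ContextResult bind_result, int reset_status) {
  FakeContextProvider p(bind_result, reset_status);
  return Evaluate(HasGoodContextBuggy, p);
}
Outcome RunFixed(ContextResult bind_result, int reset_status) {
  FakeContextProvider p(bind_result, reset_status);
  return Evaluate(HasGoodContextFixed, p);
}
// How often the fixed condition touches ContextGL() when the bind fails.
int FixedGlCallsAfterFailedBind() {
  FakeContextProvider p(ContextResult::kTransientFailure, kGlNoError);
  Evaluate(HasGoodContextFixed, p);
  return p.context_gl_calls();
}

int main() {
  bool crashed = RunBuggy(ContextResult::kTransientFailure, kGlNoError) ==
                 Outcome::kNullDeref;
  std::printf("buggy '||' after failed bind: %s\n",
              crashed ? "null dereference" : "no crash");
  std::printf("fixed '&&' after failed bind: ContextGL() calls = %d\n",
              FixedGlCallsAfterFailedBind());
  return 0;
}
```

The `&&` form also repairs a second, quieter defect of the `||` form: a successful bind short-circuits past the reset-status check, so a bound provider whose context has been lost is reported as good. With `&&`, both the bind and the `GL_NO_ERROR` status are required.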
ClusterFuzz testcase 4694366736875520 appears to be flaky, updating reproducibility label.
Sep 4
lethalantidote@'s CL is in Canary since 71.0.3541.0, which was released yesterday. There seem to be no crashes since, but it might be a bit early to be certain it's fixed. Hopefully the overall crash rate will go down dramatically if this is correct.
Sep 4
Thanks for checking - please request a merge to M70 if it looks good.
Sep 5
Sep 5
We are not seeing any new crashes on canary builds starting #71.0.3451.0. We are good to go with the merge to M70 (Branch: 3538).
Sep 5
Approved - branch:3538
Sep 5
Here's a summary of the rules that were executed:
- OnlyMergeApprovedChange: Rule Failed -- Revision ee2046e114189f99a54dccbc51c9ae72ed2a82aa was merged to refs/branch-heads/3538 branch with no merge approval from a TPM! Please explain why this change was merged to the branch!
Sep 5
Sep 5
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ee2046e114189f99a54dccbc51c9ae72ed2a82aa

commit ee2046e114189f99a54dccbc51c9ae72ed2a82aa
Author: CJ DiMeglio <lethalantidote@chromium.org>
Date: Wed Sep 05 20:21:31 2018

Changes bool to and instead of or.

We were moving on to checking ContextGL if binding failed. This is bad, because we should not touch ContextGL if we haven't been bound.

Bug: 879438
Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I7898adf7af963216c388adaa35c5c2c287802fed
Reviewed-on: https://chromium-review.googlesource.com/1200363
Reviewed-by: Kenneth Russell <kbr@chromium.org>
Commit-Queue: CJ DiMeglio <lethalantidote@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#588190}
(cherry picked from commit 2008c6b2b89dc96e70490259543c53b99e62b605)
Reviewed-on: https://chromium-review.googlesource.com/1208133
Reviewed-by: Abdul Syed <abdulsyed@google.com>
Cr-Commit-Position: refs/branch-heads/3538@{#65}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}

[modify] https://crrev.com/ee2046e114189f99a54dccbc51c9ae72ed2a82aa/third_party/blink/renderer/platform/graphics/video_frame_submitter.cc
Sep 7
Sep 18