Null-dereference READ in payments::PaymentRequest::Abort |
||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4864843149213696 Fuzzer: mojo_fuzzer Job Type: linux_asan_chrome_mojo Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000108 Crash State: payments::PaymentRequest::Abort payments::mojom::PaymentRequestStubDispatch::Accept mojo::InterfaceEndpointClient::HandleValidatedMessage Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mojo&range=587406:587417 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4864843149213696 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Sep 1
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/abbe7c9042d2f5eb43711f02db6f6a2253cb7ad8 ([OnionSoup] Move payment_{app,request}.mojom into blink/public/mojom/). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Sep 2
leon.han@: Can you tell which variable is null here?
,
Sep 3
I'm suspecting |state_| is nullptr in payments::PaymentRequest::Abort, which could happen if payments::PaymentRequest::Abort() got called before payments::PaymentRequest::Init() which create |state_|. I checked around the caller side blink::PaymentRequest, seems this scenario is possible: blink::PaymentRequest::PaymentRequest() failed to call Init() due to some exceptions happening before that, then blink::PaymentRequest::abort() called Abort()?
,
Sep 3
Thank you. I will add a null-check.
,
Dec 16
ClusterFuzz has detected this issue as fixed in range 616819:616829. Detailed report: https://clusterfuzz.com/testcase?key=4864843149213696 Fuzzer: mojo_fuzzer Job Type: linux_asan_chrome_mojo Platform Id: linux Crash Type: Null-dereference READ Crash Address: 0x000000000108 Crash State: payments::PaymentRequest::Abort payments::mojom::PaymentRequestStubDispatch::Accept mojo::InterfaceEndpointClient::HandleValidatedMessage Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mojo&range=587406:587417 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mojo&range=616819:616829 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4864843149213696 See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Dec 16
ClusterFuzz testcase 4864843149213696 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
||||
►
Sign in to add a comment |
||||
Comment 1 by ClusterFuzz
, Sep 1Labels: Test-Predator-Auto-Components