Null-dereference READ in content::FileSystemManagerImpl::Cancel
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5637718019932160

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000058
Crash State:
  content::FileSystemManagerImpl::Cancel
  content::FileSystemManagerImpl::FileSystemCancellableOperationImpl::Cancel
  blink::mojom::FileSystemCancellableOperationStubDispatch::AcceptWithResponder

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=602103:602140

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5637718019932160

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Oct 26
adithyas: could you take a look at this? I haven't looked too deeply into this, but it looks like FileSystemManagerImpl::Cancel is called while operation_runner_ is null. One possible way I can see that happening is if OnConnectionError was called, which would then have reset operation_runner_. In OnConnectionError we check if bindings_ is empty, but don't do anything with, for example, cancellable_operations_, so those pipes will just remain open and could still attempt to call Cancel() even after the operation runner is set to null.
Oct 27
ClusterFuzz has detected this issue as fixed in range 603124:603150.

Detailed report: https://clusterfuzz.com/testcase?key=5637718019932160

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000058
Crash State:
  content::FileSystemManagerImpl::Cancel
  content::FileSystemManagerImpl::FileSystemCancellableOperationImpl::Cancel
  blink::mojom::FileSystemCancellableOperationStubDispatch::AcceptWithResponder

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=602103:602140
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=603124:603150

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5637718019932160

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 27
ClusterFuzz testcase 5637718019932160 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 6
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/a35bc84e3c5d840c3e724076a2112946727af79a

commit a35bc84e3c5d840c3e724076a2112946727af79a
Author: Adithya Srinivasan <adithyas@chromium.org>
Date: Tue Nov 06 22:26:00 2018

[FileSystem] Clear cancellable_operations after clearing operation_runner

After resetting the operation runner, we should clean up any existing
FileSystemCancellableOperation bindings as they all point to operations
that no longer exist.

Bug: 899146
Change-Id: I70cf4008f64534a1ac22c2ffe507d5b2a9d16208
Reviewed-on: https://chromium-review.googlesource.com/c/1301960
Reviewed-by: Marijn Kruisselbrink <mek@chromium.org>
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#605850}

[modify] https://crrev.com/a35bc84e3c5d840c3e724076a2112946727af79a/content/browser/fileapi/file_system_manager_impl.cc
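The lifecycle problem described in the Oct 26 comment and addressed by the commit above, reduced to a stand-alone model. This is an added example, not Chromium's code: Manager, OperationRunner, CancellableOperation, CancellableRemote and CancelResult are hypothetical stand-ins for FileSystemManagerImpl, operation_runner_, the FileSystemCancellableOperation bindings and the renderer's end of the pipe. The real code dereferenced a null operation_runner_; the model reports that path as CancelResult::kNullRunnerDeref instead of crashing, and represents a closed mojo pipe as an expired weak_ptr (the Cancel message is simply dropped). The `clear_cancellables_on_error` flag selects the pre-fix or post-fix OnConnectionError behaviour.

```cpp
// Added example, not Chromium's code. All names are hypothetical stand-ins.
#include <cassert>
#include <memory>
#include <vector>

enum class CancelResult {
  kCancelled,        // runner alive, operation cancelled normally
  kPipeClosed,       // binding torn down, message dropped (post-fix)
  kNullRunnerDeref,  // pre-fix path: runner_->Cancel() on a null runner
};

// Stand-in for operation_runner_: owns the in-flight file system operations.
struct OperationRunner {
  int cancelled = 0;
  void Cancel(int /*op_id*/) { ++cancelled; }
};

class Manager;

// Stand-in for FileSystemCancellableOperationImpl: one per outstanding op,
// owned by the manager's cancellable_operations_ binding set.
class CancellableOperation {
 public:
  CancellableOperation(Manager* owner, int op_id) : owner_(owner), op_id_(op_id) {}
  CancelResult Cancel();
 private:
  Manager* owner_;
  int op_id_;
};

// Stand-in for the remote end of the cancellable-operation pipe. A weak_ptr
// models a mojo pipe whose receiving end may already have been closed.
class CancellableRemote {
 public:
  explicit CancellableRemote(std::weak_ptr<CancellableOperation> impl) : impl_(std::move(impl)) {}
  CancelResult Cancel() {
    std::shared_ptr<CancellableOperation> impl = impl_.lock();
    if (!impl) return CancelResult::kPipeClosed;  // binding gone: message dropped
    return impl->Cancel();
  }
 private:
  std::weak_ptr<CancellableOperation> impl_;
};

// Stand-in for FileSystemManagerImpl.
class Manager {
 public:
  explicit Manager(bool clear_cancellables_on_error)
      : clear_cancellables_on_error_(clear_cancellables_on_error),
        runner_(std::make_unique<OperationRunner>()) {}

  // Models adding/removing a FileSystemManager binding in bindings_.
  void Bind() { ++bindings_; }
  void Unbind() { --bindings_; OnConnectionError(); }

  // Models handing the renderer a FileSystemCancellableOperation pipe.
  CancellableRemote StartCancellableOperation(int op_id) {
    auto impl = std::make_shared<CancellableOperation>(this, op_id);
    cancellable_operations_.push_back(impl);
    return CancellableRemote(impl);
  }

  // Models FileSystemManagerImpl::Cancel. The real code dereferenced
  // operation_runner_ unconditionally; here the null case is reported.
  CancelResult Cancel(int op_id) {
    if (!runner_) return CancelResult::kNullRunnerDeref;
    runner_->Cancel(op_id);
    return CancelResult::kCancelled;
  }

  size_t live_cancellables() const { return cancellable_operations_.size(); }
  bool has_runner() const { return runner_ != nullptr; }

 private:
  // Models OnConnectionError: once the last manager binding is gone the
  // runner is reset. Pre-fix, cancellable_operations_ was left untouched.
  void OnConnectionError() {
    if (bindings_ > 0) return;
    runner_.reset();
    if (clear_cancellables_on_error_) cancellable_operations_.clear();  // the fix
  }

  bool clear_cancellables_on_error_;
  int bindings_ = 0;
  std::unique_ptr<OperationRunner> runner_;
  std::vector<std::shared_ptr<CancellableOperation>> cancellable_operations_;
};

CancelResult CancellableOperation::Cancel() { return owner_->Cancel(op_id_); }

// The sequence from the fuzzer case: bind, start an op, lose the manager
// binding (runner reset), then Cancel() arrives on the still-open op pipe.
CancelResult ReproduceScenario(bool fixed) {
  Manager manager(fixed);
  manager.Bind();
  CancellableRemote remote = manager.StartCancellableOperation(42);
  manager.Unbind();
  return remote.Cancel();
}

// Control case: cancelling while the manager binding is still alive.
CancelResult CancelWhileBound() {
  Manager manager(true);
  manager.Bind();
  CancellableRemote remote = manager.StartCancellableOperation(7);
  return remote.Cancel();
}
```

With the flag false (pre-fix) the late Cancel() reaches a manager whose runner is already null; with it true (the commit's behaviour) the cancellable binding is dropped together with the runner, so the renderer's message has nowhere to land and is discarded. The general lesson is the one mek's comment points at: whenever a teardown path resets an owner object, every other binding or callback that can reach that owner must be torn down in the same step.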