
Issue 899459


Issue metadata

Status: Fixed
Owner:
Closed: Nov 7
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug

Null-dereference READ in ash::WindowSelectorItem::UpdateMaskAndShadow

Project Member Reported by ClusterFuzz, Oct 27

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5769336084758528

Fuzzer: attekett_webaudio_fuzzer
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x0000000000f0
Crash State:
  ash::WindowSelectorItem::UpdateMaskAndShadow
  ash::WindowSelector::UpdateMaskAndShadow
  ui::LayerAnimationObserver::DetachedFromSequence
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=603287:603288

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5769336084758528

Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Oct 27

Components: UI>Shell>WindowManager
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Oct 27

Labels: Test-Predator-Auto-Owner
Owner: sammiequon@google.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/c7fab70753074d8f48bdaa30c6058a78b3a277ea (overview: Apply mask after animations done.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Owner: sammiequon@chromium.org
Project Member

Comment 4 by bugdroid1@chromium.org, Oct 31

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bc23ed2a4b3c2c87a704c5662734c214fb1287f1

commit bc23ed2a4b3c2c87a704c5662734c214fb1287f1
Author: Sammie Quon <sammiequon@google.com>
Date: Wed Oct 31 20:42:17 2018

overview: Speculative fix for clusterfuzz issue.

Could not repro the issue but based on the stack trace, looks like post
animation code is running after window is destroyed, so stop observing
animations when object is destroyed.

Test: none
Bug: 899459
Change-Id: Ia1ec07057281c91aaa390ab90df28910fa74aaac
Reviewed-on: https://chromium-review.googlesource.com/c/1308610
Reviewed-by: Xiaoqian Dai <xdai@chromium.org>
Commit-Queue: Sammie Quon <sammiequon@chromium.org>
Cr-Commit-Position: refs/heads/master@{#604372}
[modify] https://crrev.com/bc23ed2a4b3c2c87a704c5662734c214fb1287f1/ash/wm/overview/scoped_transform_overview_window.cc

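The commit message above describes the lifetime bug behind this crash: an object registered itself as an animation observer, was destroyed while the animation was still running, and the post-animation callback was then delivered to the dead object. The following is an added example, not Chromium code and not the contents of the referenced CL; `AnimationSequence`, `AnimationObserver`, `LeakyItem` and `SafeItem` are hypothetical stand-ins for the ui::LayerAnimationSequence / ui::LayerAnimationObserver pattern. It contrasts an observer that never unregisters (leaving a dangling pointer in the sequence's observer list) with one that detaches in its destructor, which is the shape of the "stop observing animations when object is destroyed" fix. The leaky variant's dangling pointer is counted but deliberately never dereferenced.

```cpp
#include <algorithm>
#include <cstddef>
#include <iostream>
#include <vector>

// Hypothetical stand-in for an animation observer interface.
class AnimationObserver {
 public:
  virtual ~AnimationObserver() = default;
  virtual void OnAnimationEnded() = 0;
};

// Hypothetical stand-in for an animation sequence. It holds raw observer
// pointers and, when the animation ends, calls through every pointer that is
// still registered. A destroyed observer that never unregistered is therefore
// reached via a dangling pointer (the null/garbage read seen in the report).
class AnimationSequence {
 public:
  void AddObserver(AnimationObserver* o) { observers_.push_back(o); }
  void RemoveObserver(AnimationObserver* o) {
    observers_.erase(std::remove(observers_.begin(), observers_.end(), o),
                     observers_.end());
  }
  std::size_t observer_count() const { return observers_.size(); }
  void NotifyEnded() {
    // Copy first so an observer removing itself during the callback is safe.
    std::vector<AnimationObserver*> snapshot(observers_);
    for (AnimationObserver* o : snapshot) o->OnAnimationEnded();
  }

 private:
  std::vector<AnimationObserver*> observers_;
};

// Buggy shape: registers in the constructor, never unregisters. After this
// object dies the sequence still holds a pointer to it.
class LeakyItem : public AnimationObserver {
 public:
  explicit LeakyItem(AnimationSequence* seq) { seq->AddObserver(this); }
  void OnAnimationEnded() override { ++ended_; }
  int ended() const { return ended_; }

 private:
  int ended_ = 0;
};

// Fixed shape: the destructor detaches from the sequence, so no callback can
// be delivered after destruction.
class SafeItem : public AnimationObserver {
 public:
  explicit SafeItem(AnimationSequence* seq) : seq_(seq) { seq_->AddObserver(this); }
  ~SafeItem() override { seq_->RemoveObserver(this); }
  void OnAnimationEnded() override { ++ended_; }
  int ended() const { return ended_; }

 private:
  AnimationSequence* seq_;
  int ended_ = 0;
};

// Observers left registered after a LeakyItem is destroyed. The pointer is
// only counted, never called, because calling it would be a use-after-free.
std::size_t DanglingAfterLeakyDestroy() {
  AnimationSequence seq;
  { LeakyItem item(&seq); }
  return seq.observer_count();  // 1: dangling pointer remains
}

// Observers left registered after a SafeItem is destroyed; notifying the
// sequence afterwards is harmless because the list is empty.
std::size_t DanglingAfterSafeDestroy() {
  AnimationSequence seq;
  { SafeItem item(&seq); }
  seq.NotifyEnded();
  return seq.observer_count();  // 0
}

// The fixed item still receives callbacks while it is alive.
int CallbacksWhileAlive() {
  AnimationSequence seq;
  SafeItem item(&seq);
  seq.NotifyEnded();
  seq.NotifyEnded();
  return item.ended();  // 2
}

int main() {
  std::cout << "dangling after leaky destroy: " << DanglingAfterLeakyDestroy() << "\n";
  std::cout << "dangling after safe destroy:  " << DanglingAfterSafeDestroy() << "\n";
  std::cout << "callbacks while alive:        " << CallbacksWhileAlive() << "\n";
  return 0;
}
```

Under ASan the leaky shape surfaces as a heap-use-after-free once `NotifyEnded()` runs, or as a null/wild read when the freed memory has been reused, which matches the flaky reproduction noted in the report: the crash only occurs if the animation happens to finish after the item is gone.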
Project Member

Comment 5 by ClusterFuzz, Nov 1

Labels: -Reproducible Unreproducible
ClusterFuzz testcase 5769336084758528 appears to be flaky, updating reproducibility label.
Status: Fixed (was: Assigned)
This must be fixed by my CL. Closing.
