Issue 902605

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Jan 12
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug




Null-dereference READ in GURL::spec

Reported by ClusterFuzz (Project Member), Nov 7

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5093988954275840

Fuzzer: libFuzzer_appcache_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000028
Crash State:
  GURL::spec
  content::AppCacheHost::FinishCacheSelection
  content::AppCacheStorageImpl::LoadCache
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=605701:605713

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5093988954275840

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Comment 1 by ClusterFuzz (Project Member), Nov 7

Components: Blink>Storage>AppCache
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 2 by ClusterFuzz (Project Member), Nov 7

Cc: mmoroz@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add the ClusterFuzz-Wrong label.
Comment 3 by ClusterFuzz (Project Member), Nov 7

Labels: Test-Predator-Auto-Owner
Owner: mmoroz@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/f83007304ba201e3a0ee9eaf198d369aa48f6090 (Add appcache_fuzzer).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: nedwilli...@gmail.com jsb...@chromium.org
Owner: pwnall@chromium.org
CC'ing Ned (author of the fuzzer) and assigning to Victor (AppCache OWNER).
Comment 5 by ClusterFuzz (Project Member), Nov 8

Labels: OS-Windows
Comment 6 by ClusterFuzz (Project Member), Nov 8

Labels: OS-Mac
Comment 7 by ClusterFuzz (Project Member), Dec 1

Labels: -Reproducible Unreproducible
ClusterFuzz testcase 5093988954275840 appears to be flaky, updating reproducibility label.
Labels: -Unreproducible Reproducible
Please ignore the last comment about the testcase being unreproducible. The testcase is still reproducible. This happened due to a code refactoring on the ClusterFuzz side, and the underlying root cause is now fixed. Resetting the label back to Reproducible. Sorry about the inconvenience caused by these incorrect notifications.
Comment 9 by ClusterFuzz (Project Member), Dec 6

Labels: OS-Chrome
Comment 10 by ClusterFuzz (Project Member), Dec 25

Labels: M-73 Fuzz-Blocker ReleaseBlock-Beta
This crash occurs very frequently on the Windows platform and is likely preventing the fuzzer appcache_fuzzer from making much progress. Fixing this will allow more bugs to be found.

Marking this bug as a blocker for next Beta release.

If this is incorrect, please add the ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.
Friendly ping for an update from pwnall@ as this is marked as Beta blocker.
Please take a look at this issue marked as M-73/Beta blocker and provide an update.
Is there any update on this? Please review the Beta blocker and adjust if this should not be blocking for M-73. 
Labels: -ReleaseBlock-Beta
Removing ReleaseBlock-Beta - this is reported by our fuzzing infrastructure, not necessarily seen in the wild. Also not new - just found by a new fuzzer. If we had crash reports from the field it'd be a different story.

(Needs a fix, and yay fuzzers, but not a blocker based on the data we have)
Cc: mek@chromium.org
Looks the same as issue 917827 and issue 918233.
Cc: -mek@chromium.org pwnall@chromium.org
Owner: mek@chromium.org
Comment 17 by ClusterFuzz (Project Member), Jan 12

ClusterFuzz has detected this issue as fixed in range 622247:622250.

Detailed report: https://clusterfuzz.com/testcase?key=5093988954275840

Fuzzer: libFuzzer_appcache_fuzzer
Fuzz target binary: appcache_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000028
Crash State:
  GURL::spec
  content::AppCacheHost::FinishCacheSelection
  content::AppCacheStorageImpl::LoadCache
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=605701:605713
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=622247:622250

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5093988954275840

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 18 by ClusterFuzz (Project Member), Jan 12

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5093988954275840 is verified as fixed, so closing the issue as verified.

If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
