Null-dereference READ in bool IPC::MessageT<FrameHostMsg_Detach_Meta, std::__1::tuple<>, void>::Dispatch<
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5184212912832512

Fuzzer: ipc_fuzzer_mut
Job Type: linux_asan_chrome_ipc
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000108
Crash State:
  bool IPC::MessageT<FrameHostMsg_Detach_Meta, std::__1::tuple<>, void>::Dispatch<
  content::RenderFrameHostImpl::OnMessageReceived
  IPC::ChannelProxy::Context::OnDispatchMessage

Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5184212912832512

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Nov 13
Arthur, can you please see if this is related to your r606036 for issue 609963, which landed close to when this was filed? Maybe the problem is that if a renderer unexpectedly sends the detach IPC for a main frame, previously RFHI::OnDetach() was able to handle that gracefully (https://cs.chromium.org/chromium/src/content/browser/frame_host/frame_tree.cc?l=241&rcl=0197d39377877cf4ca694ce8473c64727c0c0724), but after r606036 the browser process crashes?
Nov 13
Okay, I will take a look. I have some issues making the IPCFuzzer work for the moment (see bug 904773).
Nov 20
I can reproduce. I am taking a look.
Nov 20
I verified that this is caused by r606036. I don't really understand the stack trace.

FYI, the sequence of IPCs is:
(renderer killed)
FrameHostMsg_DidFinishDocumentLoad
FrameHostMsg_DidFinishLoad
(renderer killed)
FrameHostMsg_DidFinishLoad
FrameHostMsg_DidChangeLoadProgress
FrameHostMsg_DidStopLoading
(renderer killed)
FrameHostMsg_Detach
Nov 22
Okay, it was straightforward. RFH::OnDetach is not called on the main frame, but the IPC fuzzer tried. Pending CL: https://chromium-review.googlesource.com/c/chromium/src/+/1348449/
Nov 26
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ff08d3a3fe93a3508dbe6dda34f99fa3e639b833

commit ff08d3a3fe93a3508dbe6dda34f99fa3e639b833
Author: Arthur Sonzogni <arthursonzogni@chromium.org>
Date: Mon Nov 26 11:34:43 2018

Fix RenderFrameHostImpl::OnDetach() for IPC fuzzer.

RenderFrameHostImpl::OnDetach() is not expected to be called for the main frame. |parent| was not checked. It used to be checked in FrameTree::RemoveFrame, but this function is no longer used in OnDetach.

Bug: 902964
Change-Id: I8ec758dfcc7a382f3d3ec6554ea94ad857c5a6e3
Reviewed-on: https://chromium-review.googlesource.com/c/1348449
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#610816}

[modify] https://crrev.com/ff08d3a3fe93a3508dbe6dda34f99fa3e639b833/content/browser/bad_message.h
[modify] https://crrev.com/ff08d3a3fe93a3508dbe6dda34f99fa3e639b833/content/browser/frame_host/render_frame_host_impl.cc
[modify] https://crrev.com/ff08d3a3fe93a3508dbe6dda34f99fa3e639b833/tools/metrics/histograms/enums.xml
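As an added illustration that is not part of this bug thread or of Chromium's code, a minimal model of the invariant the fix above restores: the Detach handler must check |parent| before dereferencing it, because a compromised or fuzzed renderer can send the message for the main frame, and the browser process must reject that as a bad message rather than crash. Frame, DetachResult, EraseChild, OnDetachUnchecked, OnDetachChecked and DetachScenario are hypothetical names, not Chromium's.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

// Hypothetical stand-ins (not Chromium's): Frame for a RenderFrameHost /
// FrameTreeNode, DetachResult for the bad_message outcome.
enum class DetachResult { kDetached, kBadMessageMainFrame };

struct Frame {
  Frame* parent = nullptr;  // null only for the main frame
  std::vector<std::unique_ptr<Frame>> children;

  Frame* AddChild() {
    children.push_back(std::make_unique<Frame>());
    children.back()->parent = this;
    return children.back().get();
  }
};

// Unlinks |frame| from |parent|; dereferences |parent| unconditionally.
static bool EraseChild(Frame* parent, Frame* frame) {
  auto& kids = parent->children;
  auto it = std::find_if(kids.begin(), kids.end(),
      [frame](const std::unique_ptr<Frame>& c) { return c.get() == frame; });
  if (it == kids.end()) return false;
  kids.erase(it);
  return true;
}

// "Before" shape: trusts the renderer and passes frame->parent straight
// through. For the main frame that is a null-dereference READ in the browser.
void OnDetachUnchecked(Frame* frame) { EraseChild(frame->parent, frame); }

// Hardened shape: a Detach for a frame without a parent cannot be legitimate
// (the main frame is never detached this way), so report a bad message and
// return before touching the tree. In Chromium the bad_message path
// terminates the sending renderer instead of crashing the browser.
DetachResult OnDetachChecked(Frame* frame) {
  if (frame->parent == nullptr) return DetachResult::kBadMessageMainFrame;
  EraseChild(frame->parent, frame);
  return DetachResult::kDetached;
}

std::size_t ChildCount(const Frame& f) { return f.children.size(); }

// Two-frame tree: the main-frame Detach is rejected and leaves the tree
// untouched; the child Detach succeeds. Returns true when both hold.
bool DetachScenario() {
  Frame root;
  Frame* child = root.AddChild();
  bool rejected = OnDetachChecked(&root) == DetachResult::kBadMessageMainFrame &&
                  ChildCount(root) == 1;
  bool detached = OnDetachChecked(child) == DetachResult::kDetached &&
                  ChildCount(root) == 0;
  return rejected && detached;
}
```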
Nov 27
ClusterFuzz has detected this issue as fixed in range 610813:610819.

Detailed report: https://clusterfuzz.com/testcase?key=5184212912832512

Fuzzer: ipc_fuzzer_mut
Job Type: linux_asan_chrome_ipc
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000108
Crash State:
  bool IPC::MessageT<FrameHostMsg_Detach_Meta, std::__1::tuple<>, void>::Dispatch<
  content::RenderFrameHostImpl::OnMessageReceived
  IPC::ChannelProxy::Context::OnDispatchMessage

Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=610813:610819

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5184212912832512

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 27
ClusterFuzz testcase 5184212912832512 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Nov 7
Labels: Test-Predator-Auto-Components