Null-dereference READ in blink::WebViewImpl::GetURLForDebugTrace |
||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5691395681288192 Fuzzer: puzzor Job Type: mac_asan_chrome Platform Id: mac Crash Type: Null-dereference READ Crash Address: 0x000000000000 Crash State: blink::WebViewImpl::GetURLForDebugTrace blink::WebViewImpl::GetURLForDebugTrace content::RenderWidget::DoRequestNewLayerTreeFrameSink Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=616468:616501 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5691395681288192 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Dec 14
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
,
Dec 14
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/f51754379ee4b2d22db968d0c8ea21754b300246 (Remove conditional check to avoid crash when main frame is detached). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Dec 14
,
Dec 17
,
Dec 17
For reference, the very long repro command I'm currently using: ASAN_OPTIONS="print_summary=1:handle_sigill=1:print_suppressions=0:strict_memcmp=0:allow_user_segv_handler=0:replace_intrin=1:allocator_may_return_null=1:use_sigaltstack=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=1:alloc_dealloc_mismatch=0:detect_leaks=0:print_scariness=1:max_uar_stack_size_log=16:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=0:detect_odr_violation=0:symbolize=0:handle_segv=1:fast_unwind_on_fatal=1" testing/xvfb.py out/cf/chrome --user-data-dir=/b/tmp/user_profile_0 --enable-logging=stderr --v=1 --disable-in-process-stack-traces --ignore-gpu-blacklist --allow-file-access-from-files --disable-gesture-requirement-for-media-playback --disable-click-to-play --disable-hang-monitor --dns-prefetch-disable --disable-default-apps --disable-component-update --safebrowsing-disable-auto-update --metrics-recording-only --disable-gpu-watchdog --disable-metrics --disable-popup-blocking --disable-prompt-on-repost --enable-experimental-extension-apis --enable-extension-apps --js-flags="--expose-gc --verify-heap" --new-window --no-default-browser-check --no-first-run --no-process-singleton-dialog --enable-shadow-dom --enable-media-stream --use-fake-device-for-media-stream --use-fake-ui-for-media-stream --disable-breakpad --use-gl=any testcases/clusterfuzz-testcase-5691395681288192/fuzz-308.html
,
Dec 17
,
Dec 18
OK so after a bunch of logging, it looks like this is what's happening: 1. Navigation to a cross-process frame is in progress. We create a speculative RFH. 2. The speculative renderer commits and swaps in the RFH and notifies the browser of swap in. 3. *Before* the browser hears about the swap in message, we begin another navigation in the current RFH. 4. Since the navigation uses the current RFH, we discard the speculative RFH. However, since the speculative RFH has already swapped in in the renderer... The ideal solution would be to have CommitNavigation() update the navigation state immediately in the browser, rather than waiting to hear back from the renderer, but that is not easy...
,
Dec 28
ClusterFuzz testcase 5691395681288192 appears to be flaky, updating reproducibility label. |
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by ClusterFuzz
, Dec 14