Null-dereference READ in /usr/lib/libc++.1.dylib:x86_64
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5689843520372736
Fuzzer: inferno_twister_c
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  /usr/lib/libc++.1.dylib:x86_64
  /usr/lib/libc++.1.dylib:x86_64
  base::StringAppendV
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=599442:599463
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5689843520372736

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Jan 8
Unable to provide a possible suspect using Predator, CL and Code Search. Could someone please look into the issue? Thank you.
Jan 11
Stack trace:
==65498==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000100c262c0 bp 0x7fff5f0bc1a0 sp 0x7fff5f0bc130 T0)
==65498==The signal is caused by a READ memory access.
==65498==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0x100c262bf in __sanitizer_cov_pcs_init
#1 0x100c2619b in __sanitizer_cov_pcs_init
#2 0x100baa74c in libclang_rt.asan_osx_dynamic.dylib:x86_64
#3 0x100baaefd in libclang_rt.asan_osx_dynamic.dylib:x86_64
#4 0x100c1283c in __sanitizer_finish_switch_fiber
#5 0x10ecd6cac in base::SequenceLocalStorageSlot<mojo::internal::MessageDispatchContext*, std::__1::default_delete<mojo::internal::MessageDispatchContext*> >::Set(mojo::internal::MessageDispatchContext*) base/threading/sequence_local_storage_slot.h:86:20
#6 0x10ecd6cac in mojo::internal::MessageDispatchContext::MessageDispatchContext(mojo::Message*) mojo/public/cpp/bindings/lib/message.cc:528
#7 0x1053aebf0 in chrome::mojom::RendererConfigurationStubDispatch::Accept(chrome::mojom::RendererConfiguration*, mojo::Message*) gen/chrome/common/renderer_configuration.mojom.cc:345:46
#8 0x10ec9d007 in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:423:32
#9 0x1104663ef in IPC::(anonymous namespace)::ChannelAssociatedGroupController::AcceptOnProxyThread(mojo::Message) ipc/ipc_mojo_bootstrap.cc:877:24
#10 0x11045eeef in void base::internal::FunctorTraits<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message), void>::Invoke<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message), scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController> const&, mojo::Message>(void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message), scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController> const&, mojo::Message&&) base/bind_internal.h:516:12
#11 0x11045eeef in void base::internal::InvokeHelper<false, void>::MakeItSo<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::* const&)(mojo::Message), scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController> const&, mojo::Message>(void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::* const&)(mojo::Message), scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController> const&, mojo::Message&&) base/bind_internal.h:616
#12 0x11045eeef in void base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message), scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, base::internal::PassedWrapper<mojo::Message> >, void ()>::RunImpl<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::* const&)(mojo::Message), std::__1::tuple<scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, base::internal::PassedWrapper<mojo::Message> > const&, 0ul, 1ul>(void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::* const&)(mojo::Message), std::__1::tuple<scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, base::internal::PassedWrapper<mojo::Message> > const&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) base/bind_internal.h:689
#13 0x11045eeef in base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message), scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, base::internal::PassedWrapper<mojo::Message> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:671
#14 0x10e887d03 in base::OnceCallback<void ()>::Run() && base/callback.h:99:12
#15 0x10e887d03 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:99
#16 0x10ea3e3f0 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::TimeTicks*) base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:255:21
#17 0x10e8ffd1b in base::MessagePumpCFRunLoopBase::RunWork() base/message_loop/message_pump_mac.mm:487:30
#18 0x10e8ca7d9 in base::mac::CallWithEHFrame(void () block_pointer)
#19 0x10e8fdf00 in base::MessagePumpCFRunLoopBase::RunWorkSource(void*) base/message_loop/message_pump_mac.mm:461:3
#20 0x7fff9e1de880 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
#21 0x7fff9e1bdfbb in __CFRunLoopDoSources0
#22 0x7fff9e1bd4de in __CFRunLoopRun
#23 0x7fff9e1bced7 in CFRunLoopRunSpecific
#24 0x7fff8afd0ed8 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]
#25 0x10e9019ca in base::MessagePumpNSRunLoop::DoRun(base::MessagePump::Delegate*) base/message_loop/message_pump_mac.mm:765:5
#26 0x10e8fc55a in base::MessagePumpCFRunLoopBase::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_mac.mm:185:3
#27 0x10ea3fc96 in base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool) base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:353:12
#28 0x10ea3fc96 in non-virtual thunk to base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::Run(bool) base/task/sequence_manager/thread_controller_with_message_pump_impl.cc:0
#29 0x10e99384f in base::RunLoop::Run() base/run_loop.cc:150:14
#30 0x120b7f88e in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:233:16
#31 0x10d7abd4c in content::ContentMainRunnerImpl::Run(bool) content/app/content_main_runner_impl.cc:871:10
#32 0x117213fa2 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:461:29
#33 0x10d7a9253 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
#34 0x104725ade in ChromeMain chrome/app/chrome_main.cc:102:12
#35 0x100b40406 in main chrome/app/chrome_exe_main_mac.cc:101:8
#36 0x7fff9a6a25ac in start
Jan 11
This stack trace is hard to understand, but it looks like something is going wrong inside mojo's MessageDispatchContext::MessageDispatchContext?
Yesterday (38 hours ago)
ClusterFuzz has detected this issue as fixed in range 624528:624533.

Detailed report: https://clusterfuzz.com/testcase?key=5689843520372736
Fuzzer: inferno_twister_c
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  /usr/lib/libc++.1.dylib:x86_64
  /usr/lib/libc++.1.dylib:x86_64
  base::StringAppendV
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=599442:599463
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=624528:624533
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5689843520372736

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Yesterday (38 hours ago)
ClusterFuzz testcase 5689843520372736 is verified as fixed, so closing issue as verified. If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Dec 20
Labels: Test-Predator-Auto-Components