Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Jan 12
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Issue 917827: CHECK failure: first_party_url_initialized_ in appcache_host.cc

Reported by ClusterFuzz, Dec 26 Project Member

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4593609204301824

Fuzzer: libFuzzer_appcache_fuzzer
Fuzz target binary: appcache_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  first_party_url_initialized_ in appcache_host.cc
  content::AppCacheHost::SelectCache
  content::AppCacheBackendImpl::SelectCache
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4593609204301824

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
 

Comment 1 by ClusterFuzz, Dec 26

Project Member
Components: Blink>Storage>AppCache
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz, Dec 26

Project Member
Cc: mmoroz@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Comment 3 by mmoroz@chromium.org, Dec 26

Cc: nedwill@google.com jsb...@chromium.org
Owner: pwnall@chromium.org
Status: Assigned (was: Untriaged)

Comment 4 by mek@chromium.org, Jan 2

(for background) this is the same as (some of) the clusterfuzz bugs that were merged into 843797; in that bug I fixed the non-clusterfuzz case that the bug started with, but I had no idea if that fix would also help for all the various clusterfuzz bugs that just happened to hit the same DCHECK. And I'm not surprised that apparently they didn't.

Comment 5 by pwnall@chromium.org, Jan 11

Cc: pwnall@chromium.org
Owner: mek@chromium.org
mek@: Can you please continue the investigation here?

Comment 6 by bugdroid1@chromium.org, Jan 12

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3cd9c072cec9cef3357ac2d7cf95010ef5bade24

commit 3cd9c072cec9cef3357ac2d7cf95010ef5bade24
Author: Marijn Kruisselbrink <mek@chromium.org>
Date: Sat Jan 12 01:24:26 2019

[AppCache] ReportBadMessage rather than DCHECK for first_party_url_ check.

If first_party_url_ hasn't been initialized when SelectCache is called it
means the renderer is somehow trying to select a Cache for a main resource
that was never actually fetched. That is only possible if the renderer is
misbehaving, so return false to trigger a mojo::ReportBadMessage.

Bug:  917827 
Change-Id: I9c02a6ea4ea328c736f24cf2b2666363192de03f
Reviewed-on: https://chromium-review.googlesource.com/c/1407910
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Reviewed-by: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#622250}
[modify] https://crrev.com/3cd9c072cec9cef3357ac2d7cf95010ef5bade24/content/browser/appcache/appcache_host.cc
[modify] https://crrev.com/3cd9c072cec9cef3357ac2d7cf95010ef5bade24/content/browser/appcache/appcache_host.h
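
The commit message above describes a general hardening pattern: a precondition that a renderer can violate must not be enforced with a DCHECK/CHECK in the browser process (a fuzzer or a compromised renderer then turns it into a browser crash); it is validated as untrusted input and a failed check is reported as a bad message. The following is an added illustration of that pattern, not the Chromium change itself: `AppCacheHostModel`, its single-argument `SelectCache`, `HandleSelectCache` and the `ReportBadMessage` stand-in (which records the reason instead of killing a renderer process, as `mojo::ReportBadMessage` does) are simplifications assumed for the example.

```cpp
// Added example (not Chromium code): the DCHECK-to-ReportBadMessage pattern
// from the commit message, modelled with simplified stand-in types.
#include <cstddef>
#include <string>
#include <vector>

// Assumed stand-in for mojo::ReportBadMessage. The real call terminates the
// misbehaving renderer; this one just records the reason so the behaviour can
// be observed offline.
static std::vector<std::string> g_bad_messages;

void ReportBadMessage(const std::string& reason) {
  g_bad_messages.push_back(reason);
}

std::size_t BadMessageCount() { return g_bad_messages.size(); }

void ResetBadMessages() { g_bad_messages.clear(); }

// Minimal model of an AppCache host. first_party_url_ is set by the browser
// process when it starts fetching the host's main resource; only after that
// may the renderer legitimately ask to select a cache for that resource.
class AppCacheHostModel {
 public:
  // Browser-side: called when the main resource request is actually issued.
  void SetFirstPartyUrl(const std::string& first_party_url) {
    first_party_url_ = first_party_url;
    first_party_url_initialized_ = true;
  }

  // Renderer-driven: the renderer asks to select a cache for document_url.
  // Before the fix this began with DCHECK(first_party_url_initialized_), so a
  // renderer sending SelectCache for a never-fetched main resource took the
  // browser down (the CHECK failure in the report). After the fix the
  // condition is treated as renderer input: return false and let the caller
  // report a bad message.
  bool SelectCache(const std::string& document_url) {
    if (!first_party_url_initialized_) {
      return false;  // renderer-controlled precondition, never a DCHECK
    }
    selected_document_url_ = document_url;
    return true;
  }

  const std::string& selected_document_url() const {
    return selected_document_url_;
  }

 private:
  std::string first_party_url_;
  bool first_party_url_initialized_ = false;
  std::string selected_document_url_;
};

// Assumed backend-side dispatcher (stand-in for the IPC handler): a false
// return from the host means the renderer sent a malformed message.
bool HandleSelectCache(AppCacheHostModel& host, const std::string& document_url) {
  if (!host.SelectCache(document_url)) {
    ReportBadMessage("AppCacheHost::SelectCache before main resource fetch");
    return false;
  }
  return true;
}

int main() {
  AppCacheHostModel host;
  // Out-of-order request: formerly a CHECK failure, now a recorded bad message.
  bool early = HandleSelectCache(host, "https://example.test/app.html");
  // Well-formed sequence: main resource fetched first, then cache selection.
  host.SetFirstPartyUrl("https://example.test/");
  bool ok = HandleSelectCache(host, "https://example.test/app.html");
  return (!early && ok && BadMessageCount() == 1) ? 0 : 1;
}
```

The important design point is where the decision lives: the host method only reports whether the request was valid, and the layer that owns the IPC channel decides what a rejected request means (here, a bad message from the renderer). Keeping crash-on-failure assertions for invariants the browser process itself controls, and returning an error for anything a renderer can influence, is what turns a fuzzer-found CHECK failure into a contained rejection.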

Comment 7 by mek@chromium.org, Jan 12

Status: Fixed (was: Assigned)

Comment 8 by ClusterFuzz, Jan 12

Project Member
ClusterFuzz has detected this issue as fixed in range 621021:621022.

Detailed report: https://clusterfuzz.com/testcase?key=4593609204301824

Fuzzer: libFuzzer_appcache_fuzzer
Fuzz target binary: appcache_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  first_party_url_initialized_ in appcache_host.cc
  content::AppCacheHost::SelectCache
  content::AppCacheBackendImpl::SelectCache
  
Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=621021:621022

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4593609204301824

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by ClusterFuzz, Jan 12

Project Member
Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4593609204301824 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
