UserAgent: Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
Steps to reproduce the problem:
While fuzzing Chrome 71.0.3578.98 (x64) with Domato, this null pointer dereference and crash was caught. I've attached the report generated during the crash which contains stack and register information, plus the testcases that were created by Domato.
What is the expected behavior?
No crash.
What went wrong?
chrome.dll!base::win::`anonymous namespace'::ForceCrashOnSigAbort (id: 4a0) [[C:\b\c\b\win64_clang\src\base\win\win_util.cc @ 87]]
chrome.dll!raise + 0x22B (id: 090) [[C:\b\c\b\win64_clang\src\out\Release_x64\minkernel\crts\ucrt\src\appcrt\misc\signal.cpp @ 547]]
chrome.dll!abort + 0x18 [[C:\b\c\b\win64_clang\src\out\Release_x64\minkernel\crts\ucrt\src\appcrt\startup\abort.cpp @ 71]]
chrome.dll!sk_abort_no_print + 0x15 [[C:\b\c\b\win64_clang\src\skia\ext\SkMemory_new_handler.cpp @ 41]]
chrome.dll!viz::SoftwareRenderer::AllocateRenderPassResourceIfNeeded + 0x170 [[C:\b\c\b\win64_clang\src\components\viz\service\display\software_renderer.cc @ 828]]
chrome.dll!viz::DirectRenderer::UseRenderPass + 0x141 [[C:\b\c\b\win64_clang\src\components\viz\service\display\direct_renderer.cc @ 705]]
chrome.dll!viz::DirectRenderer::DrawRenderPass + 0x8D [[C:\b\c\b\win64_clang\src\components\viz\service\display\direct_renderer.cc @ 550]]
chrome.dll!viz::DirectRenderer::DrawRenderPassAndExecuteCopyRequests + 0xCB [[C:\b\c\b\win64_clang\src\components\viz\service\display\direct_renderer.cc @ 526]]
chrome.dll!viz::DirectRenderer::DrawFrame + 0x6B0 [[C:\b\c\b\win64_clang\src\components\viz\service\display\direct_renderer.cc @ 356]]
chrome.dll!viz::Display::DrawAndSwap + 0x5FA [[C:\b\c\b\win64_clang\src\components\viz\service\display\display.cc @ 402]]
chrome.dll!viz::DisplayScheduler::AttemptDrawAndSwap + ? (the exact offset is not known) [[C:\b\c\b\win64_clang\src\components\viz\service\display\display_scheduler.cc @ 213]]
chrome.dll!viz::DisplayScheduler::OnBeginFrameDeadline + 0x46 [[C:\b\c\b\win64_clang\src\components\viz\service\display\display_scheduler.cc @ 502]]
chrome.dll!base::debug::TaskAnnotator::RunTask + 0x120 [[C:\b\c\b\win64_clang\src\base\debug\task_annotator.cc @ 99]]
chrome.dll!base::MessageLoop::RunTask + 0xDF [[C:\b\c\b\win64_clang\src\base\message_loop\message_loop.cc @ 436]]
chrome.dll!base::MessageLoop::DoWork + 0x185 [[C:\b\c\b\win64_clang\src\base\message_loop\message_loop.cc @ 517]]
chrome.dll!base::MessagePumpForUI::DoRunLoop + 0xA9 [[C:\b\c\b\win64_clang\src\base\message_loop\message_pump_win.cc @ 180]]
chrome.dll!base::MessagePumpWin::Run + 0x4E [[C:\b\c\b\win64_clang\src\base\message_loop\message_pump_win.cc @ 54]]
chrome.dll!base::RunLoop::Run + 0x31 [[C:\b\c\b\win64_clang\src\base\run_loop.cc @ 108]]
chrome.dll!ChromeBrowserMainParts::MainMessageLoopRun + 0x84 [[C:\b\c\b\win64_clang\src\chrome\browser\chrome_browser_main.cc @ 1907]]
chrome.dll!content::BrowserMainLoop::RunMainMessageLoopParts + 0x48 [[C:\b\c\b\win64_clang\src\content\browser\browser_main_loop.cc @ 1000]]
chrome.dll!content::BrowserMainRunnerImpl::Run + 0x11 [[C:\b\c\b\win64_clang\src\content\browser\browser_main_runner_impl.cc @ 166]]
chrome.dll!content::BrowserMain + 0xC6 [[C:\b\c\b\win64_clang\src\content\browser\browser_main.cc @ 47]]
chrome.dll!content::RunBrowserProcessMain + 0x6F [[C:\b\c\b\win64_clang\src\content\app\content_main_runner_impl.cc @ 535]]
chrome.dll!content::ContentMainRunnerImpl::Run + 0x2F0 [[C:\b\c\b\win64_clang\src\content\app\content_main_runner_impl.cc @ 0]]
chrome.dll!service_manager::Main + 0x333 [[C:\b\c\b\win64_clang\src\services\service_manager\embedder\main.cc @ 472]]
chrome.dll!content::ContentMain + 0x3E [[C:\b\c\b\win64_clang\src\content\app\content_main.cc @ 19]]
chrome.dll!ChromeMain + 0x118 [[C:\b\c\b\win64_clang\src\chrome\app\chrome_main.cc @ 0]]
chrome.exe!MainDllLoader::Launch + 0x26C [[C:\b\c\b\win64_clang\src\chrome\app\main_dll_loader_win.cc @ 201]]
chrome.exe!wWinMain + 0x5F0 [[C:\b\c\b\win64_clang\src\chrome\app\chrome_exe_main_win.cc @ 229]]
chrome.exe!__scrt_common_main_seh + 0x106 [[f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 283]]
KERNEL32.DLL!BaseThreadInitThunk + 0x14
ntdll.dll!RtlUserThreadStart + 0x21
Crashed report ID: N/A
How much crashed? Whole browser
Is it a problem with a plugin? No
Did this work before? Yes Don't know.
Chrome version: 71.0.3578.98 (x64) Channel: stable
OS Version: Enterprise 10 (Build 17134.rs4_release.180410-1804)
Flash Version: N/A
Command line arguments:
'--enable-experimental-accessibility-features', '--enable-experimental-canvas-features', '--enable-experimental-input-view-features', '--enable-experimental-web-platform-features', '--enable-logging=stdout', '--enable-usermedia-screen-capturing', '--enable-viewport', '--enable-webgl-draft-extensions', '--enable-webvr', '--expose-internals-for-testing', '--disable-popup-blocking', '--disable-prompt-on-repost', '--force-renderer-accessibility', '--javascript-harmony', '--js-flags="--expose-gc"', '--no-sandbox', 'file://C:\\Fuzzing\\Tests\\index.html'
|
Deleted:
_____AVW_____NUL.zip
2.1 MB
|
Comment 1 by rbasuvula@google.com
, Jan 3Labels: Needs-Triage-M71 Needs-Feedback