An Access Violation exception happened at 0x10 while attempting to read memory at 0x10 using a NULL pointer.
Reported by brian.ca...@gmail.com, Jan 2
Issue description
UserAgent: Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
Steps to reproduce the problem:
While fuzzing Chrome 71.0.3578.98 (x64) with Domato, this null pointer dereference and crash was caught. I've attached the report generated during the crash which contains stack and register information, plus the testcases that were created by Domato.
What is the expected behavior?
No crash.
What went wrong?
chrome_child.dll!net::HostCache::max_entries (id: d6a) [[C:\b\c\b\win64_clang\src\net\dns\host_cache.cc @ 420]]
chrome_child.dll!blink::WebLocalFrameImpl::LocalRootFrameWidget + 0x14 (id: 6f2) [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\frame\web_local_frame_impl.cc @ 2521]]
chrome_child.dll!blink::LocalFrameView::ScheduleVisualUpdateForPaintInvalidationIfNeeded + ? (the exact offset is not known) [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\page\chrome_client_impl.cc @ 413]]
chrome_child.dll!blink::LayoutObject::SetShouldCheckForPaintInvalidationWithoutGeometryChange + 0x42 [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\layout\layout_object.cc @ 3901]]
chrome_child.dll!blink::LayoutObject::SetShouldCheckForPaintInvalidation + 0xD [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\layout\layout_object.cc @ 3893]]
chrome_child.dll!blink::LayoutObject::SetSubtreeShouldCheckForPaintInvalidation + 0x13 [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\layout\layout_object.cc @ 3915]]
chrome_child.dll!blink::ValidationMessageOverlayDelegate::UpdateFrameViewState + 0x96 [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\page\validation_message_overlay_delegate.cc @ 123]]
chrome_child.dll!blink::ValidationMessageOverlayDelegate::PaintPageOverlay + 0x34 [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\page\validation_message_overlay_delegate.cc @ 103]]
chrome_child.dll!blink::PageOverlay::PaintContents + 0x33 [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\page\page_overlay.cc @ 120]]
chrome_child.dll!blink::GraphicsLayer::PaintWithoutCommit + 0x155 [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\platform\graphics\graphics_layer.cc @ 377]]
chrome_child.dll!blink::GraphicsLayer::Paint + 0x2E [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\platform\graphics\graphics_layer.cc @ 308]]
chrome_child.dll!blink::ValidationMessageClientImpl::PaintOverlay + 0x1B [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\page\validation_message_client_impl.cc @ 179]]
chrome_child.dll!blink::LocalFrameView::PaintTree + 0x291 [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\frame\local_frame_view.cc @ 2852]]
chrome_child.dll!blink::LocalFrameView::RunPaintLifecyclePhase + 0x4A [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\frame\local_frame_view.cc @ 2591]]
chrome_child.dll!blink::LocalFrameView::UpdateLifecyclePhasesInternal + 0xC2 [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\frame\local_frame_view.cc @ 2451]]
chrome_child.dll!blink::LocalFrameView::UpdateAllLifecyclePhases + ? (the exact offset is not known) [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\frame\local_frame_view.cc @ 2403]]
chrome_child.dll!blink::PageWidgetDelegate::UpdateLifecycle + ? (the exact offset is not known) [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\page\page_animator.cc @ 111]]
chrome_child.dll!blink::WebViewImpl::UpdateLifecycle + 0xEE [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\exported\web_view_impl.cc @ 1587]]
chrome_child.dll!cc::LayerTreeHost::RequestMainFrameUpdate + ? (the exact offset is not known) [[C:\b\c\b\win64_clang\src\content\renderer\render_widget.cc @ 1049]]
chrome_child.dll!cc::ProxyMain::BeginMainFrame + 0x216 [[C:\b\c\b\win64_clang\src\cc\trees\proxy_main.cc @ 226]]
chrome_child.dll!base::internal::Invoker<base::internal::BindState<void (cc::ProxyMain::*)(std::unique_ptr<cc::BeginMainFrameAndCommitState,std::default_delete<cc::BeginMainFrameAndCommitState> >),base::WeakPtr<cc::ProxyMain>,base::internal::PassedWrapper<std::unique_ptr<cc::BeginMainFrameAndCommitState,std::default_delete<cc::BeginMainFrameAndCommitState> > > >,void ()>::RunOnce + 0xA6 [[C:\b\c\b\win64_clang\src\base\bind_internal.h @ 662]]
chrome_child.dll!base::debug::TaskAnnotator::RunTask + 0x120 [[C:\b\c\b\win64_clang\src\base\debug\task_annotator.cc @ 99]]
chrome_child.dll!base::sequence_manager::internal::ThreadControllerImpl::DoWork + 0x1C2 [[C:\b\c\b\win64_clang\src\base\task\sequence_manager\thread_controller_impl.cc @ 197]]
chrome_child.dll!base::debug::TaskAnnotator::RunTask + 0x120 [[C:\b\c\b\win64_clang\src\base\debug\task_annotator.cc @ 99]]
chrome_child.dll!base::MessageLoop::RunTask + 0xDF [[C:\b\c\b\win64_clang\src\base\message_loop\message_loop.cc @ 436]]
chrome_child.dll!base::MessageLoop::DoDelayedWork + 0x153 [[C:\b\c\b\win64_clang\src\base\message_loop\message_loop.cc @ 558]]
chrome_child.dll!base::MessagePumpDefault::Run + 0x4C [[C:\b\c\b\win64_clang\src\base\message_loop\message_pump_default.cc @ 42]]
chrome_child.dll!base::RunLoop::Run + 0x31 [[C:\b\c\b\win64_clang\src\base\run_loop.cc @ 108]]
chrome_child.dll!content::RunOtherNamedProcessTypeMain + ? (the exact offset is not known) [[C:\b\c\b\win64_clang\src\content\renderer\renderer_main.cc @ 203]]
chrome_child.dll!content::ContentMainRunnerImpl::Run + 0x171 [[C:\b\c\b\win64_clang\src\content\app\content_main_runner_impl.cc @ 904]]
chrome_child.dll!service_manager::Main + 0x333 [[C:\b\c\b\win64_clang\src\services\service_manager\embedder\main.cc @ 472]]
chrome_child.dll!content::ContentMain + 0x3E [[C:\b\c\b\win64_clang\src\content\app\content_main.cc @ 19]]
chrome_child.dll!ChromeMain + 0x118 [[C:\b\c\b\win64_clang\src\chrome\app\chrome_main.cc @ 0]]
chrome.exe!MainDllLoader::Launch + 0x26C [[C:\b\c\b\win64_clang\src\chrome\app\main_dll_loader_win.cc @ 201]]
chrome.exe!wWinMain + 0x5F0 [[C:\b\c\b\win64_clang\src\chrome\app\chrome_exe_main_win.cc @ 229]]
chrome.exe!__scrt_common_main_seh + 0x106 [[f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 283]]
KERNEL32.DLL!BaseThreadInitThunk + 0x14
ntdll.dll!RtlUserThreadStart + 0x21
Crashed report ID: N/A
How much crashed? Whole browser
Is it a problem with a plugin? No
Did this work before? N/A
Chrome version: 71.0.3578.98 (x64) Channel: stable
OS Version: Enterprise 10 (Build 17134.rs4_release.180410-1804)
Flash Version: N/A
Command line flags:
'--enable-experimental-accessibility-features', '--enable-experimental-canvas-features', '--enable-experimental-input-view-features', '--enable-experimental-web-platform-features', '--enable-logging=stdout', '--enable-usermedia-screen-capturing', '--enable-viewport', '--enable-webgl-draft-extensions', '--enable-webvr', '--expose-internals-for-testing', '--disable-popup-blocking', '--disable-prompt-on-repost', '--force-renderer-accessibility', '--javascript-harmony', '--js-flags="--expose-gc"', '--no-sandbox', 'file://C:\\Fuzzing\\Tests\\index.html'
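For triaging reports like the one above it helps to parse the frame lines mechanically rather than by eye. The following Python is an added example (not part of this report or of the Chromium project): it parses the `module!symbol + offset (id: x) [[path @ line]]` frame format used in the trace, handles frames whose offset is reported as `?`, frames from system DLLs that carry no source location, and the build bot's checkout root `C:\b\c\b\win64_clang\src\`, and produces a short triage summary. The sample trace embedded in it is a handful of frames copied from the report; the root constant and all function names are this example's own choices.

```python
"""Parse crash-report stack frames of the form
   module!symbol [+ offset] [(id: hex)] [[path @ line]]
and extract what a triager wants: the crashing frame, the first frame that
resolves to an in-tree source file, and frames the unwinder could not resolve.
Added example; not code from the report or the Chromium project.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: six frames copied from the report above (raw string,
# so the Windows backslashes are kept literally).
SAMPLE_TRACE = r"""
chrome_child.dll!net::HostCache::max_entries (id: d6a) [[C:\b\c\b\win64_clang\src\net\dns\host_cache.cc @ 420]]
chrome_child.dll!blink::WebLocalFrameImpl::LocalRootFrameWidget + 0x14 (id: 6f2) [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\frame\web_local_frame_impl.cc @ 2521]]
chrome_child.dll!blink::LocalFrameView::ScheduleVisualUpdateForPaintInvalidationIfNeeded + ? (the exact offset is not known) [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\page\chrome_client_impl.cc @ 413]]
chrome_child.dll!blink::LocalFrameView::PaintTree + 0x291 [[C:\b\c\b\win64_clang\src\third_party\blink\renderer\core\frame\local_frame_view.cc @ 2852]]
KERNEL32.DLL!BaseThreadInitThunk + 0x14
ntdll.dll!RtlUserThreadStart + 0x21
"""

# Checkout root as it appears in the report's [[path @ line]] fields
# (assumed constant; a real tool would take it from the report).
BUILD_ROOT = "C:\\b\\c\\b\\win64_clang\\src\\"

FRAME_RE = re.compile(
    r"^(?P<module>[^!]+)!(?P<symbol>.+?)"
    r"(?:\s\+\s(?P<offset>0x[0-9A-Fa-f]+|\?(?: \(the exact offset is not known\))?))?"
    r"(?:\s\(id:\s(?P<id>[0-9a-f]+)\))?"
    r"(?:\s\[\[(?P<path>.+?)\s@\s(?P<line>\d+)\]\])?$"
)


@dataclass
class Frame:
    module: str
    symbol: str
    offset: Optional[int]        # None when no offset or "?" was reported
    offset_known: bool           # False for "+ ?" frames
    source_path: Optional[str]   # None for frames without [[path @ line]]
    line: Optional[int]


def parse_frame(text: str) -> Optional[Frame]:
    """Parse one frame line; returns None if the line is not a frame."""
    m = FRAME_RE.match(text.strip())
    if not m:
        return None
    raw = m.group("offset")
    if raw is None:
        offset, known = None, True       # symbol reported with no "+ offset"
    elif raw.startswith("?"):
        offset, known = None, False      # unwinder could not resolve the offset
    else:
        offset, known = int(raw, 16), True
    return Frame(
        module=m.group("module"),
        symbol=m.group("symbol"),
        offset=offset,
        offset_known=known,
        source_path=m.group("path"),
        line=int(m.group("line")) if m.group("line") else None,
    )


def parse_trace(text: str) -> List[Frame]:
    """Parse every non-blank line; an unparseable line is an error, not skipped."""
    frames = []
    for ln in text.splitlines():
        if ln.strip():
            f = parse_frame(ln)
            if f is None:
                raise ValueError(f"unparseable frame: {ln!r}")
            frames.append(f)
    return frames


def relative_source(path: str, root: str) -> str:
    """Strip the build bot's checkout root so the location maps onto a source
    tree; case-insensitive because these are Windows paths."""
    return path[len(root):] if path.lower().startswith(root.lower()) else path


def first_in_tree_frame(frames: List[Frame], root: str) -> Optional[Frame]:
    """First frame that resolves to a file under `root`; system DLL frames
    carry no source info and are skipped."""
    for f in frames:
        if f.source_path and f.source_path.lower().startswith(root.lower()):
            return f
    return None


def unknown_offset_frames(frames: List[Frame]) -> List[Frame]:
    return [f for f in frames if not f.offset_known]


def triage_summary(frames: List[Frame], root: str) -> dict:
    """Crash symbol, first in-tree location and count of unresolved frames."""
    top, in_tree = frames[0], first_in_tree_frame(frames, root)
    return {
        "crash_module": top.module,
        "crash_symbol": top.symbol,
        "first_in_tree": (f"{relative_source(in_tree.source_path, root)}:{in_tree.line}"
                          if in_tree else None),
        "unresolved_frames": len(unknown_offset_frames(frames)),
    }


if __name__ == "__main__":
    for key, value in triage_summary(parse_trace(SAMPLE_TRACE), BUILD_ROOT).items():
        print(f"{key}: {value}")
```

A frame whose offset is `?` is worth flagging in the summary rather than silently accepted: the unwinder could not pin it to an instruction, so its symbol and line are the least trustworthy part of the trace when deciding which code actually dereferenced the null pointer.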
Jan 3
The testcase(s) created by Domato which triggered this crash are in the zip file I attached to the original report.

Jan 3
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jan 8

Jan 9
Comment 1 by rbasuvula@google.com, Jan 3
Labels: Needs-Triage-M71 Needs-Feedback