Status: Fixed
Closed: Dec 2012
OS: All
Pri: 1
Type: Bug-Security

Global-buffer-overflow in D_Clear_BitmapXferProc
Project Member Reported by infe...@chromium.org, Jun 13 2012
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=59287761

Fuzzer: Inferno_twister

Crash Type: Global-buffer-overflow WRITE 1
Crash Address: 0x00000517931b
Crash State:
  - crash stack -
  D_Clear_BitmapXferProc
  SkDraw::drawPaint
  SkCanvas::internalDrawPaint
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=141783:141792

Minimized Testcase (1.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97uD_ZG2Naa9vI7UKxo7eRBWoWZ6ImV7Ic9kMC_u2xCtSnzyReYqW3npU-dWdiwGguyID4f3kB-smKFzwQtsgxRZ3-vK2_1YZTQJmxwR6dDHiAhUPFKe7mVdiuiTPMmSGi8T_MeEZ91Sk3hzDbA1d7y0QYkV0og8mUhLmZDVp1a7NgWg7E
 
Cc: reed@chromium.org
Labels: Internals-Skia
Owner: epoger@chromium.org
Status: Assigned
Note that CF will show this as Fixed since the Skia roll was reverted. However, the revert was reverted again, so it should affect trunk.

141788 13.06.2012 01:41:07, by cpu@chromium.org
Revert 141760 - Revert 141741 - Roll Skia DEPS to 4234 (inc changes to skia.gyp)

https://chromiumcodereview.appspot.com/10548003/

Review URL: https://chromiumcodereview.appspot.com/10533109

TBR=robertphillips@google.com
Review URL: https://chromiumcodereview.appspot.com/10543126

TBR=cpu@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10536133
M /trunk/src/DEPS 
M /trunk/src/skia/skia.gyp 
Labels: ReleaseBlock-Stable
Mike, Elliot, with such a narrow regression range (r4229:r4234), can you please see what regressed it?
Project Member Comment 4 by clusterf...@chromium.org, Jun 20 2012
ClusterFuzz has detected this issue as fixed in range 141792:141821.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=59287761

Fuzzer: Inferno_twister

Crash Type: Global-buffer-overflow WRITE 1
Crash Address: 0x00000517931b
Crash State:
  - crash stack -
  D_Clear_BitmapXferProc
  SkDraw::drawPaint
  SkCanvas::internalDrawPaint
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=141783:141792
Fixed: https://cluster-fuzz.appspot.com/revisions?range=141792:141821

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97uD_ZG2Naa9vI7UKxo7eRBWoWZ6ImV7Ic9kMC_u2xCtSnzyReYqW3npU-dWdiwGguyID4f3kB-smKFzwQtsgxRZ3-vK2_1YZTQJmxwR6dDHiAhUPFKe7mVdiuiTPMmSGi8T_MeEZ91Sk3hzDbA1d7y0QYkV0og8mUhLmZDVp1a7NgWg7E

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Comment 5 by epoger@chromium.org, Jun 20 2012
Status: WontFix
ClusterFuzz reports that this is fixed as of https://cluster-fuzz.appspot.com/revisions?range=141792:141821 ... so we can ignore this, right?  (I assume ClusterFuzz will update this bug if the problem shows up again?)
Comment 6 by epoger@chromium.org, Jun 20 2012
Cc: epoger@google.com
Project Member Comment 7 by clusterf...@chromium.org, Jun 21 2012
ClusterFuzz has detected this issue as fixed in range 142128:142136.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=59287761

Fuzzer: Inferno_twister

Crash Type: Global-buffer-overflow WRITE 1
Crash Address: 0x00000517931b
Crash State:
  - crash stack -
  D_Clear_BitmapXferProc
  SkDraw::drawPaint
  SkCanvas::internalDrawPaint
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=141783:141792
Fixed: https://cluster-fuzz.appspot.com/revisions?range=142128:142136

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97uD_ZG2Naa9vI7UKxo7eRBWoWZ6ImV7Ic9kMC_u2xCtSnzyReYqW3npU-dWdiwGguyID4f3kB-smKFzwQtsgxRZ3-vK2_1YZTQJmxwR6dDHiAhUPFKe7mVdiuiTPMmSGi8T_MeEZ91Sk3hzDbA1d7y0QYkV0og8mUhLmZDVp1a7NgWg7E

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Status: Assigned
Have a new repro. Reopening.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=65457468

Fuzzer: Bj_doc_fuzzer

Crash Type: Global-buffer-overflow WRITE 1
Crash Address: 0x0000067110cf
Crash State:
  - crash stack -
  D_Clear_BitmapXferProc
  SkDraw::drawPaint
  SkCanvas::internalDrawPaint
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=142299:142312

Minimized Testcase (0.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97vsfXU6YO4jOzRF4gKTFay4_OeEF_AUx90wwG3T8mZOzU16-x3AyvCbQVXMaisl_NmesG8WANIJH7EqrRC1VwWNj2FsXRlj-dVhhqD9EctS_R8l0qsDMqc_X4dNqB7fyc2ZshSZ-H6MNpTlKrnrusVDdiQcsb4o2siVS44Le32XJgvO2g
Comment 10 by reed@chromium.org, Jun 21 2012
A possible explanation is:

SVG asked us to allocate an image (which we also want to wrap a SkCanvas around).
We asked PlatformCanvas to create it.
On Linux, this asks cairo to create a surface.
... I think the surface came back with no memory allocated for its pixels.
... that NULL pixel-address was passed down to Skia, which crashed trying to write to it.

Comment 11 by palmer@google.com, Jun 21 2012
Labels: -Area-WebKit Area-Internals
Project Member Comment 12 by clusterf...@chromium.org, Jun 22 2012
ClusterFuzz has detected this issue as fixed in range 143396:143433.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=65457468

Fuzzer: Bj_doc_fuzzer

Crash Type: Global-buffer-overflow WRITE 1
Crash Address: 0x0000067110cf
Crash State:
  - crash stack -
  D_Clear_BitmapXferProc
  SkDraw::drawPaint
  SkCanvas::internalDrawPaint
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=142299:142312
Fixed: https://cluster-fuzz.appspot.com/revisions?range=143396:143433

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97vsfXU6YO4jOzRF4gKTFay4_OeEF_AUx90wwG3T8mZOzU16-x3AyvCbQVXMaisl_NmesG8WANIJH7EqrRC1VwWNj2FsXRlj-dVhhqD9EctS_R8l0qsDMqc_X4dNqB7fyc2ZshSZ-H6MNpTlKrnrusVDdiQcsb4o2siVS44Le32XJgvO2g

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
I think the repro is flaky, ignore the ClusterFuzz fixed message.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=69004125

Fuzzer: Inferno_twister

Crash Type: Global-buffer-overflow WRITE 1
Crash Address: 0x00000675110f
Crash State:
  - crash stack -
  D_Clear_BitmapXferProc
  SkDraw::drawPaint
  SkCanvas::internalDrawPaint
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=141671:141688

Minimized Testcase (1.58 Kb): https://cluster-fuzz.appspot.com/download/AMIfv973bQ4kJiHvF4Ps11JA_gMvltUotStr527PJ2xNsalryZTfmdXJfXjWT-PLOBMVW-2UrX9Zs8wXft64OCcMqY4sUMI7k0dBfMI6ICvleqeh1jpfNWfTOhZObS-Gm-XWuj_nn87DlDQskqWG_XzHaU3X6A64-xLMeY672Tgtmt_TJ1IB2y4
Project Member Comment 15 by clusterf...@chromium.org, Jun 27 2012
ClusterFuzz has detected this issue as fixed in range 144163:144169.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=69004125

Fuzzer: Inferno_twister

Crash Type: Global-buffer-overflow WRITE 1
Crash Address: 0x00000675110f
Crash State:
  - crash stack -
  D_Clear_BitmapXferProc
  SkDraw::drawPaint
  SkCanvas::internalDrawPaint
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=141671:141688
Fixed: https://cluster-fuzz.appspot.com/revisions?range=144163:144169

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv973bQ4kJiHvF4Ps11JA_gMvltUotStr527PJ2xNsalryZTfmdXJfXjWT-PLOBMVW-2UrX9Zs8wXft64OCcMqY4sUMI7k0dBfMI6ICvleqeh1jpfNWfTOhZObS-Gm-XWuj_nn87DlDQskqWG_XzHaU3X6A64-xLMeY672Tgtmt_TJ1IB2y4

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Labels: -SecImpacts-None SecImpacts-Beta
Bulk edit: updating impacts for target release.
Bulk Edit: High and critical severity regressions block the release of m21.
Comment 18 by epoger@google.com, Jul 2 2012
I am currently checking out a new asan-debug Chrome tree; once it's checked out, I will build it and see if I can reproduce this bug locally.  Then maybe I can track it down in the debugger...
Comment 19 by kareng@google.com, Jul 9 2012
Cc: mikelawther@chromium.org
Friendly ping, Elliot.
Cc: bsalomon@chromium.org
When I open the attached test case (from the ClusterFuzz issue) in this debug chromium build, running on my Linux desktop via NX:

Chromium	22.0.1209.0 (Developer Build 146887)
OS	Linux
WebKit	537.1 (trunk/Source/WebCore/Configurations@121656)
JavaScript	V8 3.12.11
Flash	11.2 r202
User Agent	Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1209.0 Safari/537.1
Command Line	 out/Debug/chrome --flag-switches-begin --flag-switches-end
Executable Path	/usr/local/google/home/epoger/src/chrome/asan-debug/src/out/Debug/chrome
Profile Path	/home/epoger/.config/chromium/Default


I get the following error:

[18557:18557:1531472930915:INFO:CONSOLE(2)] "Uncaught ReferenceError: runRepaintTest is not defined", source: file:///home/epoger/bugs/crbug132398-cf-minimized.html (2)
ERROR: !(isInBounds(value))
third_party/WebKit/Source/WebCore/platform/FractionalLayoutUnit.h(75) : WebCore::FractionalLayoutUnit::FractionalLayoutUnit(int)
ERROR: !(isInBounds(value))
third_party/WebKit/Source/WebCore/platform/FractionalLayoutUnit.h(75) : WebCore::FractionalLayoutUnit::FractionalLayoutUnit(int)
ERROR: !(isInBounds(value))
third_party/WebKit/Source/WebCore/platform/FractionalLayoutUnit.h(75) : WebCore::FractionalLayoutUnit::FractionalLayoutUnit(int)
ERROR: !(isInBounds(value))
third_party/WebKit/Source/WebCore/platform/FractionalLayoutUnit.h(75) : WebCore::FractionalLayoutUnit::FractionalLayoutUnit(int)
ERROR: !(isInBounds(value))
third_party/WebKit/Source/WebCore/platform/FractionalLayoutUnit.h(75) : WebCore::FractionalLayoutUnit::FractionalLayoutUnit(int)
ERROR: !(isInBounds(value))
third_party/WebKit/Source/WebCore/platform/FractionalLayoutUnit.h(75) : WebCore::FractionalLayoutUnit::FractionalLayoutUnit(int)
ERROR: !(isInBounds(value))
third_party/WebKit/Source/WebCore/platform/FractionalLayoutUnit.h(75) : WebCore::FractionalLayoutUnit::FractionalLayoutUnit(int)
ERROR: !(isInBounds(value))
third_party/WebKit/Source/WebCore/platform/FractionalLayoutUnit.h(75) : WebCore::FractionalLayoutUnit::FractionalLayoutUnit(int)
ERROR: !(isInBounds(value))
third_party/WebKit/Source/WebCore/platform/FractionalLayoutUnit.h(75) : WebCore::FractionalLayoutUnit::FractionalLayoutUnit(int)
[18589:18589:1531472961224:FATAL:SkBitmap.cpp(1520)] third_party/skia/src/core/SkBitmap.cpp:1520: failed assertion "fRowBytes >= (unsigned)ComputeRowBytes((Config)fConfig, fWidth)"

Backtrace:
	base::debug::StackTrace::StackTrace() [0x7f6c890b6a04]
	logging::LogMessage::~LogMessage() [0x7f6c892227ed]
	SkDebugf_FileLine() [0x7f6c905acbe4]
	SkBitmap::validate() [0x7f6c9001a113]
	SkBitmap::setConfig() [0x7f6c9001ecaa]
	skia::BitmapPlatformDevice::Create() [0x7f6c909159e8]
	skia::BitmapPlatformDevice::Create() [0x7f6c909170f9]
	skia::PlatformCanvas::initialize() [0x7f6c905db02f]
	skia::TryCreateBitmapCanvas() [0x7f6c905d74b7]
	WebCore::ImageBuffer::ImageBuffer() [0x7f6c94a6fdbe]
	WebCore::ImageBuffer::create() [0x7f6c918f6721]
	WebCore::GraphicsContext::createCompatibleBuffer() [0x7f6c94889275]
	WebCore::GeneratorGeneratedImage::draw() [0x7f6ca5a3510d]
	WebCore::Image::drawTiled() [0x7f6c94945974]
	WebCore::GraphicsContext::drawTiledImage() [0x7f6c94880ffa]
	WebCore::RenderBoxModelObject::paintFillLayerExtended() [0x7f6c987a747f]
	WebCore::RenderBox::paintFillLayer() [0x7f6c9870c2d7]
	WebCore::RenderBox::paintFillLayers() [0x7f6c9870800e]
	WebCore::RenderBox::paintFillLayers() [0x7f6c98707e64]

Attachment: crbug132398-cf-minimized.html (1.6 KB)
You might have to run from a layouttests path where repaint.js is defined.
Thanks.  But the assertion failure indicates a problem anyway... I think for now I will pursue that and see where it takes us.

I put in some printfs and found these values when the assertion failed... Mike/Brian, does this give you any insight?

kConfigCount=8
fConfig=6
fWidth=27083844
fRowBytes=15
ComputeRowBytes=108335376

Status: Started
P.S. Here's the ASAN error log I see when I run my ASANified release build, 22.0.1209.0 (Developer Build 146872).  It looks like the one in the ClusterFuzz report...

ASAN:SIGSEGV
==21780== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x7f024d66559b sp 0x7fff00a12f28 bp 0x7fff00a12f60 T0)
AddressSanitizer can not provide additional info. ABORTING
    #0 0x7f024d66559b in ?? /build/buildd/eglibc-2.11.1/string/../sysdeps/x86_64/memset.S:1050
    #1 0x7f0256b0edf7 in sk_bzero(void*, unsigned long) third_party/skia/include/core/SkTypes.h:70
    #2 0x7f0256b0f8fb in CallBitmapXferProc(SkBitmap const&, SkIRect const&, void (*)(void*, unsigned long, unsigned int), unsigned int) third_party/skia/src/core/SkDraw.cpp:248
    #3 0x7f0256b0f142 in SkDraw::drawPaint(SkPaint const&) const third_party/skia/src/core/SkDraw.cpp:282
    #4 0x7f0256b039e3 in SkCanvas::internalDrawPaint(SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:1443
    #5 0x7f0256b079be in SkCanvas::drawARGB(unsigned int, unsigned int, unsigned int, unsigned int, SkXfermode::Mode) third_party/skia/src/core/SkCanvas.cpp:1893
    #6 0x7f025763c5c0 in WebCore::ImageBuffer::ImageBuffer(WebCore::IntSize const&, float, WebCore::ColorSpace, WebCore::RenderingMode, WebCore::DeferralMode, bool&) third_party/WebKit/Source/WebCore/platform/graphics/skia/ImageBufferSkia.cpp:140
    #7 0x7f0256e9a565 in WebCore::ImageBuffer::create(WebCore::IntSize const&, float, WebCore::ColorSpace, WebCore::RenderingMode, WebCore::DeferralMode) third_party/WebKit/Source/WebCore/platform/graphics/ImageBuffer.h:85
    #8 0x7f02575f1346 in WebCore::GraphicsContext::createCompatibleBuffer(WebCore::IntSize const&) const third_party/WebKit/Source/WebCore/platform/graphics/GraphicsContext.cpp:775
    #9 0x7f025a7fc1e4 in WebCore::GeneratorGeneratedImage::draw(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::FloatRect const&, WebCore::ColorSpace, WebCore::CompositeOperator) third_party/WebKit/Source/WebCore/platform/graphics/GeneratorGeneratedImage.cpp:40
    #10 0x7f025760808d in WebCore::Image::drawTiled(WebCore::GraphicsContext*, WebCore::FloatRect const&, WebCore::FloatPoint const&, WebCore::FloatSize const&, WebCore::ColorSpace, WebCore::CompositeOperator) third_party/WebKit/Source/WebCore/platform/graphics/Image.cpp:130
    #11 0x7f02575efc30 in WebCore::GraphicsContext::drawTiledImage(WebCore::Image*, WebCore::ColorSpace, WebCore::IntRect const&, WebCore::IntPoint const&, WebCore::IntSize const&, WebCore::CompositeOperator, bool) third_party/WebKit/Source/WebCore/platform/graphics/GraphicsContext.cpp:511
    #12 0x7f02581663d8 in WebCore::RenderBoxModelObject::paintFillLayerExtended(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const*, WebCore::FractionalLayoutRect const&, WebCore::BackgroundBleedAvoidance, WebCore::InlineFlowBox*, WebCore::FractionalLayoutSize const&, WebCore::CompositeOperator, WebCore::RenderObject*) third_party/WebKit/Source/WebCore/rendering/RenderBoxModelObject.cpp:727
    #13 0x7f0258138dfc in WebCore::RenderBox::paintFillLayer(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const*, WebCore::FractionalLayoutRect const&, WebCore::BackgroundBleedAvoidance, WebCore::CompositeOperator, WebCore::RenderObject*) third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:967
    #14 0x7f02581378ef in WebCore::RenderBox::paintFillLayers(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const*, WebCore::FractionalLayoutRect const&, WebCore::BackgroundBleedAvoidance, WebCore::CompositeOperator, WebCore::RenderObject*) third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:960
    #15 0x7f02581378ef in WebCore::RenderBox::paintFillLayers(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const*, WebCore::FractionalLayoutRect const&, WebCore::BackgroundBleedAvoidance, WebCore::CompositeOperator, WebCore::RenderObject*) third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:960
    #16 0x7f02581378ef in WebCore::RenderBox::paintFillLayers(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const*, WebCore::FractionalLayoutRect const&, WebCore::BackgroundBleedAvoidance, WebCore::CompositeOperator, WebCore::RenderObject*) third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:960
    #17 0x7f0258138188 in WebCore::RenderBox::paintBackground(WebCore::PaintInfo const&, WebCore::FractionalLayoutRect const&, WebCore::BackgroundBleedAvoidance) third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:878
    #18 0x7f0258137e22 in WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::FractionalLayoutPoint const&) third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:853
    #19 0x7f02580c2447 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::FractionalLayoutPoint const&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2955
    #20 0x7f02580bd94f in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::FractionalLayoutPoint const&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2703
    #21 0x7f02580c1cce in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::FractionalLayoutPoint const&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2915
    #22 0x7f02580c2575 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::FractionalLayoutPoint const&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2983
    #23 0x7f02580bd94f in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::FractionalLayoutPoint const&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2703
    #24 0x7f02580c1cce in WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::FractionalLayoutPoint const&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2915
    #25 0x7f02580c2575 in WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::FractionalLayoutPoint const&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2983
    #26 0x7f02580bd94f in WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::FractionalLayoutPoint const&) third_party/WebKit/Source/WebCore/rendering/RenderBlock.cpp:2703
    #27 0x7f02581eca40 in WebCore::RenderLayer::paintLayerContents(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::FractionalLayoutRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:3161
    #28 0x7f02581ebf25 in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::FractionalLayoutRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:3038
    #29 0x7f02581eb0d4 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::FractionalLayoutRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:3016
    #30 0x7f02581ee6c6 in WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul>*, WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::FractionalLayoutRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:3248
    #31 0x7f02581ece54 in WebCore::RenderLayer::paintLayerContents(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::FractionalLayoutRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:3190
    #32 0x7f02581ebf25 in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::FractionalLayoutRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:3038
    #33 0x7f02581eb0d4 in WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::FractionalLayoutRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, WTF::HashMap<WebCore::OverlapTestRequestClient*, WebCore::IntRect, WTF::PtrHash<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::OverlapTestRequestClient*>, WTF::HashTraits<WebCore::IntRect> >*, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:3016
    #34 0x7f02581ead1f in WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::FractionalLayoutRect const&, unsigned int, WebCore::RenderObject*, WebCore::RenderRegion*, unsigned int) third_party/WebKit/Source/WebCore/rendering/RenderLayer.cpp:2829
    #35 0x7f0257d2dab3 in WebCore::FrameView::paintContents(WebCore::GraphicsContext*, WebCore::IntRect const&) third_party/WebKit/Source/WebCore/page/FrameView.cpp:3110
    #36 0x7f025757221b in WebCore::ScrollView::paint(WebCore::GraphicsContext*, WebCore::IntRect const&) third_party/WebKit/Source/WebCore/platform/ScrollView.cpp:1057
    #37 0x7f0256efd4df in WebKit::PageWidgetDelegate::paint(WebCore::Page*, WebKit::PageOverlayList*, SkCanvas*, WebKit::WebRect const&, WebKit::PageWidgetDelegate::CanvasBackground) third_party/WebKit/Source/WebKit/chromium/src/PageWidgetDelegate.cpp:99
    #38 0x7f0256e9aa47 in WebKit::WebViewImpl::paint(SkCanvas*, WebKit::WebRect const&) third_party/WebKit/Source/WebKit/chromium/src/WebViewImpl.cpp:1631
    #39 0x7f0259bf6428 in RenderWidget::PaintRect(gfx::Rect const&, gfx::Point const&, skia::PlatformCanvas*) content/renderer/render_widget.cc:698
    #40 0x7f0259bef45c in RenderWidget::DoDeferredUpdate() content/renderer/render_widget.cc:970
    #41 0x7f0259bf52e2 in RenderWidget::DoDeferredUpdateAndSendInputAck() content/renderer/render_widget.cc:810
    #42 0x7f0259bf75ad in RenderWidget::InvalidationCallback() content/renderer/render_widget.cc:805
    #43 0x7f0259c0042c in base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (RenderWidget::*)()>, void ()(RenderWidget* const&)>::MakeItSo(base::internal::RunnableAdapter<void (RenderWidget::*)()>, RenderWidget* const&) ./base/bind_internal.h:871
    #44 0x7f0255ab9e13 in MessageLoop::RunTask(base::PendingTask const&) base/message_loop.cc:457
    #45 0x7f0255aba57d in MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop.cc:468
    #46 0x7f0255aba892 in MessageLoop::DoWork() base/message_loop.cc:644
    #47 0x7f0255ac6908 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_pump_default.cc:28
    #48 0x7f0255ab960c in MessageLoop::RunInternal() base/message_loop.cc:416
    #49 0x7f0255af3813 in base::RunLoop::Run() base/run_loop.cc:46
    #50 0x7f0255ab8347 in MessageLoop::Run() base/message_loop.cc:300
    #51 0x7f0259c10a18 in RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:271
    #52 0x7f025599ae0b in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:330
    #53 0x7f025599b8b3 in content::RunNamedProcessTypeMain(std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:383
    #54 0x7f025599c5f0 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:630
    #55 0x7f025599a57f in content::ContentMain(int, char const**, content::ContentMainDelegate*) content/app/content_main.cc:35
    #56 0x7f02546231f7 in ChromeMain chrome/app/chrome_main.cc:32
    #57 0x7f025462315b in main chrome/app/chrome_exe_main_gtk.cc:18
    #58 0x7f024d5fdc4d in __libc_start_main /build/buildd/eglibc-2.11.1/csu/libc-start.c:258

Comment 26 by reed@chromium.org, Jul 17 2012
That is definitely an ill-formed bitmap:

1. fRowBytes is smaller than fWidth; this is a non-starter.
2. fWidth == 27083844 means allocating (depending on the height) over 100M per scanline, so no surprise that the pixel-address is null in the crash (i.e. we failed to allocate the memory).
Comment 27 by reed@chromium.org, Jul 18 2012
Cc: schenney@chromium.org reed@google.com
Comment 28 by epoger@google.com, Jul 18 2012
Owner: reed@chromium.org
Assigning to Mike for pursuing up the call stack--some Chrome code is apparently calling Skia with bogus parameters.

inferno- given that this is a null pointer dereference (not writing into forbidden addresses), should we lower the severity?
Elliot, this is not a null ptr dereference. This is a write on a non-null address.

Crash Type: Global-buffer-overflow WRITE 1
Crash Address: 0x00000517931b
Comment 30 by epoger@google.com, Jul 18 2012
I'm confused.  I see 3 ClusterFuzz crash reports listed above, from oldest to newest:


https://cluster-fuzz.appspot.com/testcase?key=69004125
Regressed	Chromium: r141671:r141688
Fixed	Chromium: r144163:r144169
ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x7f4ee4b6ef6f sp 0x7fffe5514968 bp 0x7fffe55149a0 T0)

https://cluster-fuzz.appspot.com/testcase?key=59287761
Regressed	Chromium: r141783:r141792
Skia: r4229:r4234
Fixed	Chromium: r142128:r142136
Skia: r4234:r4257
ERROR: AddressSanitizer global-buffer-overflow on address 0x00000517931b at pc 0xaa1ef6 bp 0x7fff8df5e460 sp 0x7fff8df5e458
WRITE of size 1 at 0x00000517931b thread T0

https://cluster-fuzz.appspot.com/testcase?key=65457468
Regressed	Chromium: r142299:r142312
Webkit: r120360:r120368
Fixed	Chromium: r143396:r143433
ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x7fe213b4df6f sp 0x7fffed1cd408 bp 0x7fffed1cd440 T0)


It seems to me like 69004125 and 65457468, like my repro described in comment 25, are null pointer dereferences.  Right?

Maybe 59287761 should be investigated separately?
Looks like the repro is flaking between a null ptr and a global-buffer-overflow write. Probably, once we fix the null ptr deref in a separate bug, this bug becomes easier to analyze? This bug already has security flags, so let's keep it for tracking the security part.

Comment 32 by epoger@google.com, Jul 23 2012
I tried to split off the two null-pointer cases into a new bug, but I couldn't figure out how to change the bug those clusterfuzz reports were associated with.  And besides, we already have a lot of history in this bug...

So let's track down the null pointer case with the same priority we would use for an overflow write, and once we get that fixed let's confirm that ALL THREE of the clusterfuzz reports in comment 30 are no longer happening.

Mike, let me know what I can do to help.  As noted above, I can reliably reproduce the null pointer bug in a debugger on Linux.
Comment 33 by epoger@google.com, Jul 24 2012
Mike and I have been investigating more...

I can reliably reproduce this failure in my local build (crrev 146887, webkit 122718), but Mike has a newer build (crrev 148096, webkit 123359) where he never sees the problem.

It looks like maybe this problem snuck in at http://trac.webkit.org/browser/trunk/Source/WebCore/platform/graphics/GeneratorGeneratedImage.cpp?rev=120033 , and the rollout at http://trac.webkit.org/browser/trunk/Source/WebCore/platform/graphics/GeneratorGeneratedImage.cpp?rev=122785 fixed it...

I am rolling my tree forward to see what I find with newer code.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=82591226

Fuzzer: Inferno_twister

Crash Type: Global-buffer-overflow WRITE 1
Crash Address: 0x0000062e3fdf
Crash State:
  - crash stack -
  D_Clear_BitmapXferProc
  SkDraw::drawPaint
  SkCanvas::internalDrawPaint
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=147886:147890

Minimized Testcase (1.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96gLSQY2epV75DRqS-x2027ecLWj5olA4DaLOyrJoxHX_5KuXsCYI6j2PSNMexe4qmmt6DXXHrNjM7mIcN8nMi7dvQ4_EQHFiu-3ZtawuqHQBQjRAO7PutTwjGPyOZK9Q4B-CkDqCujNRKdxr7hsXMoqLGT1xA6FBOIJRhER018r2hWLno
Elliot, Mike, can you please check the testcase in the last comment? It reproduced recently on r148021, and its testcase and stack look reliable.
Comment 36 by reed@chromium.org, Jul 24 2012
Your "Detailed report:" link isn't working for me :(

'AuthSubToken' object has no attribute 'valid_for_scope'
Traceback (most recent call last):
  File "/base/python27_runtime/python27_lib/versions/third_party/webapp2-2.3/webapp2.py", line 1511, in __call__
    rv = self.handle_exception(request, response, e)
  File "/base/python27_runtime/python27_lib/versions/third_party/webapp2-2.3/webapp2.py", line 1505, in __call__
 ...

Unfortunately, the repro-case did not fail or trigger any asserts in a debug build.
Mike, please try again. I had broken the issue tracker API on ClusterFuzz.
Project Member Comment 38 by clusterf...@chromium.org, Jul 25 2012
ClusterFuzz has detected this issue as fixed in range 148021:148048.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=82591226

Fuzzer: Inferno_twister

Crash Type: Global-buffer-overflow WRITE 1
Crash Address: 0x0000062e3fdf
Crash State:
  - crash stack -
  D_Clear_BitmapXferProc
  SkDraw::drawPaint
  SkCanvas::internalDrawPaint
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=147886:147890
Fixed: https://cluster-fuzz.appspot.com/revisions?range=148021:148048

Minimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96gLSQY2epV75DRqS-x2027ecLWj5olA4DaLOyrJoxHX_5KuXsCYI6j2PSNMexe4qmmt6DXXHrNjM7mIcN8nMi7dvQ4_EQHFiu-3ZtawuqHQBQjRAO7PutTwjGPyOZK9Q4B-CkDqCujNRKdxr7hsXMoqLGT1xA6FBOIJRhER018r2hWLno

If you suspect that the result above is incorrect, try re-doing that job on the testcase report page.
Comment 39 by reed@google.com, Jul 25 2012
GeneratorGeneratedImage::draw() in GeneratorGeneratedImage.cpp was changed recently, reverting a previous change. It appears that the previous change caused us to try to allocate a monstrous-big ImageBuffer, which failed silently (we didn't detect that the cairo surface had no pixels), and so later on that (NULL) address was handed to skia.

This change was recently reverted, and so we (and the clusterfuzz it appears) no longer see the issue.

Elliot is working to try to retry *all* of the various test files in this issue. Unfortunately this bug has morphed a few times, and so there is no *one* test case to test against.

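The failure mode described in comment 39 (an oversized buffer allocation that fails silently, leaving a surface with no pixel storage whose null address is later handed to a raster routine) is illustrated below with an added, self-contained example. This is not Chromium, WebKit or Skia code: `PixelBuffer`, `computeSafeSize`, `allocateSurface` and `fillSurface` are hypothetical names chosen for the illustration. The point it shows is that both sides need a check: the allocator must refuse overflowing or oversized requests explicitly instead of producing a wrapped or empty allocation, and the drawing routine must verify that a backing store exists and is large enough before it writes a single byte.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>
#include <vector>

// Hypothetical minimal 32bpp pixel surface (stand-in for an ImageBuffer /
// cairo surface; not Skia's SkBitmap). An empty `pixels` vector models a
// surface whose allocation failed and that therefore has no backing store.
struct PixelBuffer {
    int width = 0;
    int height = 0;
    size_t rowBytes = 0;
    std::vector<uint8_t> pixels;
    bool hasPixels() const { return !pixels.empty(); }
};

// Computes rowBytes and total byte size for a width x height 32bpp surface.
// Returns false (instead of a silently wrapped or zero size) when the
// dimensions are invalid, the multiplication would overflow size_t, or the
// result exceeds maxBytes.
bool computeSafeSize(int width, int height, size_t maxBytes,
                     size_t* rowBytes, size_t* total) {
    const size_t bpp = 4;
    if (width <= 0 || height <= 0) return false;
    const size_t w = static_cast<size_t>(width);
    const size_t h = static_cast<size_t>(height);
    if (w > std::numeric_limits<size_t>::max() / bpp) return false;
    const size_t rb = w * bpp;
    if (rb > std::numeric_limits<size_t>::max() / h) return false;
    const size_t t = rb * h;
    if (t > maxBytes) return false;
    *rowBytes = rb;
    *total = t;
    return true;
}

// Allocates a surface. On any failure the returned buffer has hasPixels()
// == false, which callers are expected to check before drawing into it.
// maxBytes defaults to 256 MiB (an assumed policy limit for this example).
PixelBuffer allocateSurface(int width, int height,
                            size_t maxBytes = static_cast<size_t>(256) << 20) {
    PixelBuffer buf;
    size_t rb = 0, total = 0;
    if (!computeSafeSize(width, height, maxBytes, &rb, &total)) {
        return buf;  // no backing store; width/height stay 0
    }
    buf.width = width;
    buf.height = height;
    buf.rowBytes = rb;
    buf.pixels.assign(total, 0);
    return buf;
}

// A drawPaint-style whole-surface fill that validates its destination first.
// Returns the number of bytes written; 0 means the surface was unusable and
// nothing was touched (the case that turned into a write through a bad
// address in the report above).
size_t fillSurface(PixelBuffer& buf, uint8_t value) {
    if (!buf.hasPixels()) return 0;
    if (buf.width <= 0 || buf.height <= 0) return 0;
    const size_t needed = buf.rowBytes * static_cast<size_t>(buf.height);
    if (buf.rowBytes < static_cast<size_t>(buf.width) * 4) return 0;
    if (buf.pixels.size() < needed) return 0;
    std::memset(buf.pixels.data(), value, needed);
    return needed;
}

int main() {
    PixelBuffer ok = allocateSurface(4, 2);
    std::printf("4x2 surface: %zu bytes written\n", fillSurface(ok, 0xff));

    // A "monstrous-big" request: refused up front rather than failing silently.
    PixelBuffer huge = allocateSurface(1 << 30, 1 << 30);
    std::printf("huge surface has pixels: %d, bytes written: %zu\n",
                huge.hasPixels(), fillSurface(huge, 0xff));
    return 0;
}
```

The size computation deliberately checks each multiplication against `size_t` overflow separately; a single `width * height * 4` expression is exactly where a wrapped value turns into an undersized allocation that the drawing code then overruns.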
Comment 40 by kareng@google.com, Jul 25 2012
Hey Reed, do you have the WebKit rev that did the revert?
Comment 42 by epoger@google.com, Jul 27 2012
Status: WontFix
I think we can close this bug.  In detail…

There are 4 ClusterFuzz crash reports listed above, from oldest to newest:

https://cluster-fuzz.appspot.com/testcase?key=69004125
Regressed	Chromium: r141671:r141688
Fixed	Chromium: r144163:r144169
ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x7f4ee4b6ef6f sp 0x7fffe5514968 bp 0x7fffe55149a0 T0)

https://cluster-fuzz.appspot.com/testcase?key=59287761
Regressed	Chromium: r141783:r141792
Skia: r4229:r4234
Fixed	Chromium: r142128:r142136
Skia: r4234:r4257
ERROR: AddressSanitizer global-buffer-overflow on address 0x00000517931b at pc 0xaa1ef6 bp 0x7fff8df5e460 sp 0x7fff8df5e458
WRITE of size 1 at 0x00000517931b thread T0

https://cluster-fuzz.appspot.com/testcase?key=65457468
Regressed	Chromium: r142299:r142312
Webkit: r120360:r120368
Fixed	Chromium: r143396:r143433
ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x7fe213b4df6f sp 0x7fffed1cd408 bp 0x7fffed1cd440 T0)

Detailed report: 
https://cluster-fuzz.appspot.com/testcase?key=82591226
Regressed	Chromium: r147886:r147890
Fixed	Chromium: r148021:r148048
Webkit: r123346:r123359
ERROR: AddressSanitizer global-buffer-overflow on address 0x0000062e3fdf at pc 0xadfb26 bp 0x7fff9b89a400 sp 0x7fff9b89a3f8
WRITE of size 1 at 0x0000062e3fdf thread T0


I am attaching here the minimized test case from each ClusterFuzz report.

I have two local builds as of (crrev 148112, webkit 123359) on my Linux desktop:
- ASAN turned on, running in Release mode
- ASAN turned off, running in Debug mode

I have run all 4 test cases on both local builds, and I don't see any failures at all.

So I believe this bug can now be closed… although as Mike noted above, if/when http://trac.webkit.org/changeset/122785 is reverted we may see problems like this again.  But ClusterFuzz will let us know if that happens, right?
Attachments:
- crbug132398-cf82591226-minimized.html (1.2 KB)
- crbug132398-cf59287761-minimized.html (1023 bytes)
- crbug132398-cf65457468-minimized.html (431 bytes)
- crbug132398-cf69004125-minimized.html (1.6 KB)
Labels: Merge-Approved
Status: FixUnreleased
What's the rationale for the WontFix? It looks like we need to merge 122785 to stable, since 120033 definitely made it into m21.
Comment 44 by epoger@google.com, Aug 7 2012
Sounds like I need to download the most recent M21 build from http://master.chrome.corp.google.com/official_builds/ ... if any of the 4 tests in comment 42 fail, we will indeed need to cherry-pick a fix into M21.
Comment 45 by epoger@google.com, Aug 13 2012
I'm confused (again)...

I downloaded the following 3 binaries from https://commondatastorage.googleapis.com/chromium-browser-asan/index.html :
- asan-linux-release-146884
- asan-linux-beta-21.0.1180.41
- asan-linux-beta-21.0.1180.77

And viewed all 4 of the tests in comment 42 (running on my Linux desktop via NX) ... and got NO failures.

Which is strange, because in comment 25 I ran my own ASANified release build, 22.0.1209.0 (Developer Build 146872), and got failures.

Any ideas???
Labels: -Restrict-View-SecurityTeam -Mstone-21 -Merge-Approved Restrict-View-SecurityNotify Mstone-22
Looking at the referenced WebKit revision (http://trac.webkit.org/changeset/122785), this is already in M22.
Project Member Comment 47 by bugdroid1@chromium.org, Oct 14 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Status: Fixed
Comment 49 by laforge@google.com, Jan 18 2013
Labels: Restrict-View-EditIssue
Project Member Comment 50 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-Internals -Type-Security -SecSeverity-High -Mstone-22 -Stability-AddressSanitizer -Internals-Skia -SecImpacts-Beta Cr-Internals-Skia Security-Impact-Beta M-22 Cr-Internals Security-Severity-High Type-Bug-Security Performance-Memory-AddressSanitizer
Project Member Comment 51 by bugdroid1@chromium.org, Mar 14 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 53 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 54 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Project Member Comment 55 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 56 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 57 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic