Use-of-uninitialized-value in xmlNextChar
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5318549811232768
Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  xmlNextChar
  xmlParseDocTypeDecl
  xmlParseDocument
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=372875:372885
Minimized Testcase (0.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94NDzkTXDERTLy7Gos9B2-1VKbG6jFBz1oo4JnQOuog-F7C2g8brVb0QMfK0j7NfY-xbBLJki2_4OguD1u9afpLZ_eGBV4IDUrM3U-iEL6sKrhIdh6A1QC64a6ef3A-X4jrRGqTyIynpid31YO37lHEPC2p4g
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 10 2016
When we find something with msan+libfuzzer, do we also run the same repro with asan? I am curious if some of these uninits are in fact buffer overflows.
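Added illustration for the MSan-versus-ASan question above. This is not libxml2 code and not taken from this bug; the thread does not state the root cause of the xmlNextChar report, so the snippet only models the general bug class the origin stack suggests: a heap buffer allocated with a larger capacity than the bytes copied into it (compare xmlBufCreateSize in the origin trace), and a character reader that bounds its cursor by the allocation capacity instead of the filled length. Every read stays inside the allocation, so ASan has nothing to report, while MSan flags the branch on the uninitialized byte. The struct, function names, and the 4096-byte capacity are this example's own assumptions; the sample input is the 20-byte minimized testcase quoted later in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample input: the minimized testcase bytes quoted later in
 * this thread (<!DOCTYPE\xe6 PUBLIC'I'), 20 bytes without the NUL. */
static const unsigned char kTestcase[] = "<!DOCTYPE\xe6 PUBLIC'I'";

/* Hypothetical input buffer (names are this example's own, not libxml2's):
 * a malloc'd buffer whose capacity may exceed the bytes copied into it. */
struct input {
    unsigned char *base;  /* malloc'd, deliberately not zeroed */
    size_t size;          /* allocated capacity */
    size_t use;           /* bytes actually filled from the document */
    size_t cur;           /* read cursor */
};

static struct input *input_from_memory(const unsigned char *doc, size_t len,
                                       size_t capacity) {
    struct input *in = calloc(1, sizeof *in);
    if (!in) return NULL;
    if (capacity < len) capacity = len;
    in->base = malloc(capacity);   /* bytes beyond len stay uninitialized */
    if (!in->base) { free(in); return NULL; }
    memcpy(in->base, doc, len);
    in->size = capacity;
    in->use = len;
    in->cur = 0;
    return in;
}

/* Buggy reader: limits the cursor by the allocation capacity. Once the
 * filled bytes run out, the byte read is in-bounds (ASan silent) but
 * uninitialized, and the branch on it is where MSan reports.
 * Returns the byte (0x100 | byte for non-ASCII) or -1 at end of buffer. */
static int next_char_buggy(struct input *in) {
    if (in->cur >= in->size) return -1;
    unsigned char c = in->base[in->cur++];
    if (c & 0x80)                /* MSan: use-of-uninitialized-value here */
        return 0x100 | c;
    return c;
}

/* Fixed reader: limits the cursor by the filled length, so the cursor can
 * never reach the uninitialized tail of the allocation. */
static int next_char_fixed(struct input *in) {
    if (in->cur >= in->use) return -1;
    unsigned char c = in->base[in->cur++];
    if (c & 0x80)
        return 0x100 | c;
    return c;
}

/* Rewind and run a reader to end-of-input; return the bytes it consumed. */
static size_t drain(struct input *in, int (*next)(struct input *)) {
    size_t n = 0;
    in->cur = 0;
    while (next(in) != -1) n++;
    return n;
}

static void input_free(struct input *in) {
    if (in) { free(in->base); free(in); }
}

int main(void) {
    struct input *in = input_from_memory(kTestcase, sizeof kTestcase - 1, 4096);
    if (!in) return 1;
    printf("fixed reader consumed %zu bytes\n", drain(in, next_char_fixed));
    /* In an MSan build the next line aborts with a report at the `c & 0x80`
     * branch; an ASan build runs to completion because every access is
     * inside the 4096-byte allocation. */
    printf("buggy reader consumed %zu bytes\n", drain(in, next_char_buggy));
    input_free(in);
    return 0;
}
```

Running the fixed reader consumes exactly the 20 filled bytes; the buggy one walks all 4096 bytes of the allocation, and only an MSan build objects. That is why a sanitizer-clean ASan run of an MSan repro does not by itself show the read is harmless: the access is in-bounds, it is just reading garbage.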
Mar 11 2016
[Environment] MSAN_OPTIONS = print_stats=1:symbolize=1:coverage=0
Running command: <...>/libxml_xml_read_memory_fuzzer -runs=65536 <...>/fuzz-2-libxml_xml_read_memory_fuzzer
Seed: 1487312072
<...>/libxml_xml_read_memory_fuzzer: Running 1 inputs 65536 time(s) each.
==1224==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x7ab3b8 in xmlNextChar third_party/libxml/src/parserInternals.c:535:13
#1 0x74a306 in xmlParseDocTypeDecl third_party/libxml/src/parser.c:8415:5
#2 0x789fb2 in xmlParseDocument third_party/libxml/src/parser.c:10878:2
#3 0x79bcf4 in xmlDoRead third_party/libxml/src/parser.c:15391:5
#4 0x79c769 in xmlReadMemory third_party/libxml/src/parser.c:15477:13
#5 0x49b72b in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/libxml_xml_read_memory_fuzzer.cc:17:18
#6 0x6127bc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/llvm/lib/Fuzzer/FuzzerLoop.cpp:306:13
#7 0x5f20a7 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:240:3
#8 0x5f6cac in FuzzerDriver third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:350:9
#9 0x5f6cac in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned char const*, unsigned long)) third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:387
#10 0x5f1bc8 in main third_party/llvm/lib/Fuzzer/FuzzerMain.cpp:25:10
#11 0x7faeb1168ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
#12 0x41df74 in _start (<...>/libxml_xml_read_memory_fuzzer+0x41df74)
Uninitialized value was created by a heap allocation
#0 0x43e4e9 in __interceptor_malloc third_party/llvm/compiler-rt/lib/msan/msan_interceptors.cc:1003
#1 0x9aec23 in xmlBufCreateSize third_party/libxml/src/buf.c:172:36
#2 0x900844 in xmlAllocParserInputBuffer third_party/libxml/src/xmlIO.c:2432:19
#3 0x9030bf in xmlParserInputBufferCreateMem third_party/libxml/src/xmlIO.c:3033:11
#4 0x795f37 in xmlCreateMemoryParserCtxt third_party/libxml/src/parser.c:14579:11
#5 0x79c6a0 in xmlReadMemory third_party/libxml/src/parser.c:15474:12
#6 0x49b72b in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/libxml_xml_read_memory_fuzzer.cc:17:18
#7 0x6127bc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/llvm/lib/Fuzzer/FuzzerLoop.cpp:306:13
#8 0x5f20a7 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:240:3
#9 0x5f6cac in FuzzerDriver third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:350:9
#10 0x5f6cac in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned char const*, unsigned long)) third_party/llvm/lib/Fuzzer/FuzzerDriver.cpp:387
#11 0x5f1bc8 in main third_party/llvm/lib/Fuzzer/FuzzerMain.cpp:25:10
#12 0x7faeb1168ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
SUMMARY: MemorySanitizer: use-of-uninitialized-value third_party/libxml/src/parserInternals.c:535:13 in xmlNextChar
Unique heap origins: 121
Stack depot allocated bytes: 14168
Unique origin histories: 8
History depot allocated bytes: 192
Exiting
DEATH:
0x3c,0x21,0x44,0x4f,0x43,0x54,0x59,0x50,0x45,0x61,0x20,0x53,0x59,0x53,0x54,0x45,0x4d,0x27,0x20,0x68,0x72,0x65,0x66,0x3d,0x22,0x31,0x2a,0x25,0xdb,0x43,0x44,0x41,0x54,0x41,0x5b,0x22,0x3d,0x22,0x31,0x3c,0x3f,0x3c,0x3a,0x3e,0x9,0x26,0x23,0x3a,0x3c,0x3c,0x3f,0x30,0x3e,0x9,0x26,0x23,0xf8,0x3e,0x2a,0x26,0x23,0x3e,0x78,0x44,0x3c,0x3f,0x78,0x6d,0x6c,0x20,0x76,0x65,0x72,0x73,0x69,0x6f,0x6e,0x3d,0x22,0x31,0x2e,0x30,0x22,0x20,0x65,0x6e,0x63,0x6f,0x64,0x69,0x20,0x78,0x6d,0x6c,0x3a,0x69,0x64,0x3d,0x22,0x31,0x22,0x6e,0x67,0x54,0x2a,0x26,0x23,0x3c,0x3f,0x78,0x6d,0x6c,0x20,0x76,0x65,0x72,0x73,0x69,0x6f,0x22,0x5d,0x6e,0x3d,0x22,0x30,0x2e,0x3d,0x22,0x55,0x54,0x46,0x38,0x2d,0x22,0x3f,0xe0,0xa4,
<!DOCTYPEa SYSTEM href=\"1*%\xdbCDATA[\"=\"1<?<:>\x09&#:<<?0>\x09&#\xf8>*&#>xD<?xml version=\"1.0\" encodi xml:id=\"1\"ngT*&#<?xml versio\"]n=\"0.=\"UTF8-\"?\xe0\xa4
artifact_prefix=./; Test unit written to ./crash-f84f7afdbc69e8c34406a2dd9063c7339c78885d
Base64: PCFET0NUWVBFYSBTWVNURU0nIGhyZWY9IjEqJdtDREFUQVsiPSIxPD88Oj4JJiM6PDw/MD4JJiP4PiomIz54RDw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2RpIHhtbDppZD0iMSJuZ1QqJiM8P3htbCB2ZXJzaW8iXW49IjAuPSJVVEY4LSI/4KQ=
Mar 24 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5318549811232768
Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  xmlNextChar
  xmlParseDocTypeDecl
  xmlParseDocument
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=372875:372885
Minimized Testcase (0.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94NDzkTXDERTLy7Gos9B2-1VKbG6jFBz1oo4JnQOuog-F7C2g8brVb0QMfK0j7NfY-xbBLJki2_4OguD1u9afpLZ_eGBV4IDUrM3U-iEL6sKrhIdh6A1QC64a6ef3A-X4jrRGqTyIynpid31YO37lHEPC2p4g
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 6 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5683764528676864
Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  xmlNextChar
  xmlParseDocument
  xmlDoRead
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=372875:372885
Minimized Testcase (0.02 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95nFcs1lwSDOIIQsFsdxibGLlkLIx0WlrCesjZJ5PF8xyHgKHfYT6a6ycnoCy4CXrxP_JEi3R10KJDxdQ5zeF4z4Z15Jj8u2Q-amZYeyW8S0N1ttbbJK3zPZ0jSIoC98nQfP1X6l_FW3Z5vnKUrLDT9dOJCpg
<!DOCTYPE\xe6 PUBLIC'I'
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 7 2016
This one should be reproducible, I've just checked with the testcase attached:
$ libfuzzer-linux-release-385289/libxml_xml_read_memory_fuzzer ./593691
INFO: Seed: 31485942
libfuzzer-linux-release-385289/libxml_xml_read_memory_fuzzer: Running 1 inputs 1 time(s) each.
==35830==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x6e4360 in xmlNextChar third_party/libxml/src/parserInternals.c:535:13
#1 0x6cb65d in xmlParseDocument third_party/libxml/src/parser.c:10878:2
#2 0x6d8f32 in xmlDoRead third_party/libxml/src/parser.c:15391:5
#3 0x6d9621 in xmlReadMemory third_party/libxml/src/parser.c:15477:13
#4 0x4859f4 in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/libxml_xml_read_memory_fuzzer.cc:17:18
#5 0x4a37cc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:322:13
#6 0x486cd6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) third_party/libFuzzer/src/FuzzerDriver.cpp:240:3
#7 0x48b8dc in FuzzerDriver third_party/libFuzzer/src/FuzzerDriver.cpp:351:9
#8 0x48b8dc in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:396
#9 0x4be618 in main third_party/libFuzzer/src/FuzzerMain.cpp:25:10
#10 0x7ffa7b789ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
#11 0x41deb8 in _start (/tmp/msan/libfuzzer-linux-release-385289/libxml_xml_read_memory_fuzzer+0x41deb8)
Uninitialized value was created by a heap allocation
#0 0x4429b2 in __interceptor_malloc (/tmp/msan/libfuzzer-linux-release-385289/libxml_xml_read_memory_fuzzer+0x4429b2)
#1 0x85a2e1 in xmlBufCreateSize third_party/libxml/src/buf.c:172:36
#2 0x7dc208 in xmlAllocParserInputBuffer third_party/libxml/src/xmlIO.c:2432:19
#3 0x7ddfa8 in xmlParserInputBufferCreateMem third_party/libxml/src/xmlIO.c:3033:11
#4 0x6d452f in xmlCreateMemoryParserCtxt third_party/libxml/src/parser.c:14579:11
#5 0x6d9555 in xmlReadMemory third_party/libxml/src/parser.c:15474:12
#6 0x4859f4 in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/libxml_xml_read_memory_fuzzer.cc:17:18
#7 0x4a37cc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:322:13
#8 0x486cd6 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) third_party/libFuzzer/src/FuzzerDriver.cpp:240:3
#9 0x48b8dc in FuzzerDriver third_party/libFuzzer/src/FuzzerDriver.cpp:351:9
#10 0x48b8dc in fuzzer::FuzzerDriver(int, char**, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:396
#11 0x4be618 in main third_party/libFuzzer/src/FuzzerMain.cpp:25:10
#12 0x7ffa7b789ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
SUMMARY: MemorySanitizer: use-of-uninitialized-value third_party/libxml/src/parserInternals.c:535:13 in xmlNextChar
Exiting
DEATH:
0x3c,0x21,0x44,0x4f,0x43,0x54,0x59,0x50,0x45,0xe6,0x20,0x50,0x55,0x42,0x4c,0x49,0x43,0x27,0x49,0x27,
<!DOCTYPE\xe6 PUBLIC'I'
Apr 26 2016
scottmg: Uh oh! This issue still open and hasn't been updated in the last 47 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 11 2016
scottmg: Uh oh! This issue still open and hasn't been updated in the last 62 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 11 2016
In our internal testing, we found this issue was fixed by the fix for the following upstream libxml2 bug: Bug 758606: Heap-based buffer overread in htmlCurrentChar <https://bugzilla.gnome.org/show_bug.cgi?id=758606>
May 24 2016
Looks like we closed most of the libxml bugs by recent update (bug 611953), kicked off redo 'Fixed' job for this issue.
May 25 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5683764528676864
Fuzzer: libfuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  xmlNextChar
  xmlParseDocument
  xmlDoRead
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=372875:372885
Minimized Testcase (0.02 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95nFcs1lwSDOIIQsFsdxibGLlkLIx0WlrCesjZJ5PF8xyHgKHfYT6a6ycnoCy4CXrxP_JEi3R10KJDxdQ5zeF4z4Z15Jj8u2Q-amZYeyW8S0N1ttbbJK3zPZ0jSIoC98nQfP1X6l_FW3Z5vnKUrLDT9dOJCpg
<!DOCTYPE\xe6 PUBLIC'I'
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 26 2016
Adding Merge-Triage label for tracking purposes. Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone. When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. - Your friendly ClusterFuzz
Jun 21 2016
Temporarily opening the bug to attach another CF report.
Jun 21 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4572493713244160
Fuzzer: afl_libxml_xml_read_memory_fuzzer
Job Type: libxml_afl_reproduce_593691
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  xmlNextChar
  xmlParseDocument
  xmlDoRead
Minimized Testcase (0.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95nQ76Lb7JlQv7yBLeEwNua_K65QEafYjkX3Z46i8bSHnBFPQzuNgER1Mv_oSYMgUPIqqpQCQaPtegGp4Ie5hGXDaIe_3j6pvSEqv7jglh_Qz4JsKiA4ivetWeNUZrgdJZpvfct0cO_SBzMH5Lt1yvFd0PFLw?testcase_id=4572493713244160
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 11 2016
Approving merge to M52 & M53.
Jul 12 2016
Yeah I don't think merging this makes sense. I think we fixed it with Issue 614405 and that should be on M52 IIRC.
Sep 27 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Mar 10 2016. Owner: scottmg@chromium.org