ASSERTION FAILED: i < m_len
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5990532672651264
Fuzzer: inferno_twister_custom_bundle
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: ASSERT
Crash Address:
Crash State:
  ASSERTION FAILED: i < m_len
  blink::LayoutSVGInlineText::addMetricsFromRun
  blink::LayoutSVGInlineText::updateMetricsList
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=384406:384437
Minimized Testcase (0.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95vqe1-Xzl0I0S-ByALZmIaCDVnoG8as8OmrR6Gr6Oahl7_akzJDHzeivZRVlTCzw6x59l7yE5eRwNM8B2I7MvsED_VLX9MLmh1Pb0cqZf1pDBsnoEtBjf2oK63vq5jtVMq3JyuxwNhNylqk3KzSuk5jiYBxw
Filer: inferno
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 23 2016
In the range listed, ec8e7dc866c0edc91cb9c79cd82ea40d2b5e5b58 seems like the most likely. It's possible this is a dupe of issue 610641, but I'll check the test.
May 23 2016
s/dupe of/the same as/, so fix might be to merge that CL. Per that bug though, severity is < High.
May 23 2016
From the other bugs, it looks like you are planning to merge the CL to fix this. Is my understanding correct? Thanks.
May 24 2016
Yes, that is correct.
May 24 2016
Thanks for taking care of this. Are you OK with making this a dup of 610641 since it was the same fix, merged back?
May 24 2016
How can this be a dupe? This is still reproducing on trunk as of today.
May 24 2016
How can this be a dupe? This is still reproducing on trunk as of today.
May 24 2016
In 610641 it says, "ClusterFuzz has detected this issue as fixed in range 392865:392881." So if this is still reproducing on trunk, it seems there must be another issue here. fs, can you please take another look and run the minimized test case against your fix that you merged back?
May 24 2016
I am talking about the testcase in c#0 https://cluster-fuzz.appspot.com/testcase?key=5990532672651264. The one in 610641 looks fixed, so it is probably a different bug than this. Or this one is a variant that still needs fixing.
May 24 2016
Hmm, it did not repro for me with yesterday's trunk. Is there interaction required? (I can't download/run those.) Hmm, maybe synthesizeGraphemeWidths wasn't actually on the stack in issue 610641. pdr, could you take a look? (I'll try to get a build going after dinner.)
May 24 2016
What is the exact issue downloading the test cases? As owner of the bug you should have access.
May 24 2016
The "Local reproduction config" thing I cannot download (and AFAIK not use/run either.) The TC downloads fine. I'm starting to suspect that this may require a font that only exists on Mac or something like that though.
May 24 2016
Yes, local repro config won't work for non-chromium.org accounts since it needs downloading clusterfuzz. The testcase should run fine from command prompt; however, it looks like it needs Mac.
May 24 2016
Yes, it looks like it would need to have Font::individualCharacterRanges return a Vector with size() > number of characters in the TextRun (overlapping shaper runs?) pdr, handing this over to you (feel free to redistribute if needed), since there's little chance I'll be able to debug this for real on a Mac before ~afternoon (local time) tomorrow =/
May 24 2016
This doesn't repro for me on OSX 10.11.5 at tip-of-trunk. Clusterfuzz says this affects beta/M51 so I'm leaning towards this being a dupe of https://bugs.chromium.org/p/chromium/issues/detail?id=610641#c17 which was just merged to M51 10 hours ago. I've queued up a retry of the "fixed" bit on clusterfuzz to see if this has already been fixed. Let's give Clusterfuzz a few hours to churn on this. Aside--I thought Clusterfuzz was restricted to just Google accounts which is why I minimize testcases for Opera folks. Are Opera folks able to view Clusterfuzz reports? If so, I'll stop stealing all the minimization fun from them!
May 24 2016
Thanks for having a look! Inferno indicates in c#13 it repros on current trunk though.
We can view the reports just fine - sometimes it requires knowing the right order of steps though (like accessing the "Detailed report" before accessing the TC and other quirks.) I'm going to make sure you minimize all the ones with the getElementsByTagName('*')[foo % 42] structure though, because those sure are a pain... =P
May 24 2016
We already cut M51 stable RC (51.0.2704.63 in progress now) which includes the fix for https://bugs.chromium.org/p/chromium/issues/detail?id=610641#c17. Will that be OK or do we need to block tomorrow's M51 Stable release? + timwillis@ (Security TPM)
May 24 2016
@govind, I think this is fixed in the cut that's in progress now. I think we should hold off on pushing the release until Clusterfuzz confirms this is fixed though.
May 24 2016
@inferno: I don't think we should delay M51 stable for this issue. Let me know if you want to hold up the release. We can always drop this in the first post stable once we do some more debugging.
May 25 2016
When looking deeper into the report this does look like it asserts in the first access (TextRun::operator[]) in isValidSurrogatePair (i.e. U16_IS_LEAD(run[index])), while in issue 610641 it was the second. So I'm convinced it's not a dupe, and that this is in fact worse off than the other similar looking bug since it may actually end up reading OOB.
May 25 2016
Tried reproing on Mac, but the version was close enough to what pdr had (10.11.4 on the one I tried on), and I failed to reproduce. What version do the bots run?
May 25 2016
I see what Abishek is saying about this being distinct from issue 610641 . This bug likely requires a mac because the fonts on mac better support ligatures and there is some sort of complex surrogate pair ligature bug here. Using the asan-mac build I'm going to try to minimize the test to something we can reproduce on other OSes first. This might require building the branch so I don't really have an ETA.
May 26 2016
Abhishek, I'm having trouble reproducing this locally. I'm using the asan binary and testcase from https://cluster-fuzz.appspot.com/testcase?key=5990532672651264 with the regular ASAN env (verified with --help). I don't see the assert being hit on OSX 10.11.5. I wasn't able to run the local asan script (following up with that separately) but the config looks like it's just a regular load of the page. I also looked at the other reports on clusterfuzz for this but have been similarly unable to reproduce them:
https://cluster-fuzz.appspot.com/testcase?key=4728704802750464 CHECK failed: i < size() in Vector.h @ HEADr395689
https://cluster-fuzz.appspot.com/testcase?key=6065583032631296 CHECK failed: i < size() in Vector.h @ HEADr395684
Could there be a local setting or font required for this to repro?
May 26 2016
This was found on Mac 10.9.5 (version on the CF infra bots), so I am guessing some specific font is required. Looking at git blame, it definitely looks like a regression from either
1. https://chromium.googlesource.com/chromium/src//+/bd627c9a9d79a058525581fc88985da16082b8c7 or
2. https://chromium.googlesource.com/chromium/src//+/14177d51219e4ba4d1381eb6a4486ec5d71020c0
May 26 2016
Regression range on https://cluster-fuzz.appspot.com/testcase?key=5990532672651264 has this CL which could be the regressor too - https://chromium.googlesource.com/chromium/src/+/ec8e7dc866c0edc91cb9c79cd82ea40d2b5e5b58
May 26 2016
To make progress on this bug I think we will need access to a machine like clusterfuzz is running. I'd like to start by trying a generic 10.9 machine like we run on the trybots, and if that doesn't work I'll see if I can get access to one of the cluster fuzz VMs. @wkorman, who can I ask for VNC access to a 10.9.5 trybot machine?
May 26 2016
friedman@ can help you. Probably you can use one of the ones in http://crbug.com/604929. You likely need to request to be added to ganpati groups to have visibility into the try-ssh and chrome-bot passwords in valentine. See: https://chrome-internal.googlesource.com/infra/infra_internal/+/master/doc/ssh.md and the older https://sites.google.com/a/google.com/chrome-infrastructure/golo/remote-access. Then you'll need to get a working VNC client that doesn't prompt for username, and possibly do an ssh tunnel thing as part of that. My notes below.
* ssh and port-forward to allow vnc into mac golo bot on linux workstation:
  % ssh -L 0.0.0.0:8000:127.0.0.1:5900 vm603-m4.golo
  (log in with try-ssh@ password, then chrome-bot)
* on mac: with VNC Viewer, connect to lemur.sfo.corp.google.com:8000 with password for chromebot
May 27 2016
Progress! I've minimized this down to a simple testcase that does reliably crash on OSX 10.9.5:

  <!DOCTYPE HTML>
  <svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
    <text y="10">񵠙︎</text>
  </svg>

I confirmed 10.9.5 is using the "Times" font and I've attached the Times fonts from OSX 10.9.5.
May 27 2016
We're cutting M51 Stable RC on Tuesday, May 31st @ 1:00 PM PST. Please make sure to land the fix and get it merged before then if you'd like to make it into next week's M51 Stable release.
May 27 2016
This shouldn't block the release, but it's a very nice to have.
May 28 2016
Attaching a minimized testcase that repros on OSX 10.11.5. Patch up: https://codereview.chromium.org/2020863002 Once we figured out the root cause, the fix was pretty simple. We should probably merge this into all available channels.
May 30 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/433ceaeabee98073e81d552dee947aa6983efd53

commit 433ceaeabee98073e81d552dee947aa6983efd53
Author: pdr <pdr@chromium.org>
Date: Mon May 30 02:39:04 2016

Guard against invalid glyph shaping results

HarfBuzz can fail to shape all glyphs and will return a shape result shorter than the text length along with debug warnings:
[ERROR:HarfBuzzShaper.cpp(375)] HarfBuzz returned empty glyph buffer after shaping.
[ERROR:HarfBuzzShaper.cpp(672)] Shape result extraction failed.

This patch fixes an SVG crash on the U+180E Mongolian vowel separator by ensuring CachingWordShaper::individualCharacterRanges returns a vector as long as the text run length. A DCHECK and test have been added to protect against this crash in the future.

BUG= 613915
Review-Url: https://codereview.chromium.org/2020863002
Cr-Commit-Position: refs/heads/master@{#396668}

[add] https://crrev.com/433ceaeabee98073e81d552dee947aa6983efd53/third_party/WebKit/LayoutTests/svg/text/invalid-glyph-crash-expected.txt
[add] https://crrev.com/433ceaeabee98073e81d552dee947aa6983efd53/third_party/WebKit/LayoutTests/svg/text/invalid-glyph-crash.html
[modify] https://crrev.com/433ceaeabee98073e81d552dee947aa6983efd53/third_party/WebKit/Source/platform/fonts/Font.cpp
[modify] https://crrev.com/433ceaeabee98073e81d552dee947aa6983efd53/third_party/WebKit/Source/platform/fonts/shaping/CachingWordShaper.cpp
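A simplified model of the defect this commit guards against and of the guard itself, added here as an example; it is not Blink's code. The toy shaper, the padding helper, the invariant check and the metrics consumer are all assumptions chosen to reproduce the shape of the bug (a range vector shorter than the run, and a consumer that indexes the run by position).

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Simplified model, not Blink's code: the shaper returns fewer per-character
// ranges than the run has UTF-16 code units, and the consumer must never let
// that turn into an out-of-bounds read. All names here are assumptions.
struct CharacterRange { float start; float end; };
using TextRun = std::u16string;   // UTF-16 code units, as in Blink's TextRun

// Toy shaper: one range per code unit it can shape; it silently drops U+180E
// (the character named in the fix), modelling "shape result shorter than text".
static std::vector<CharacterRange> shapeRuns(const TextRun& run) {
    std::vector<CharacterRange> ranges;
    float x = 0;
    for (char16_t c : run) {
        if (c == 0x180E) continue;           // shaping failed: no glyph, no range
        ranges.push_back({x, x + 10});
        x += 10;
    }
    return ranges;
}

// The guard the commit describes: pad with empty ranges so that
// ranges.size() == run.size() holds for every caller.
static std::vector<CharacterRange> individualCharacterRanges(const TextRun& run) {
    std::vector<CharacterRange> ranges = shapeRuns(run);
    while (ranges.size() < run.size())
        ranges.push_back({0, 0});
    return ranges;
}

// The invariant the fix's DCHECK asserts; cheap enough to check in callers.
static bool rangesCoverRun(const TextRun& run, const std::vector<CharacterRange>& ranges) {
    return ranges.size() == run.size();
}

// Consumer modelled on addMetricsFromRun: walks run and ranges in lockstep.
// Every run[i] access is bounds-checked, and the surrogate-pair test reads
// run[i + 1] only when that index exists, so a lone lead surrogate at the end
// of the run cannot over-read either.
static int countCharactersWithMetrics(const TextRun& run,
                                      const std::vector<CharacterRange>& ranges) {
    int count = 0;
    std::size_t i = 0;
    while (i < run.size() && i < ranges.size()) {
        bool lead = run[i] >= 0xD800 && run[i] <= 0xDBFF;
        bool pair = lead && i + 1 < run.size() &&
                    run[i + 1] >= 0xDC00 && run[i + 1] <= 0xDFFF;
        if (ranges[i].end > ranges[i].start) ++count;   // empty range: no metrics
        i += pair ? 2 : 1;
    }
    return count;
}
```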
May 30 2016
Adding Merge-Triage label for tracking purposes. Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone. When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. - Your friendly ClusterFuzz
May 31 2016
@TPMs, I'd like to merge this as far as you'll let me. The patch just hardens the code to a simple bug and is not very risky. Requesting merge into 52 at least.
May 31 2016
Your change meets the bar and is auto-approved for M52 (branch: 2743)
May 31 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/6b4e1fe685250d3acc3257631f465863ef518ee8

commit 6b4e1fe685250d3acc3257631f465863ef518ee8
Author: pdr@chromium.org <pdr@chromium.org>
Date: Tue May 31 22:16:47 2016

Guard against invalid glyph shaping results

HarfBuzz can fail to shape all glyphs and will return a shape result shorter than the text length along with debug warnings:
[ERROR:HarfBuzzShaper.cpp(375)] HarfBuzz returned empty glyph buffer after shaping.
[ERROR:HarfBuzzShaper.cpp(672)] Shape result extraction failed.

This patch fixes an SVG crash on the U+180E Mongolian vowel separator by ensuring CachingWordShaper::individualCharacterRanges returns a vector as long as the text run length. A DCHECK and test have been added to protect against this crash in the future.

BUG= 613915
Review-Url: https://codereview.chromium.org/2020863002
Cr-Commit-Position: refs/heads/master@{#396668}
(cherry picked from commit 433ceaeabee98073e81d552dee947aa6983efd53)

Review URL: https://codereview.chromium.org/2020423002 .
Cr-Commit-Position: refs/branch-heads/2743@{#154}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[add] https://crrev.com/6b4e1fe685250d3acc3257631f465863ef518ee8/third_party/WebKit/LayoutTests/svg/text/invalid-glyph-crash-expected.txt
[add] https://crrev.com/6b4e1fe685250d3acc3257631f465863ef518ee8/third_party/WebKit/LayoutTests/svg/text/invalid-glyph-crash.html
[modify] https://crrev.com/6b4e1fe685250d3acc3257631f465863ef518ee8/third_party/WebKit/Source/platform/fonts/Font.cpp
[modify] https://crrev.com/6b4e1fe685250d3acc3257631f465863ef518ee8/third_party/WebKit/Source/platform/fonts/shaping/CachingWordShaper.cpp
Jun 13 2016
Let's try and get this into the planned stable release tomorrow. @pdr - after approval, could you get this merged by 1500 PDT?
Jun 13 2016
[Automated comment] Request affecting a post-stable build (M51), manual review required.
Jun 13 2016
Merge approved for M51 (branch 2704)
Jun 13 2016
Approving merge to M51 branch 2704 based on comment #46, #48 (baked in beta already) and #49. Please merge ASAP.
Jun 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/46829e208fbf201388eec566299b859dedfab823

commit 46829e208fbf201388eec566299b859dedfab823
Author: pdr@chromium.org <pdr@chromium.org>
Date: Mon Jun 13 20:12:19 2016

Guard against invalid glyph shaping results

HarfBuzz can fail to shape all glyphs and will return a shape result shorter than the text length along with debug warnings:
[ERROR:HarfBuzzShaper.cpp(375)] HarfBuzz returned empty glyph buffer after shaping.
[ERROR:HarfBuzzShaper.cpp(672)] Shape result extraction failed.

This patch fixes an SVG crash on the U+180E Mongolian vowel separator by ensuring CachingWordShaper::individualCharacterRanges returns a vector as long as the text run length. A DCHECK and test have been added to protect against this crash in the future.

BUG= 613915
Review-Url: https://codereview.chromium.org/2020863002
Cr-Commit-Position: refs/heads/master@{#396668}
(cherry picked from commit 433ceaeabee98073e81d552dee947aa6983efd53)

Review URL: https://codereview.chromium.org/2063813003 .
Cr-Commit-Position: refs/branch-heads/2704@{#716}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[add] https://crrev.com/46829e208fbf201388eec566299b859dedfab823/third_party/WebKit/LayoutTests/svg/text/invalid-glyph-crash-expected.txt
[add] https://crrev.com/46829e208fbf201388eec566299b859dedfab823/third_party/WebKit/LayoutTests/svg/text/invalid-glyph-crash.html
[modify] https://crrev.com/46829e208fbf201388eec566299b859dedfab823/third_party/WebKit/Source/platform/fonts/Font.cpp
[modify] https://crrev.com/46829e208fbf201388eec566299b859dedfab823/third_party/WebKit/Source/platform/fonts/shaping/CachingWordShaper.cpp
Sep 5 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, May 23 2016
Components: Blink>SVG
Owner: f...@opera.com
Status: Assigned (was: Available)