
Issue 614211 link

Starred by 0 users

Issue metadata

Status: Verified
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 1
Type: Bug




Crash in CPDFSDK_PageView::GetPageIndex

Project Member Reported by ClusterFuzz, May 23 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4844167381647360

Fuzzer: ifratric_acrojs
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  CPDFSDK_PageView::GetPageIndex
  Document::pageNum
  void JSPropGetter<Document, &
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=393862:393893

Minimized Testcase (312.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv940Fk97h91Iy_xT7MpjZCboOadSq1SiSjAaWS9ghnqeFQ8D6WpsD2uBZC9gGR7wuAHjqp3SzvWCjNAuHm4XPVepx2cC_L0qlJOZDBGZPgcJlH26B5ZR9fbqdCtFM1CrhrnEv4N07P1YrGnzLdp6MbJAuG9mVYOJfyjRpxvSxCbHdFE2o6Q

Filer: pucchakayala

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Tools>Test>FindIt>CorrectResult
Labels: Te-Logged M-53
Owner: verwa...@chromium.org
Status: Assigned (was: Available)
Suspected CLs: No CL in the regression range changes the crashed files. The result is the blame information.

Author: Lei Zhang
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/94293688e82ee6a979478fa983e217549c44e3c2
Time: Wed Jan 27 18:27:56 2016 -0800
The CL last changed line 33 of file fpdfxfa_doc.h, which is stack frame 0.

Author: Tom Sepez
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/bf59a070593d079256161f6ff47148df309668c7
Time: Wed Oct 21 14:07:23 2015 -0700
The CL last changed line 472 of file fsdk_mgr.h, which is stack frame 1.

Author: Tom Sepez
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/50d12ada784ad3ba3f9ed6935d59f1ce828695e5
Time: Tue Nov 24 09:50:51 2015 -0800
The CL last changed line 996 of file fsdk_mgr.cpp, which is stack frame 2.

Author: Nico Weber
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/9d8ec5a6e37e8d1d4d4edca9040de234e2d4728f
Time: Tue Aug 04 13:00:21 2015 -0700
The CL last changed line 211 of file Document.cpp, which is stack frame 3.

Author: Tom Sepez
Project: chromium-pdfium
Changelist: https://pdfium.googlesource.com/pdfium.git/+/dfbf8e7ba55695c4e6cb30eadbe9c6a2955815ba
Time: Wed Oct 14 14:17:26 2015 -0700
The CL last changed line 90 of file JS_Define.h, which is stack frame 4.

Author: verwaest
Project: chromium-v8
Changelist: https://chromium.googlesource.com/v8/v8.git/+/3f027300dc25b38d2c99cf35d590b09e2111ca61
Time: Thu Mar 10 15:45:28 2016
The CL last changed line 129 of file api-arguments.h, which is stack frame 5.

Author: verwaest
Project: chromium-v8
Changelist: https://chromium.googlesource.com/v8/v8.git/+/3f027300dc25b38d2c99cf35d590b09e2111ca61
Time: Thu Mar 10 15:45:28 2016
The CL last changed line 1165 of file objects.cc, which is stack frame 6.

Suspected Project: chromium-pdfium
Owner: dsinclair@chromium.org
A quick glance at the changelist makes me suspect https://chromium.googlesource.com/chromium/src/+/08e9434b6f4938517755815da37752b0cd906be7
There was no relevant V8 change in the range; and "suspected project" points at pdfium anyway...
Components: Internals>Plugins>PDF
Status: Started (was: Assigned)
Cc: tsepez@chromium.org thestig@chromium.org jochen@chromium.org jinming_...@foxitsoftware.com
The asan bug started after https://codereview.chromium.org/1652873003/ but I have a feeling that just uncovered some other underlying issue.
Cc: ranjitkan@chromium.org dsinclair@chromium.org
Issue 613471 has been merged into this issue.
This only happens when we run in Chromium, doesn't seem to happen in pdfium_test. It looks like this has something to do with the isolates in that the data we're getting back is in a weird state.

We have the pointer to the object, the object destructor hasn't been called, but the members are wiped out?
This looks like it's a problem in pdfium_engine.cc. There are two issues that I see in there.

In PDFiumEngine::CheckPageAvailable there is an if (!FPDFAvail_IsPageAvail()) but FPDFAvail_IsPageAvail returns 3 possible values, -1, 0 or 1 for ERROR, NOTAVAIL or AVAIL. We need to correctly handle the ERROR case and set that the data is not available.

Then, in PDFiumEngine::FinishLoadingDocument, we call FPDFAvail_IsPageAvail() but don't check the return value. It's possible that this can also return ERROR or NOT_AVAIL.

This means we can have a non-available page which, when we call the JS document open, can give us bad data back when we try to access the page we assume exists.

Potential fix up at: https://codereview.chromium.org/2030953003/
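The two checks described in the comment above, as an added stand-alone example that is not code from pdfium or from the Chromium bug. The constant names mirror pdfium's public data-availability header but are defined locally with the values the comment quotes (-1, 0, 1), and FakeIsPageAvail() is a constructed stand-in for FPDFAvail_IsPageAvail() so the file compiles without pdfium. It shows why a two-way `!` test on a three-way result lets the ERROR case through as "available", and why a loader that drops the return value entirely marks every page loaded.

```cpp
#include <cstdio>
#include <map>

// Stand-in for pdfium's FPDFAvail_IsPageAvail() result codes. Names mirror
// fpdf_dataavail.h; values are the ones quoted in the comment above.
// Defined locally so this example has no pdfium dependency.
constexpr int PDF_DATA_ERROR = -1;
constexpr int PDF_DATA_NOTAVAIL = 0;
constexpr int PDF_DATA_AVAIL = 1;

// Constructed availability table standing in for a partially downloaded
// linearized document: page 0 is fully present, page 1 is still pending,
// page 2 hit a download/parse error. Any other index is treated as an error.
static int FakeIsPageAvail(int page_index) {
  static const std::map<int, int> kPages = {
      {0, PDF_DATA_AVAIL}, {1, PDF_DATA_NOTAVAIL}, {2, PDF_DATA_ERROR}};
  auto it = kPages.find(page_index);
  return it == kPages.end() ? PDF_DATA_ERROR : it->second;
}

// The pattern the comment describes: a boolean test on a three-valued result.
// !PDF_DATA_ERROR is !(-1), which is false, so ERROR falls through to the
// "available" path and the page is later assumed to exist.
bool BuggyCheckPageAvailable(int page_index) {
  if (!FakeIsPageAvail(page_index))
    return false;  // only NOTAVAIL (0) lands here
  return true;     // AVAIL (1) and ERROR (-1) both land here
}

// Corrected form: compare against the single success value, so both
// NOTAVAIL and ERROR are reported as "not available".
bool FixedCheckPageAvailable(int page_index) {
  return FakeIsPageAvail(page_index) == PDF_DATA_AVAIL;
}

// Mirrors the second point in the comment: the availability API is called
// but its return value is dropped, so every page counts as loaded.
bool IgnoreResultCheck(int page_index) {
  FakeIsPageAvail(page_index);  // result discarded
  return true;
}

// Walk a document of page_count pages with a given check and report how many
// pages the loader would mark as available.
int CountPagesMarkedAvailable(int page_count, bool (*check)(int)) {
  int available = 0;
  for (int i = 0; i < page_count; ++i)
    if (check(i)) ++available;
  return available;
}

int main() {
  std::printf("buggy !check  : %d of 3 pages marked available\n",
              CountPagesMarkedAvailable(3, BuggyCheckPageAvailable));
  std::printf("result ignored: %d of 3 pages marked available\n",
              CountPagesMarkedAvailable(3, IgnoreResultCheck));
  std::printf("== AVAIL check: %d of 3 pages marked available\n",
              CountPagesMarkedAvailable(3, FixedCheckPageAvailable));
  return 0;
}
```

Only the last line reports the single page that is actually present; the other two policies admit the page whose availability call failed, which is the state in which JavaScript reached a page object with wiped-out members in the crash above.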
Labels: OS-Chrome OS-Linux OS-Windows
I think this is the actual solution: https://codereview.chromium.org/2045013004/

tsepez: BTW, this is a nullptr deref -> can we remove the view restrictions?
Cc: -thestig@chromium.org -jinming_...@foxitsoftware.com
Owner: thestig@chromium.org
Status: Fixed (was: Started)
Chromium picked up the fix in r398836.
Project Member

Comment 12 by ClusterFuzz, Jun 9 2016

ClusterFuzz has detected this issue as fixed in range 398833:398850.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4844167381647360

Fuzzer: ifratric_acrojs
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  CPDFSDK_PageView::GetPageIndex
  Document::pageNum
  void JSPropGetter<Document, &
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=393862:393893
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=398833:398850

Minimized Testcase (312.17 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94T9Fw7E4vzjPepANczc-XKqw67AI5EZ6bHe5h62Cu7TEfFeyXHzGZiZdUJ6Z_SU6sijiaz6SJWFtMnOiiPJ4ad2rG4M7xINxrFbLlgPBQnaqIBW3i61HyUIqAhvU6sfS9wbZ0VsL_J67NSkB5sndxvvqGwT9H8mnAHVSKl7vCeV9yAhqo

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Verified (was: Fixed)
Project Member

Comment 14 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
