Brief triage:
  1) we're drawing a text glyph with an opaque color to
     an 8888 dst
  2) the complaint is that the argument to Load4(), 
     the dst pointer 0x1030f2f60486, is an unknown address
  3) it should not be possible to have an 8888 dst pointer
     like this that does not have 4 byte alignment 
  4) it's unclear what pixel within the glyph that dst pointer
     corresponds to, but by the stack pointing to Sk4px.h:177,
     it's 4-7 pixels away from the right edge of the glyph

I don't suspect anything on the stack lower than 
SkBlitMask::BlitColor() or so is to blame.  That's
where we first calculate the base dst pointer.  3)
has me thinking this might be an invalid rowBytes,
which points way up the stack.

Here's what's happening:

  1) Blink's feeding Skia nonsense coordinates to draw text at, e.g. (-0.58, +Inf), (1.5, NaN).
  2) Skia's mapping those through the matrix, converting to int, and drawing at those coordinates.
  3) Where we'd expect to look for pathological cases (inverted rect, empty rect, etc) instead we're asserting they don't happen.

So in a debug build, this immediately hits an assert, and in a release build it blows right on through.

CL coming, hopefully.

+inferno

Ever thought of running these fuzzes through a debug or release-with-asserts build after identifying and minimizing them?  The failing assert would have been nice addition to the report.

you can always reupload the testcase to get debug stack using https://cluster-fuzz.appspot.com/#uploadusertestcase, select linux_debug_* job type. for non-v8 job types, we run it by default with debug build as well and add the stack.

Just out of curiosity, why exclude v8 job types?

v8 job type uses tip of trunk v8 and we get v8 revision in report, so it is kind of confusing. since this is crashing in skia, so better to upload in regular chrome debug job type.

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/875e13ca0990e32da9db639743a913efe77f7e89

commit 875e13ca0990e32da9db639743a913efe77f7e89
Author: mtklein <mtklein@chromium.org>
Date: Sun Jun 19 12:28:33 2016

Simplify mask/clip intersection, making sure to explicitly check for an empty mask.

Previously we were only asserting the mask wasn't empty, which isn't necessarily true when we're given pathological float coordinates like +Inf or NaN.

A local run of nanobench --match text_ was not able to show this is faster or slower.

This patch fixed this first Chrome bug on my desktop, and the second is probably a dupe.
BUG= chromium:619378 , chromium:613912 

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2073873002

Review-Url: https://codereview.chromium.org/2073873002

[modify] https://crrev.com/875e13ca0990e32da9db639743a913efe77f7e89/src/core/SkDraw.cpp
[modify] https://crrev.com/875e13ca0990e32da9db639743a913efe77f7e89/tests/DrawTextTest.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9e60626f1eff0762824242bd6513faf9712e999b

commit 9e60626f1eff0762824242bd6513faf9712e999b
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Sun Jun 19 13:35:03 2016

Roll src/third_party/skia/ cc3a22b36..875e13ca0 (1 commit).

https://chromium.googlesource.com/skia.git/+log/cc3a22b369e1..875e13ca0990

$ git log cc3a22b36..875e13ca0 --date=short --no-merges --format='%ad %ae %s'
2016-06-19 mtklein Simplify mask/clip intersection, making sure to explicitly check for an empty mask.

BUG= 619378 , 613912 

CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel
TBR=brianosman@google.com

Review-Url: https://codereview.chromium.org/2074343002
Cr-Commit-Position: refs/heads/master@{#400619}

[modify] https://crrev.com/9e60626f1eff0762824242bd6513faf9712e999b/DEPS

This and 613912 look good at head now.

Does this require a merge to M52?

I guess?  It's probably been present since Chrome M1.

Yep, would be good to get this into M52.

[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

Before we approve merge to M52, Could you please confirm whether this change is baked/verified in Canary and safe to merge?

I'm not really sure what it means to have a change baked.  Can you clarify that?  Is that just... people have been running it a while?

I tested the minimized reproduction cases for this and 613912 at tip-of-tree a couple hours ago.  No assert, no crash, and the drawing looks sensible.

The CL itself only affects the case where Blink passes NaN to Skia as a coordinate to draw text at.  That's a meaningless request, so I wouldn't expect to see that case outside of the fuzzer.

ClusterFuzz has detected this issue as fixed in range 37060:37109.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6224605513777152

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_chrome_v8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x10389203c486
Crash State:
  Sk4px::Load4
  void Sk4px::MapDstAlpha<sk_ssse3::blit_mask_d32_a8_opaque
  sk_ssse3::blit_mask_d32_a8_opaque
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8&range=35065:35144
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8&range=37060:37109

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95vImjzR3dpHO-sD3g9-4-x1Yw1frTvdt9FVX5jkpPlIOrgj4UpvTeHsoYw9EySq69h5PXS53Yi8JsNzUOGWiwzUVaTEDZDexBVopcT87At2BmhqN_XKAy13ETdxaQBigotjqjqzkURxGEF5HUNHTlOs7_Cmw?testcase_id=6224605513777152
<style>
   * { writing-mode: vertical-lr; letter-spacing: 170141183460469231731687303715884105727mm;</style>
  븿z

Approving merge to M52 branch 2743 based on comment #19 and #20. Please merge ASAP possibly before 4:00 PM PST today so we can take it for this week Beta release. Thank you.

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/c20d6706cc0220956c43a020a1a71c4e73a468e0

commit c20d6706cc0220956c43a020a1a71c4e73a468e0
Author: mtklein <mtklein@chromium.org>
Date: Tue Jun 21 19:03:37 2016

Cherry-pick 875e13ca0 to M52.

TBR=

Original description:
    Simplify mask/clip intersection, making sure to explicitly check for an empty mask.

    Previously we were only asserting the mask wasn't empty, which isn't necessarily true when we're given pathological float coordinates like +Inf or NaN.

    A local run of nanobench --match text_ was not able to show this is faster or slower.

    This patch fixed this first Chrome bug on my desktop, and the second is probably a dupe.
    BUG= chromium:619378 , chromium:613912 

    GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2073873002

    Review-Url: https://codereview.chromium.org/2073873002
GOLD_TRYBOT_URL= https://gold.skia.org/search2?unt=true&query=source_type%3Dgm&master=false&issue=2085023002
NOTREECHECKS=true
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2085023002

[modify] https://crrev.com/c20d6706cc0220956c43a020a1a71c4e73a468e0/src/core/SkDraw.cpp
[modify] https://crrev.com/c20d6706cc0220956c43a020a1a71c4e73a468e0/tests/DrawTextTest.cpp

 Issue 622356  has been merged into this issue.

 Issue 623188  has been merged into this issue.

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot