Heap-use-after-free in cc::DrawPolygon::Split
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5500578197405696
Fuzzer: inferno_twister
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7d1800047160
Crash State:
  cc::DrawPolygon::Split
  cc::BspTree::BuildTree
  cc::BspTree::BuildTree
Minimized Testcase (4.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96fx61TmB6jc1luWgy6CtBLRM3vnPD-aHV_x6jsmDZMwimC7CYI37ldRfH6VHr83aRboUurWQsFeanw95ZoX1ydFzsC7-IZeB0EDeom4pXCoBMOcGQQ5oZNUID12raI2nKvrzQ8_HIltFGpQAO59tqHX0u56w
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 16 2016

Jun 16 2016

Jun 16 2016
Btw, the stack trace looks like we are missing inlined frames:
#1 0x7fef76d28e29 in cc::DrawPolygon::Split(cc::DrawPolygon const&, std::__1::unique_ptr<cc::DrawPolygon, std::__1::default_delete<cc::DrawPolygon> >*, std::__1::unique_ptr<cc::DrawPolygon, std::__1::default_delete<cc::DrawPolygon> >*) buildtools/third_party/libc++/trunk/include/memory:1740:31
This is similar to b/29090668. The MSan bug 613901 with the same stack trace does not have this problem.
Jun 17 2016

Jun 23 2016
ClusterFuzz has detected this issue as fixed in range 401416:401447.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5500578197405696
Fuzzer: inferno_twister
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x7d1800047160
Crash State:
  cc::DrawPolygon::Split
  cc::BspTree::BuildTree
  cc::BspTree::BuildTree
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=401416:401447
Minimized Testcase (4.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96fx61TmB6jc1luWgy6CtBLRM3vnPD-aHV_x6jsmDZMwimC7CYI37ldRfH6VHr83aRboUurWQsFeanw95ZoX1ydFzsC7-IZeB0EDeom4pXCoBMOcGQQ5oZNUID12raI2nKvrzQ8_HIltFGpQAO59tqHX0u56w?testcase_id=5500578197405696
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jun 23 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.

Jun 23 2016
Adding Merge-Triage label for tracking purposes. Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone. When your merge is approved by the release manager, please start merging with the higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. - Your friendly ClusterFuzz
Jun 24 2016

Jun 26 2016

Jun 27 2016
Before we approve merge to M52, could you please confirm whether this change is baked/verified in Canary and safe to merge?

Jun 27 2016
Your change meets the bar and is auto-approved for M52 (branch: 2743).

Jul 1 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jul 5 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jul 8 2016

Jul 12 2016

Jul 12 2016
Hello! Please merge to M52 by 5pm PDT today (Tuesday 12th) if at all possible. Cheers!

Jul 12 2016
It's been done. The CL is https://codereview.chromium.org/2136493002/ - it just didn't have the right bug number attached.
Jul 12 2016
Ah, sorry. Many thanks!

Jul 13 2016

Jul 14 2016
Reply to comment #17: could you please confirm that https://codereview.chromium.org/2136493002/ is merged to M52? I don't see that it has been merged to M52 yet.

Jul 14 2016
It's commit 0ff47b330484b53d2e0381a55eaebcf6aac2499d.

Jul 14 2016
OK, thank you.

Jul 14 2016
It looks like it didn't make it to M53, either. Should probably cherry-pick it there too.

Jul 14 2016
Please request a merge to M53 by applying the Merge-Request-53 label. Thank you.

Jul 14 2016
I've done that on the bug that the original CL references (crbug.com/606984).

Jul 14 2016
For tracking purposes, the M53 merge CL is https://codereview.chromium.org/2151893002

Jul 14 2016
OK, thank you (M53 merge is also done - https://bugs.chromium.org/p/chromium/issues/detail?id=606984#c29).
Jul 29 2016
,
Sep 30 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
Comment 1 by mmoroz@chromium.org, Jun 16 2016