Crash in blink::HarfBuzzFace::createFace
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6072329860022272
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_chrome_v8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::HarfBuzzFace::createFace
  blink::HarfBuzzFace::HarfBuzzFace
  blink::FontPlatformData::harfBuzzFace
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv9439zRQolQxTAx15ZEjqIaMKOJSXR3AG7oeVQTh2LNww2zsp_QZ9qN8lWtjn4ZCFoAbnLSUn3eS2oXmo9GVry0H3burcy0sQpDoNLobj9bhXhd4c_MDov-mrQtDZ6-i_OIfjcDaLVDo3FFXN9_DJFYgvMwKKl2MKvikpPS62ne5TCBYO9E?testcase_id=6072329860022272
Additional requirements: Requires Gestures
Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 28 2016
Jun 28 2016
Unable to reproduce and clusterfuzz doesn't provide a regression range or even a revision. Requesting another clusterfuzz run.
Jul 2 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6072329860022272
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_chrome_v8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::HarfBuzzFace::createFace
  blink::HarfBuzzFace::HarfBuzzFace
  blink::FontPlatformData::harfBuzzFace
Regressed: V8: r37284:37301
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv9439zRQolQxTAx15ZEjqIaMKOJSXR3AG7oeVQTh2LNww2zsp_QZ9qN8lWtjn4ZCFoAbnLSUn3eS2oXmo9GVry0H3burcy0sQpDoNLobj9bhXhd4c_MDov-mrQtDZ6-i_OIfjcDaLVDo3FFXN9_DJFYgvMwKKl2MKvikpPS62ne5TCBYO9E?testcase_id=6072329860022272
Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 5 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5890531108585472
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::HarfBuzzFace::createFace
  blink::HarfBuzzFace::HarfBuzzFace
  blink::FontPlatformData::harfBuzzFace
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=403437:403457
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96xlM-Ur1FjQj1vP2ERXLr_yOtRH6nHSYk5HaO6qAZ8ckFyFGEzT-nQ50e_AdhcHqfdhvWrb6EG-C_R18JjUaHrLVEJJyhKdepJ3H6Iajk3bOunQqcdtjMQKksbkU7-VNUkaZCGNEc_5irW4hxz4oC-Yj4a0w?testcase_id=5890531108585472
Additional requirements: Requires Gestures
Filer: ssamanoori

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 5 2016
Not reproducible in 24 runs using the reproduction scripts, config and build from the report.
Jul 5 2016
Anyway, speculative fix here: https://codereview.chromium.org/2127553003
Jul 6 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/2204caeff04f85a6445606ab962f8d06145addd8

commit 2204caeff04f85a6445606ab962f8d06145addd8
Author: drott <drott@chromium.org>
Date: Wed Jul 06 09:13:27 2016

Speculative nullptr dereference fix for HarfBuzz face creation

BUG= 624088

Review-Url: https://codereview.chromium.org/2127553003
Cr-Commit-Position: refs/heads/master@{#403873}

[modify] https://crrev.com/2204caeff04f85a6445606ab962f8d06145addd8/third_party/WebKit/Source/platform/fonts/shaping/HarfBuzzFace.cpp
Jul 6 2016
Jul 6 2016
Jul 7 2016
Your change meets the bar and is auto-approved for M53 (branch: 2785)
Jul 10 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 12 2016
ClusterFuzz has detected this issue as fixed in range 403869:403874.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5890531108585472
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::HarfBuzzFace::createFace
  blink::HarfBuzzFace::HarfBuzzFace
  blink::FontPlatformData::harfBuzzFace
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=403437:403457
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=403869:403874
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96xlM-Ur1FjQj1vP2ERXLr_yOtRH6nHSYk5HaO6qAZ8ckFyFGEzT-nQ50e_AdhcHqfdhvWrb6EG-C_R18JjUaHrLVEJJyhKdepJ3H6Iajk3bOunQqcdtjMQKksbkU7-VNUkaZCGNEc_5irW4hxz4oC-Yj4a0w?testcase_id=5890531108585472
Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
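The two ClusterFuzz testcases in this thread (keys 6072329860022272 and 5890531108585472) came from different fuzzers and job types but were tracked as one bug because they share the same crash type and crash state, and the fix was confirmed against the second one. The following Python triage helper is an added example, not code from the Chromium issue, ClusterFuzz or HarfBuzz: it parses report text of the run-together shape quoted above into fields, builds the crash-type-plus-crash-state signature that deduplication keys on, and flags a READ at address 0x0 as a probable null-pointer dereference (consistent with the "Speculative nullptr dereference fix" landed for this bug). The field labels are the ones that appear in the reports; the null-page threshold, the function and class names, and the abridged sample reports (download URLs dropped) are assumptions made for the example.

```python
"""Triage helper for ClusterFuzz-style crash reports (added example)."""
import re
from dataclasses import dataclass, field

# Field labels exactly as they appear in the reports quoted in the thread.
FIELDS = (
    "Detailed report", "Fuzzer", "Job Type", "Platform Id", "Crash Type",
    "Crash Address", "Crash State", "Regressed", "Fixed",
    "Unminimized Testcase", "Additional requirements", "Filer",
)

# Assumption (not from the page): a faulting address inside the first page
# is treated as a NULL dereference, since `ptr->member` with ptr == nullptr
# faults at a small offset from zero.
NULL_PAGE = 0x1000

_LABEL_RE = re.compile(r"(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s*")


@dataclass
class CrashReport:
    fields: dict = field(default_factory=dict)

    @property
    def crash_state(self):
        """Top frames of the crash; whitespace-separated in the report text."""
        return tuple(self.fields.get("Crash State", "").split())

    @property
    def address(self):
        return int(self.fields.get("Crash Address", "0x0"), 16)

    def signature(self):
        """Crash type plus crash state: the key testcases are deduplicated on."""
        return (self.fields.get("Crash Type", ""),) + self.crash_state

    def classify(self):
        ctype = self.fields.get("Crash Type", "")
        if ctype.endswith(("READ", "WRITE")) and self.address < NULL_PAGE:
            return "null-deref"
        return ctype.lower() or "unknown"


def parse_report(text):
    """Split a run-together report into {label: value}; text before the first label is dropped."""
    parts = _LABEL_RE.split(text)  # [preamble, label1, value1, label2, value2, ...]
    report = CrashReport()
    for i in range(1, len(parts) - 1, 2):
        report.fields[parts[i]] = parts[i + 1].strip()
    return report


def group_by_signature(reports):
    """Bucket reports that share a signature, i.e. that are the same bug."""
    groups = {}
    for r in reports:
        groups.setdefault(r.signature(), []).append(r)
    return groups


def triage(texts):
    """Parse each report and return {signature: (classification, [fuzzers])}."""
    reports = [parse_report(t) for t in texts]
    return {
        sig: (rs[0].classify(), [r.fields.get("Fuzzer") for r in rs])
        for sig, rs in group_by_signature(reports).items()
    }


# Abridged copies of the two reports from the thread (testcase download URLs omitted).
REPORT_A = (
    "Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6072329860022272 "
    "Fuzzer: mbarbella_js_mutation_layout Job Type: linux_asan_chrome_v8 Platform Id: linux "
    "Crash Type: UNKNOWN READ Crash Address: 0x000000000000 "
    "Crash State: blink::HarfBuzzFace::createFace blink::HarfBuzzFace::HarfBuzzFace "
    "blink::FontPlatformData::harfBuzzFace Regressed: V8: r37284:37301 "
    "Additional requirements: Requires Gestures Filer: mmohammad"
)
REPORT_B = (
    "Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5890531108585472 "
    "Fuzzer: ochang_domfuzzer Job Type: linux_asan_chrome_mp Platform Id: linux "
    "Crash Type: UNKNOWN READ Crash Address: 0x000000000000 "
    "Crash State: blink::HarfBuzzFace::createFace blink::HarfBuzzFace::HarfBuzzFace "
    "blink::FontPlatformData::harfBuzzFace "
    "Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=403437:403457 "
    "Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=403869:403874 "
    "Additional requirements: Requires Gestures Filer: ssamanoori"
)

if __name__ == "__main__":
    for sig, (kind, fuzzers) in triage([REPORT_A, REPORT_B]).items():
        print(kind, "in", sig[1], "found by", ", ".join(fuzzers))
```

Splitting on the known labels rather than on whitespace is what keeps values such as "Regressed: V8: r37284:37301" (which itself contains colons) intact; the signature deliberately ignores the fuzzer, job type and testcase key, which is why both reports collapse into one bucket.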
Jul 14 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 15 2016
Please merge your change to M53 branch 2785 ASAP (latest by 4:00 PM PST on Monday, 07/18) in order to make it to M53 dev release next week before Beta promotion.
Jul 18 2016
Gentle ping: drott@, as per c#15, could you please merge your change.
Jul 18 2016
Oops, I was wrong, very sorry. The approval was added on Comment 11.
Jul 18 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/76b9508019a9af2e43674ebfcc7bfd35b951ed80

commit 76b9508019a9af2e43674ebfcc7bfd35b951ed80
Author: Dominik Röttsches <drott@chromium.org>
Date: Mon Jul 18 09:07:31 2016

Speculative nullptr dereference fix for HarfBuzz face creation

BUG= 624088

Review-Url: https://codereview.chromium.org/2127553003
Cr-Commit-Position: refs/heads/master@{#403873}
(cherry picked from commit 2204caeff04f85a6445606ab962f8d06145addd8)

Review URL: https://codereview.chromium.org/2159663002 .

Cr-Commit-Position: refs/branch-heads/2785@{#176}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[modify] https://crrev.com/76b9508019a9af2e43674ebfcc7bfd35b951ed80/third_party/WebKit/Source/platform/fonts/shaping/HarfBuzzFace.cpp
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Jun 28 2016
Status: Assigned (was: Available)