
Issue 626714

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 628222
Owner: ----
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Crash in std::__1::basic_stringbuf<char, std::__1::char_traits<char>, std::__1::allocator

Project Member Reported by ClusterFuzz, Jul 8 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4749635575087104

Fuzzer: sugoi_filter_fuzzer
Job Type: linux_asan_filter_fuzz_stub_32bit
Platform Id: linux

Crash Type: UNKNOWN WRITE
Crash Address: 0x00000000
Crash State:
  std::__1::basic_stringbuf<char, std::__1::char_traits<char>, std::__1::allocator
  main
  _dl_find_dso_for_object
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=344473:344607

Minimized Testcase (0.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv970Td8D-eubRg1_UOBYGOQy2SoStUNcNBVXZgPsZIYsnU2pS-e8OHed1imfxDu0NSOaiBjQTMtpHNGFbFm4YmJ6XsmymhoeM4R4L6YZfIpTuget4do_KI307BFqfXGsRBepTphtZj0M_-lJMoX_GWJWO4o5ew?testcase_id=4749635575087104

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ananta@chromium.org jbroman@chromium.org
Labels: Needs-triage Te-Logged M-52

From findit tool:

	No CL in the regression range changes the crashed files. The result is the blame information.

Author: erg@google.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/eae9c0623d1800201739b4be146649103a45cd93
Time: Tue Jan 11 00:50:59 2011
The CL last changed line 782 of file logging.cc, which is stack frame 2.

Author: erg@google.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/eae9c0623d1800201739b4be146649103a45cd93
Time: Tue Jan 11 00:50:59 2011
The CL last changed line 504 of file logging.cc, which is stack frame 3.

Author: sugoi@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6e8e4f83184b28130f22cc8ec184832b0d7aba2a
Time: Mon Nov 18 23:35:21 2013
The CL last changed line 49 of file filter_fuzz_stub.cc, which is stack frame 4.

Author: sugoi@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6e8e4f83184b28130f22cc8ec184832b0d7aba2a
Time: Mon Nov 18 23:35:21 2013
The CL last changed line 66 of file filter_fuzz_stub.cc, which is stack frame 5.

Author: sugoi@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6e8e4f83184b28130f22cc8ec184832b0d7aba2a
Time: Mon Nov 18 23:35:21 2013
The CL last changed line 85 of file filter_fuzz_stub.cc, which is stack frame 6.

Suspected Project: chromium
Cc: robertphillips@chromium.org senorblanco@chromium.org
Components: Internals>Skia
Looks like memory allocation in std::ostringstream is failing while constructing the log message. I'm wondering whether something is managing to use up a ton of memory and this just happens to be the thing that finally fails.

Given that, I'd look at the Skia revision range:
https://chromium.googlesource.com/skia/+log/d1c6b7c5007b5c609b44a9cdfe95ef64a5a8f29f..499ababa52f3ac4fccf957979713abe58be1584a?pretty=fuller

There is stuff in there that seems to touch the flattening/unflattening of SkImageFilters, which is what filter_fuzz_stub tests.
Labels: -M-52 -Needs-triage
Status: Untriaged (was: Available)
Comment 4 by ClusterFuzz (Project Member), Aug 5 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6712858899644416

Fuzzer: sugoi_filter_fuzzer
Job Type: linux_asan_filter_fuzz_stub_32bit
Platform Id: linux

Crash Type: UNKNOWN WRITE
Crash Address: 0x00000000
Crash State:
  std::__1::basic_stringbuf<char, std::__1::char_traits<char>, std::__1::allocator
  _dl_find_dso_for_object
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=344473:344607

Minimized Testcase (0.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94rsINxbHUoR0e4A5bN37xZLbFA-toq1ElLDNFltn4bl7WxrjkFHzLCOMNUq1zGFu4IGrdGFRjsrszYbaoLl5pQ22JyDDY2pgbnilC9rLZ0BXTyRso_2Nbq56YZiFhfNDOIYNiP_ZDUVdb3aAbc6SVF2PYk1w?testcase_id=6712858899644416

Issue manually filed by: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 7 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
This issue is not fixed, could someone please take a look?

[2017-03-29 07:25:36 UTC] clusterfuzz-linux-0465: Progression task started: r460282.
[2017-03-29 07:28:31 UTC] clusterfuzz-linux-0465: Progression task finished.

Thank you.
Mergedinto: 628222
Status: Duplicate (was: Untriaged)
AFAICT this is a duplicate of crbug.com/628222

In two cases I checked we have:

REVISION 404340

soft rss limit exhausted (512Mb vs 629Mb)
allocator_may_return_null=1

REVISION 460664

soft rss limit exhausted (512Mb vs 560Mb)
allocator_may_return_null=1
failing allocation: new SkMallocPixelRef 
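The two reproductions above describe the same failure mode: with a soft RSS limit and allocator_may_return_null=1, an allocation comes back as nullptr instead of aborting, and the later Comment 10 stack (SkBitmap::tryAllocPixels -> SkMallocPixelRef::MakeZeroed -> SkPixelRef::SkPixelRef) shows that result being used as if it were valid, giving a null-dereference WRITE. The following is an added example, not code from this issue, from Skia or from Chromium; BudgetedAllocator, PixelBuffer, MakeZeroed and TryAllocPixels are invented names that stand in for the real pixel-ref path. It shows the allocation failure being checked and propagated so that an oversized or fuzzed image degrades to a reported failure rather than a write through null, and it also refuses size computations that would overflow.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <new>
#include <utility>

// Constructed stand-in for an allocator running under a soft RSS limit with
// allocator_may_return_null=1: once the byte budget is spent, requests get
// nullptr back rather than an abort.  Hypothetical type, not a Skia or ASan API.
class BudgetedAllocator {
 public:
  explicit BudgetedAllocator(size_t budget_bytes) : remaining_(budget_bytes) {}

  void* Alloc(size_t bytes) {
    if (bytes > remaining_) return nullptr;  // "soft rss limit exhausted" -> null
    void* p = ::operator new(bytes, std::nothrow);
    if (p) remaining_ -= bytes;
    return p;
  }
  void Free(void* p) { ::operator delete(p); }

 private:
  size_t remaining_;
};

// Hypothetical pixel buffer: the analogue of a pixel ref wrapping a heap block.
struct PixelBuffer {
  uint8_t* pixels = nullptr;
  size_t bytes = 0;
  BudgetedAllocator* owner = nullptr;
  ~PixelBuffer() {
    if (pixels) owner->Free(pixels);
  }
};

// Checked "MakeZeroed": returns nullptr when the backing allocation fails
// instead of zero-filling through a null pointer.  Size arithmetic is guarded
// so a hostile width/height/bpp cannot wrap to a small allocation.
std::unique_ptr<PixelBuffer> MakeZeroed(BudgetedAllocator& a, size_t width,
                                        size_t height, size_t bytes_per_pixel) {
  if (width != 0 && height > SIZE_MAX / width) return nullptr;
  size_t pixel_count = width * height;
  if (bytes_per_pixel != 0 && pixel_count > SIZE_MAX / bytes_per_pixel) return nullptr;
  size_t bytes = pixel_count * bytes_per_pixel;

  void* mem = a.Alloc(bytes);
  if (mem == nullptr) return nullptr;  // the check the crashing path lacked
  std::memset(mem, 0, bytes);

  auto buf = std::make_unique<PixelBuffer>();
  buf->pixels = static_cast<uint8_t*>(mem);
  buf->bytes = bytes;
  buf->owner = &a;
  return buf;
}

// Checked "tryAllocPixels": reports failure with a bool so the caller can
// treat the image as undecodable rather than continuing with a null buffer.
bool TryAllocPixels(BudgetedAllocator& a, size_t width, size_t height,
                    std::unique_ptr<PixelBuffer>* out) {
  auto buf = MakeZeroed(a, width, height, /*bytes_per_pixel=*/4);
  if (!buf) return false;
  *out = std::move(buf);
  return true;
}

int main() {
  BudgetedAllocator limited(1024);  // 1 KiB budget: a 64x64 RGBA image will not fit
  std::unique_ptr<PixelBuffer> buf;
  if (!TryAllocPixels(limited, 64, 64, &buf)) {
    std::printf("allocation failed under memory pressure; image rejected cleanly\n");
  }
  BudgetedAllocator roomy(1u << 20);
  if (TryAllocPixels(roomy, 64, 64, &buf)) {
    std::printf("allocated %zu zeroed bytes\n", buf->bytes);
  }
  return 0;
}
```

The point of the two-level check is that failure is visible at every layer: MakeZeroed never constructs an object around a null block, and TryAllocPixels never hands the caller a buffer it did not get, which is the behaviour the fixed range in Comment 10 restores.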

Comment 10 by ClusterFuzz (Project Member), Jun 16 2017

ClusterFuzz has detected this issue as fixed in range 479756:479771.

Detailed report: https://clusterfuzz.com/testcase?key=4749635575087104

Fuzzer: sugoi_filter_fuzzer
Job Type: linux_asan_filter_fuzz_stub_32bit
Platform Id: linux

Crash Type: Null-dereference WRITE
Crash Address: 0x00000004
Crash State:
  SkPixelRef::SkPixelRef
  SkMallocPixelRef::MakeZeroed
  SkBitmap::tryAllocPixels
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=344473:344607
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=479756:479771

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4749635575087104


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Cc: kjlubick@chromium.org kjlubick@google.com
