Crash in SkOpCoincidence::mark
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5953175085645824
Fuzzer: afl_skia_pathop_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00009fff800a
Crash State:
  SkOpCoincidence::mark
  HandleCoincidence
  OpDebug
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=402185:402404
Minimized Testcase (0.11 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94_l_UX0J0NbuHUrO9PRFPF8AQMn4WvoiYYa2oIId4MY3CevD37fknDJQyzCSw6YQqiFgy1j7BuprIZF14nzOGqHzkOIKCys3bk_5UPudLz2NkI3G5J2rMse6hCJ84frBAEWKGDEvRw7u0ILJY-F9Gg8L5DkQ?testcase_id=5953175085645824
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 12 2016
Hmm, I guess we shouldn't put "Stability-Libfuzzer" there. Or maybe we should, since the original target function has been written for libfuzzer?
Jul 12 2016
I suggest the following approach:
- if bug has been found with libfuzzer, put Stability-Libfuzzer
- if bug has been found with AFL, put Stability-AFL
Thus we may track bugs:
A) found by Libfuzzer only
B) by AFL only
C) found by both as well
Jul 12 2016
What is the command line to reproduce this bug? Thanks
Jul 12 2016
Instructions for reproducing bugs found with AFL are there: https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md#Reproducing-AFL-ASan-bugs
Please let us know if anything is not clear!
Jul 12 2016
Would it be possible to include
$ gn gen out/afl '--args=use_afl=true is_asan=true enable_nacl=false proprietary_codecs=true'
$ ninja -C out/afl $FUZZER_NAME
$ out/afl/$FUZZER_NAME < /path/to/repro
in the bug or in the detailed report linked to by the bug?
Jul 12 2016
Here are my steps:
(download minimized test case above)
$ cd chrome/src
$ gn gen out/afl '--args=use_afl=true is_asan=true enable_nacl=false proprietary_codecs=true'
$ ninja -C out/afl skia_pathop_fuzzer
$ ./out/afl/skia_pathop_fuzzer ~/Downloads/fuzz-0-skia_pathop_fuzzer
Running in AFl-fuzz mode
Usage: afl-fuzz [afl-flags] ./out/afl/skia_pathop_fuzzer [N] -- run N fuzzing iterations before re-spawning the process (default: 1000)
skia_pathop_fuzzer: ../../third_party/libFuzzer/src/afl/afl_driver.cpp:99: int main(int, char **): Assertion `N > 0' failed.
Aborted (core dumped)
Jul 12 2016
I also tried:
$ ./out/afl/skia_pathop_fuzzer < ~/Downloads/fuzz-0-skia_pathop_fuzzer
Jul 12 2016
Cary, I think this step is incorrect:
$ ./out/afl/skia_pathop_fuzzer ~/Downloads/fuzz-0-skia_pathop_fuzzer
try this instead
$ ./out/afl/skia_pathop_fuzzer < ~/Downloads/fuzz-0-skia_pathop_fuzzer
Jul 12 2016
I'm not sure what could be causing the assertion failure you're seeing. I just confirmed the assertion is being used with this:
$ ./out/afl/skia_pathop_fuzzer -1
Running in AFl-fuzz mode
Usage: afl-fuzz [afl-flags] ./out/cary/skia_pathop_fuzzer [N] -- run N fuzzing iterations before re-spawning the process (default: 1000)
skia_pathop_fuzzer: ../../third_party/libFuzzer/src/afl/afl_driver.cpp:259: int main(int, char **): Assertion `N > 0' failed.
Aborted
But when I try to reproduce the bug I get this:
$ ./out/afl/skia_pathop_fuzzer < ~/Downloads/fuzz-0-skia_pathop_fuzzer
Running in AFl-fuzz mode
Usage: afl-fuzz [afl-flags] ./out/cary/skia_pathop_fuzzer [N] -- run N fuzzing iterations before re-spawning the process (default: 1000)
[0712/070748:INFO:SkDConicLineIntersection.cpp(111)] ../../third_party/skia/src/pathops/SkDConicLineIntersection.cpp:111: fatal error: ""conicPt.approximatelyEqual(linePt)""
Aborted
(I did notice the bug is caught before the invalid memory access now)
Jul 12 2016
Can also confirm that using the build ClusterFuzz used will reproduce the original crash (which I assume is different in trunk):
First download and unzip https://storage.cloud.google.com/chromium-browser-afl/linux-release-asan/afl-linux-release-403615.zip
$ ./afl-linux-release-403615/skia_pathop_fuzzer < ~/Downloads/fuzz-0-skia_pathop_fuzzer
Running in AFl-fuzz mode
Usage: afl-fuzz [afl-flags] ./afl-linux-release-403615/skia_pathop_fuzzer [N] -- run N fuzzing iterations before re-spawning the process (default: 1000)
ASAN:DEADLYSIGNAL
=================================================================
==17292==ERROR: AddressSanitizer: SEGV on unknown address 0x00009fff800a (pc 0x000000aa8e10 bp 0x7ffe5754aeb0 sp 0x7ffe5754ae70 T0)
==17292==The signal is caused by a READ memory access.
    #0 0xaa8e0f in containsCoincidence third_party/skia/src/pathops/SkOpSpan.h:398:30
    #1 0xaa8e0f in SkOpCoincidence::mark() third_party/skia/src/pathops/SkOpCoincidence.cpp:695
    #2 0xaaea94 in HandleCoincidence(SkOpContourHead*, SkOpCoincidence*, SkChunkAlloc*) third_party/skia/src/pathops/SkPathOpsCommon.cpp:518:22
    #3 0x65f844 in OpDebug(SkPath const&, SkPath const&, SkPathOp, SkPath*) third_party/skia/src/pathops/SkPathOpsOp.cpp:314:10
    #4 0x6365be in SkOpBuilder::resolve(SkPath*) third_party/skia/src/pathops/SkOpBuilder.cpp:149:18
    #5 0x4edc13 in LLVMFuzzerTestOneInput testing/libfuzzer/fuzzers/skia_pathop_fuzzer.cc:27:11
    #6 0x4ee0da in main third_party/libFuzzer/src/afl/afl_driver.cpp:107:7
    #7 0x7fd53c2fff44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV third_party/skia/src/pathops/SkOpSpan.h:398:30 in containsCoincidence
==17292==ABORTING
Jul 12 2016
Thanks for your help.
I got the information I need to isolate this bug.
Here are my steps (to remind myself, and for whoever takes over the code next)
1) edit third_party/skia/src/pathops/SkPathOpsOp.cpp:194 to:
#define DEBUGGING_PATHOPS_FROM_HOST 1 // enable to debug svg in chrome -- note path hardcoded below
2) run:
$ cd chrome/src
$ gn gen out/afl '--args=use_afl=true is_asan=true enable_nacl=false proprietary_codecs=true'
$ ninja -C out/afl skia_pathop_fuzzer
$ ./out/afl/skia_pathop_fuzzer < ~/Downloads/fuzz-0-skia_pathop_fuzzer
$ cat ~/Documents/svgop.txt
This generates:
static void fuzz763_1(skiatest::Reporter* reporter, const char* filename) {
    SkPath path;
    path.setFillType((SkPath::FillType) 0);
    SkPath path1(path);
    path.reset();
    path.setFillType((SkPath::FillType) 0);
    path.moveTo(SkBits2Float(0x00000000), SkBits2Float(0x00000000)); // 0, 0
    path.cubicTo(SkBits2Float(0x1931204a), SkBits2Float(0x2ba1a14a), SkBits2Float(0x4a4a08ff), SkBits2Float(0x4a4a08ff), SkBits2Float(0x4a4a4a34), SkBits2Float(0x4a4a4a4a)); // 9.15721e-24f, 1.14845e-12f, 3.31014e+06f, 3.31014e+06f, 3.31432e+06f, 3.31432e+06f
    path.moveTo(SkBits2Float(0x000010a1), SkBits2Float(0x19312000)); // 5.96533e-42f, 9.15715e-24f
    path.cubicTo(SkBits2Float(0x4a4a4a4a), SkBits2Float(0x4a4a4a4a), SkBits2Float(0xa14a4a4a), SkBits2Float(0x08ff2ba1), SkBits2Float(0x08ff4a4a), SkBits2Float(0x4a344a4a)); // 3.31432e+06f, 3.31432e+06f, -6.85386e-19f, 1.53575e-33f, 1.53647e-33f, 2.95387e+06f
    path.cubicTo(SkBits2Float(0x4a4a4a4a), SkBits2Float(0x4a4a4a4a), SkBits2Float(0x2ba1a14a), SkBits2Float(0x4e4a08ff), SkBits2Float(0x4a4a4a4a), SkBits2Float(0xa1a181ff)); // 3.31432e+06f, 3.31432e+06f, 1.14845e-12f, 8.47397e+08f, 3.31432e+06f, -1.09442e-18f
    SkPath path2(path);
    testPathOp(reporter, path1, path2, (SkPathOp) 4, filename);
}
3) Paste the above into: third_party/skia/tests/PathOpsOpTest.cpp
along with:
static struct TestDesc tests[] = {
+ TEST(fuzz763_1),
4) run:
$ cd skia
$ ninja -C out/Debug pathops_unittest
$ ./out/Debug/pathops_unittest -v -V -m PathOpsOp$
Jul 13 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 14 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5964772856299520
Fuzzer: afl_skia_pathop_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00009fff800a
Crash State:
  SkOpCoincidence::mark
  HandleCoincidence
  OpDebug
Recommended Security Severity: Medium
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96j3KSpKRhvG-JHvfbmg6N4s5it23dDeeTuyvSqrBiRf5udc0t8JrO-yl6LncA9KfgYWYgaAZ8uygzIDLYQp_cWvmsJZCWAvYJwYRsbEOyTVDslqs_uq24CJWS8zJ8CERs2_PlL_InpLij1phHJWIDmC2mgMA?testcase_id=5964772856299520
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 14 2016
M53 beta launch is coming soon. Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix before 6:00 PM PST, Monday (07/18/16). Thank you.
Jul 15 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6629946856570880
Fuzzer: afl_skia_pathop_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00009fff800a
Crash State:
  SkOpCoincidence::mark
  HandleCoincidence
  OpDebug
Recommended Security Severity: Medium
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96-p-QhYCGV9tTQnW-neIPV9rW-6YWnZD7O3xUbUO9SpkZo6raZsRVXXnOciN7b6FcUn04ByWeeGzMP7NEEViZsRJALA-mw5LLTn8_AnUsYo_4xiUFb5pI3oYHAotjWTYcPGQozGZcyZOGafUa8DHpiFFV4kw?testcase_id=6629946856570880
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 18 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5459266882502656
Fuzzer: afl_skia_pathop_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00009fff800a
Crash State:
  SkOpCoincidence::mark
  HandleCoincidence
  OpDebug
Recommended Security Severity: Medium
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv9529_miux1IC9cvex1sm1bZySTuacJqP2RncUDkS3RHH0N0iUal__ajy45S52csjDPBnzQaWqDzoq3_ZtV_5-wv1ACTweEyV7hx57vTUMXcIAYGR9yO-6C8gdzNbYHAJ4iMhOJl71TbBXcH0p-_hM9PIu9VIw?testcase_id=5459266882502656
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 19 2016
I'm unable to run the tool with ToT. This is the output I get:
/chrome/src$ ./out/afl/skia_pathop_fuzzer < ~/Downloads/fuzz-0-skia_pathop_fuzzer
Running in AFl-fuzz mode
Usage: afl-fuzz [afl-flags] ./out/afl/skia_pathop_fuzzer [N] -- run N fuzzing iterations before re-spawning the process (default: 1000)
Jul 19 2016
Maybe the above output is what happens when no problem is detected?
Jul 19 2016
Cary, I'll look into this now. FYI the program will always print this message, regardless of whether there's an error.
"Running in AFl-fuzz mode
Usage: afl-fuzz [afl-flags] ./out/afl/skia_pathop_fuzzer [N] -- run N fuzzing iterations before re-spawning the process (default: 1000)"
I'll check this on ToT shortly
Jul 19 2016
I don't get a crash on ToT. I guess the bug has been fixed?
Jul 19 2016
My confusion is that most tools echo 'Usage: ' when the input parameters are incorrect and then fail to run the test. This tool appears to do that even when the test run is successful.
Jul 19 2016
I want to keep printing some information at startup here. How about this one?
======================= INFO =========================
This binary is built for AFL-fuzz.
To run the target function on a single input execute this:
  ./lib/Fuzzer/test/AFLDriverTest < INPUT_FILE
To run the fuzzing execute this:
  afl-fuzz [afl-flags] ./lib/Fuzzer/test/AFLDriverTest [N]
 -- run N fuzzing iterations before re-spawning the process (default: 1000)
======================================================
Jul 19 2016
Do whatever you think is best; I would prefer seeing that the execution was successful if that indeed is the case. I would likewise prefer to see the info only in response to --help, -? or the like.
Jul 19 2016
I agree with the concern, but at least now I don't see a good way to completely eliminate the message because the binary is easy to misuse (e.g. to run "./exe INPUT" instead of "./exe < INPUT") and it's not easy to make the interface more flexible w/o extra complexity.
For now (LLVM r276052) the binary will print
======================= INFO =========================
This binary is built for AFL-fuzz.
To run the target function on a single input execute this:
  ./lib/Fuzzer/test/AFLDriverTest < INPUT_FILE
To run the fuzzing execute this:
  afl-fuzz [afl-flags] ./lib/Fuzzer/test/AFLDriverTest [N]
 -- run N fuzzing iterations before re-spawning the process (default: 1000)
======================================================
And then at the end:
./lib/Fuzzer/test/AFLDriverTest: successfully executed 1 input(s)
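The driver contract the last several comments argue about (the input comes on stdin, an optional single argument is an iteration count N, and passing a file path as that argument turns into N == 0 and the `Assertion `N > 0' failed` abort Cary hit), as an added C++ example. This is not the libFuzzer afl_driver.cpp from the page and not Chromium or Skia code; TargetOneInput is a hypothetical stand-in for LLVMFuzzerTestOneInput, and ParseDriverArgs and RunSingleInput are names invented here. It models the "./exe INPUT" versus "./exe < INPUT" misuse the comment describes and, instead of a bare assert, reports the corrected invocation; the exit line mirrors the "successfully executed 1 input(s)" message the comment says the r276052 driver prints.

```cpp
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <iterator>
#include <string>
#include <vector>

// Hypothetical target standing in for the page's LLVMFuzzerTestOneInput
// (skia_pathop_fuzzer.cc). Real harnesses return 0; this one does nothing.
static int TargetOneInput(const uint8_t* data, size_t size) {
    (void)data;
    (void)size;
    return 0;
}

// How argv was interpreted, kept as data so the policy is testable without
// spawning a process.
enum class ArgMode { SingleInput, Iterations, Misuse };

struct ArgResult {
    ArgMode mode;
    int iterations;       // valid when mode == Iterations
    std::string message;  // diagnostic when mode == Misuse
};

// The driver on the page did atoi(argv[1]) and asserted N > 0, so a file path
// given as an argument silently became N == 0 and crashed the driver itself.
// Here anything that is not a positive integer is reported as a misuse,
// together with the stdin form the user most likely meant.
ArgResult ParseDriverArgs(int argc, char** argv) {
    if (argc < 2) return {ArgMode::SingleInput, 0, ""};
    if (argc > 2) return {ArgMode::Misuse, 0, "expected at most one argument [N]"};
    char* end = nullptr;
    long n = std::strtol(argv[1], &end, 10);
    if (argv[1][0] == '\0' || *end != '\0' || n <= 0) {
        std::string msg = "argument '" + std::string(argv[1]) +
            "' is not a positive iteration count; to run one input use: " +
            std::string(argv[0]) + " < " + argv[1];
        return {ArgMode::Misuse, 0, msg};
    }
    return {ArgMode::Iterations, static_cast<int>(n), ""};
}

// Run the target once over an in-memory input and return how many inputs
// were executed, which is what the "successfully executed N input(s)" line
// reports at exit.
int RunSingleInput(const std::vector<uint8_t>& input) {
    TargetOneInput(input.data(), input.size());
    return 1;
}

int main(int argc, char** argv) {
    ArgResult r = ParseDriverArgs(argc, argv);
    if (r.mode == ArgMode::Misuse) {
        std::cerr << "ERROR: " << r.message << "\n";
        return 2;
    }
    if (r.mode == ArgMode::Iterations) {
        // The persistent-mode loop driven by afl-fuzz is outside this example.
        std::cerr << "fuzzing mode requested with N=" << r.iterations << "\n";
        return 0;
    }
    // Single-input mode: slurp all of stdin, exactly like "./exe < INPUT".
    std::vector<uint8_t> input((std::istreambuf_iterator<char>(std::cin)),
                               std::istreambuf_iterator<char>());
    int executed = RunSingleInput(input);
    std::cerr << argv[0] << ": successfully executed " << executed << " input(s)\n";
    return 0;
}
```

Run with `./driver < /path/to/testcase` for a single input; `./driver /path/to/testcase` now explains the mistake and exits non-zero instead of tripping an assertion inside the driver, which keeps a driver failure from being mistaken for a target crash when triaging reports.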
Jul 26 2016
ClusterFuzz has detected this issue as fixed in range 406032:406205.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5459266882502656
Fuzzer: afl_skia_pathop_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00009fff800a
Crash State:
  SkOpCoincidence::mark
  HandleCoincidence
  OpDebug
Recommended Security Severity: Medium
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=406032:406205
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv9529_miux1IC9cvex1sm1bZySTuacJqP2RncUDkS3RHH0N0iUal__ajy45S52csjDPBnzQaWqDzoq3_ZtV_5-wv1ACTweEyV7hx57vTUMXcIAYGR9yO-6C8gdzNbYHAJ4iMhOJl71TbBXcH0p-_hM9PIu9VIw?testcase_id=5459266882502656
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 26 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Jul 12 2016
Components: Internals>Skia
Owner: caryclark@chromium.org