bsalomon@, could you take a look at this? It's similar to the one (https://bugs.chromium.org/p/chromium/issues/detail?id=454267) you fixed before. Thanks!

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This is an instance where Skia has mapped a vertex buffer, written to part of it, and unmapped it. Even though no subsequent draws reference the unwritten portion, MSAN is triggered because of this added guard in the command buffer:

https://cs.chromium.org/chromium/src/gpu/command_buffer/client/gles2_implementation.cc?sq=package:chromium&type=cs&l=2022

Even though I hate to do it, I'm going to make Skia memset buffers after mapping as I don't see a practical way for us to maintain zeroing out just the pad between vertex attributes across all of our drawing code paths.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a0274bfffbf46eebfa0b9e774b2cda197659c5a2

commit a0274bfffbf46eebfa0b9e774b2cda197659c5a2
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Thu Jul 14 01:50:21 2016

Roll src/third_party/skia/ 50ead53ac..614d8f9a3 (3 commits).

https://chromium.googlesource.com/skia.git/+log/50ead53ac97d..614d8f9a3c44

$ git log 50ead53ac..614d8f9a3 --date=short --no-merges --format='%ad %ae %s'
2016-07-13 bsalomon Remove GrWrapTextureInBitmap from public API
2016-07-13 bsalomon Stop testing texture-backed bitmaps in bleed GMs
2016-07-13 bsalomon Make GrBatchAtlas robust against attempts to add large rects.

BUG= 627443 

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_blink_rel
TBR=msarett@google.com

Review-Url: https://codereview.chromium.org/2144143002
Cr-Commit-Position: refs/heads/master@{#405396}

[modify] https://crrev.com/a0274bfffbf46eebfa0b9e774b2cda197659c5a2/DEPS

Ignore comment #6. I had misdiagnosed the issue. This Skia change fixes the issue:

https://chromium.googlesource.com/skia.git/+/6d6b6ad0f30504b6d0540f1f6bc7c072f33e85b2

This should now be fixed at tip of tree.

ClusterFuzz has detected this issue as fixed in range 405185:405467.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6534151536902144

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  gpu::gles2::GLES2Implementation::BufferDataHelper
  GrGLBuffer::onUpdateData
  GrBufferAllocPool::unmap
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=402485:402737
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=405185:405467

Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Z8T-KaDRuAlhy0ZbxlPXLCbf3RZxmeV39saf1TnUp3A68oDTE8KqK_JlY4eNyzA94hncSuvFt5ihY-ch24xLZFlOXr4I9615bN9HJLX6fM5t7H16cjCdXX7YLf1nm2SzpMDqhONKIWZcMBcup80szWbSP2A?testcase_id=6534151536902144

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

+awhalley@, whether it is ok to take this merge in for M53 or not. Please note that fix has been already verified by clusterfuzz.

Good for M53.

Approving merge to M53 branch 2785 based on comment #12. Please merge ASAP or latest by 5:00 PM PST today so we can take it for M53 dev release tomorrow. Thank you.

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/042215e3d5336a52245945eb790ce41fa79138b7

commit 042215e3d5336a52245945eb790ce41fa79138b7
Author: bsalomon <bsalomon@google.com>
Date: Mon Jul 18 21:28:53 2016

Cherry-pick fix for GrAADistanceFieldPathRenderer bounds to M53.

-----------

Initialize fGammaCorrect in DF Path Renderer unit test

TBR=jvanverth@google.com
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2157933003

Review-Url: https://codereview.chromium.org/2157933003

Fix leak when DFPR fails to draw path

TBR=jvanverth@google.com
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2144283002

Review-Url: https://codereview.chromium.org/2144283002

Make GrBatchAtlas robust against attempts to add large rects.

Make GrAADistanceFieldPathRenderer robust against paths that in src space wind up being too large for the atlas.

BUG= chromium:627443 
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2144663004

Review-Url: https://codereview.chromium.org/2144663004
NOTREECHECKS=true
NOTRY=true
NOPRESUBMIT=true

Review-Url: https://codereview.chromium.org/2160563004

[modify] https://crrev.com/042215e3d5336a52245945eb790ce41fa79138b7/src/gpu/GrBatchAtlas.cpp
[modify] https://crrev.com/042215e3d5336a52245945eb790ce41fa79138b7/src/gpu/GrBatchAtlas.h
[modify] https://crrev.com/042215e3d5336a52245945eb790ce41fa79138b7/src/gpu/batches/GrAADistanceFieldPathRenderer.cpp
[add] https://crrev.com/042215e3d5336a52245945eb790ce41fa79138b7/tests/DFPathRendererTest.cpp

As per comment #14, this is already merged to M53. If nothing is pending for M53, please remove "Merge-Approved-53" label. Thank you.

The fix has been cherry picked to the M53 branch of Skia. The next M53 build of Chrome will pick it up.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot