allocator_may_return_null=1 cannot be used with skia
Issue description: Skia (and likely all of chrome) NEVER checks "new" for a null-return. We check malloc() but not "new". There are a series of clusterfuzz bugs that seem to boil down to "new" returning null, and then later we crash when we dereference it. This is not a valid running mode, as the browser (and android) do NOT run with "new" returning null.
Jul 15 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6537793551728640 Fuzzer: sugoi_filter_fuzzer Job Type: linux_asan_filter_fuzz_stub Platform Id: linux Crash Type: UNKNOWN WRITE Crash Address: 0x000000000008 Crash State: SkPixelRef::SkPixelRef SkMallocPixelRef::NewAllocate SkBitmap::tryAllocPixels Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub&range=321145:321437 Minimized Testcase (0.34 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97BCXc0uWPH3HDxzbe7VdqiD10uo_skFGeKVUXcKgzVJbUS3ntfAtqRK3Ctpor-6DY9MD5EXAOSCO6s-JwO99AzpxAJhWF37qZ24FlrNVLvkHY-T4AzgTxbjKfB8V28AieRQoPIf-1WuhSZACXfnmLbJvtY9g?testcase_id=6537793551728640 Filer: rnimmagadda See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 15 2016
Jul 20 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6645295282913280 Fuzzer: sugoi_filter_fuzzer Job Type: linux_asan_filter_fuzz_stub Platform Id: linux Crash Type: UNKNOWN WRITE Crash Address: 0x000000000008 Crash State: SkPixelRef::SkPixelRef SkMallocPixelRef::NewZeroed SkBitmap::tryAllocPixels Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub&range=357565:358520 Minimized Testcase (0.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ufKY5PkfC-AcvXGpypeTTergnAQhRLa1HMcjgnPU3x4m_uFUFF9hiyPmR0Yq4WHin0tp4K2niJRNBwGsjbC8BxzUvIlhPS36_cY042fFUpqVqLWB40wkc2oDx8zHqOFUmbjH4qpnW8BQPt5AhAe3u0X4cdw?testcase_id=6645295282913280 Filer: mummareddy See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 27 2016
Issue 631910 has been merged into this issue.
Jul 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5448718585430016 Fuzzer: sugoi_filter_fuzzer Job Type: linux_asan_filter_fuzz_stub Platform Id: linux Crash Type: UNKNOWN WRITE Crash Address: 0x000000000008 Crash State: SkSpecialImage_Raster::SkSpecialImage_Raster SkSpecialImage::MakeFromRaster SkSpecularLightingImageFilter::onFilterImage Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub&range=387561:387601 Minimized Testcase (128.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97QHwF-djazN4UNCiv1TWQaHDrSvthVTODaM2-byj5UzVezdOVQ1lI1HmrG52-810r9eO-vxQgezcspjyQgZ4c2ZpvKn2B6mKhBaqSP9jUK5blH_oMghCly6W8PGrNwU-UuSt4S1pT2XGKlU0jpslHGVenHVsNe4Z4LjkFhPu6j9ijEkMo?testcase_id=5448718585430016 Filer: rnimmagadda See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 5 2016
Aug 9 2016
Issue 627797 has been merged into this issue.
Aug 22 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6269969933533184 Fuzzer: sugoi_filter_fuzzer Job Type: linux_asan_filter_fuzz_stub Platform Id: linux Crash Type: UNKNOWN WRITE Crash Address: 0x000000000008 Crash State: SkMallocPixelRef::NewAllocate SkBitmap::tryAllocPixels SkBlurImageFilter::onFilterImage Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub&range=413372:413374 Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97cPBmFqh3FCj85gefSf6H3SvqEzazLEnsU9O5tiJWqJH8N7n25JpfzpzEn1S8KA6CXi6dWmfWF2lnkP0gXQyvSzEuDqqKILRf6q8nomuiVQnVcrBayHDdpJuS3t142lVXWqJuhtC0lMEqKF8Axt3-oN8DLpg?testcase_id=6269969933533184 Issue manually filed by: durga.behera See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 22 2016
Issue 639798 has been merged into this issue.
Aug 23 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5095927201398784 Fuzzer: sugoi_filter_fuzzer Job Type: linux_asan_filter_fuzz_stub Platform Id: linux Crash Type: UNKNOWN WRITE Crash Address: 0x000000000008 Crash State: SkSpecialImage::MakeFromRaster SkSpecialSurface_Raster::onMakeImageSnapshot SkSpecialSurface::makeImageSnapshot Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub&range=386318:386319 Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv969dqFkRxkng30viHYBhyPSnI2wM4Mm-88Ub0wKrwlYZJhUcqWcwrCpnBroDnvGId9KVffTx1h47iDuEXYXMjf8oyTuNOXYWGnYTXfTfKIp8opVqZe9owlwHVeQuMtZlaw5ng9ZjOehk_9ddM9BLkCYnLCBtQ?testcase_id=5095927201398784 Issue manually filed by: durga.behera See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 24 2016
ClusterFuzz has detected this issue as fixed in range 413717:413785. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6269969933533184 Fuzzer: sugoi_filter_fuzzer Job Type: linux_asan_filter_fuzz_stub Platform Id: linux Crash Type: UNKNOWN WRITE Crash Address: 0x000000000008 Crash State: SkMallocPixelRef::NewAllocate SkBitmap::tryAllocPixels SkBlurImageFilter::onFilterImage Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub&range=413372:413374 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub&range=413717:413785 Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97cPBmFqh3FCj85gefSf6H3SvqEzazLEnsU9O5tiJWqJH8N7n25JpfzpzEn1S8KA6CXi6dWmfWF2lnkP0gXQyvSzEuDqqKILRf6q8nomuiVQnVcrBayHDdpJuS3t142lVXWqJuhtC0lMEqKF8Axt3-oN8DLpg?testcase_id=6269969933533184 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 24 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Aug 24 2016
I believe the fuzzer is still being run with "allocator_may_return_null=1".
Aug 24 2016
Aug 24 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4947937107116032 Fuzzer: sugoi_filter_fuzzer Job Type: linux_asan_filter_fuzz_stub_32bit Platform Id: linux Crash Type: UNKNOWN WRITE Crash Address: 0x00000004 Crash State: SkImageFilterCache::Get SkImageFilter::~SkImageFilter SkColorFilterImageFilter::~SkColorFilterImageFilter Minimized Testcase (1025.85 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Wfmm5ZCGNFyHgyxBFmRoZqR4Im6cLXRHfiPrFiPB_XQy5E9lLHKrtEeXeFjn88liL8J9XOKXyUJ9Uvu8-9nFOqwFWQsptPE7F1-0Yb6RkFw4adtZR2c13L67_DuhxMR6z2FY3A1AiVZpM5jitOkf_J8m6F1QSU6kn1Erd6zSYmf9uhA8?testcase_id=4947937107116032 Issue manually filed by: mmohammad See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 24 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6653249644134400 Fuzzer: sugoi_filter_fuzzer Job Type: linux_asan_filter_fuzz_stub Platform Id: linux Crash Type: UNKNOWN WRITE Crash Address: 0x000000000008 Crash State: SkMallocPixelRef::NewZeroed SkBitmap::tryAllocPixels SkBitmapDevice::Create Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub&range=386318:386319 Minimized Testcase (0.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95qLTLUMoDlpC9mKl6uNNRMfDG3mj5BC3CxkTGt1h9ouWZOrpa9BAo-msv3d4iu22hR6TIh5HxyIu01_9oT43jmluiWQvc37WTCxLODqn10t_2qC1ZC4u-WTiY4A45WRgiKPMoCBYX4qyynThQA0lE2K-7uAA?testcase_id=6653249644134400 Issue manually filed by: mmohammad See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 31 2016
Issue 642684 has been merged into this issue.
Sep 20 2016
Issue 648410 has been merged into this issue.
Sep 20 2016
It appears the afl code and pdfium fuzzer set allocator_may_return_null=1.
kcc: We've been running into issues with this allocator_may_return_null=1 setting, since it makes it look like Skia is dereferencing nullptr when really the language is being changed out from under us at run time ('new' is returning nullptr). Is there someone we can talk to about this or a component we can assign this to? Seems like there should be a 'Fuzzer' component here in the bug tracker.
Sep 20 2016
Indeed, AFAICT, all (or most?) of the ClusterFuzz jobs run with asan's allocator_may_return_null=1. asan does not make a distinction between new and malloc here. Are you saying it should? From my perspective there is no benefit in doing so. If we set allocator_may_return_null=0 these tests will continue crashing, just with a different report (can't malloc instead of null dereference). Will you treat failed malloc as bugs or not? They hurt fuzzing very much. As for bug filing: I don't think we have any special component for Fuzzer/asan. inferno? You can just CC me and inferno and assign to one of us.
Sep 28 2016
I confirm that CF uses allocator_may_return_null=1 by default. I've found allocator_may_return_null=0 for 2 jobs only: linux_asan_pdfium and linux_ubsan_pdfium.
Jan 22 2017
ClusterFuzz has detected this issue as fixed in range 445292:445294. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4947937107116032 Fuzzer: sugoi_filter_fuzzer Job Type: linux_asan_filter_fuzz_stub_32bit Platform Id: linux Crash Type: UNKNOWN WRITE Crash Address: 0x00000004 Crash State: SkImageFilterCache::Get SkImageFilter::~SkImageFilter SkColorFilterImageFilter::~SkColorFilterImageFilter Sanitizer: address (ASAN) Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=391407:391453 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_filter_fuzz_stub_32bit&range=445292:445294 Minimized Testcase (1025.85 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Wfmm5ZCGNFyHgyxBFmRoZqR4Im6cLXRHfiPrFiPB_XQy5E9lLHKrtEeXeFjn88liL8J9XOKXyUJ9Uvu8-9nFOqwFWQsptPE7F1-0Yb6RkFw4adtZR2c13L67_DuhxMR6z2FY3A1AiVZpM5jitOkf_J8m6F1QSU6kn1Erd6zSYmf9uhA8?testcase_id=4947937107116032 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 23 2017
Marking 'Fixed' as per c#23. Please feel free to update the status if someone thinks otherwise. Thank you!
Jan 30 2017
Jan 30 2017
Feb 9 2017
Feb 15 2017
Issue 692460 has been merged into this issue.
Mar 13 2017
Issue 686085 has been merged into this issue.
Mar 13 2017
Mar 13 2017
This is causing some triage issues for skia. Skia should probably check the return value and trigger a hard crash, for a reliable stack and a non-security flag.
Mar 13 2017
Mar 16 2017
Mar 27 2017
I believe it was determined in a meeting last week that this will be fixed sometime next quarter to have malloc, but not new, able to return NULL (or some similar solution). To kcc until staffed (?)
Mar 30 2017
Issue 626714 has been merged into this issue.
Mar 30 2017
Yes.
Mar 31 2017
Apr 15 2017
ClusterFuzz has detected this issue as fixed in range 464815:464837. Detailed report: https://clusterfuzz.com/testcase?key=5095927201398784 Fuzzer: sugoi_filter_fuzzer Job Type: linux_asan_filter_fuzz_stub Platform Id: linux Crash Type: UNKNOWN WRITE Crash Address: 0x000000000008 Crash State: SkSpecialImage::MakeFromRaster SkSpecialSurface_Raster::onMakeImageSnapshot SkSpecialSurface::makeImageSnapshot Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=386318:386319 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=464815:464837 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv969dqFkRxkng30viHYBhyPSnI2wM4Mm-88Ub0wKrwlYZJhUcqWcwrCpnBroDnvGId9KVffTx1h47iDuEXYXMjf8oyTuNOXYWGnYTXfTfKIp8opVqZe9owlwHVeQuMtZlaw5ng9ZjOehk_9ddM9BLkCYnLCBtQ?testcase_id=5095927201398784 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 13 2017
ClusterFuzz has detected this issue as fixed in range 485950:486005. Detailed report: https://clusterfuzz.com/testcase?key=6537793551728640 Fuzzer: sugoi_filter_fuzzer Job Type: linux_asan_filter_fuzz_stub Platform Id: linux Crash Type: Null-dereference WRITE Crash Address: 0x000000000008 Crash State: SkMagnifierImageFilter::onFilterImage SkImageFilter::filterImage SkImageFilter::filterInput Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=321145:321437 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_filter_fuzz_stub&range=485950:486005 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6537793551728640 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Sep 20 2017
Issue 763213 has been merged into this issue.
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Nov 7 2017
Feb 28 2018
Throwing new() has not returned NULL since July 2017 (https://github.com/google/sanitizers/issues/295). Judging by the lack of complaints from CF on this bug, it seems like the problem is solved?
Feb 28 2018
It appears the relevant change is https://reviews.llvm.org/D34731 which makes 'new' crash on unsatisfiable requests no matter the value of allocator_may_return_null. (Oddly, it seems allocator_may_return_null=1 must be set or 'new(nothrow)' will crash as well, so it is now necessary to set allocator_may_return_null=1 to get conformant behavior.) As a result, it seems this is fixed. I'll mark it as such and we can always open this again if we run into something. Now we just need to make sure that Chromium and libc++ allocators can never return nullptr from new (which they could when compiled without exceptions last time I looked).
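The failure mode discussed in this thread, as an added example that is not Skia's or Chromium's code: a constructed PixelRef stand-in shows why a constructor running on a null `this` (a `new` that returned nullptr under allocator_may_return_null=1) faults at a member offset, 0x8 on 64-bit and 0x4 on 32-bit, which matches the crash addresses in the reports above; try_alloc_pixels shows the malloc-style explicit check, and alloc_pixels_or_die the check-and-hard-crash variant suggested above. The type name, layout, function names and size arithmetic are all assumptions for illustration.

```cpp
// Added example, not Skia/Chromium code: explicit checks around new(std::nothrow)
// so a constructor never runs on a null object, plus a hard-crash wrapper.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <new>

// Constructed stand-in for a pixel-ref object. If plain 'new' returned nullptr
// (ASan allocator_may_return_null=1), the ctor would run with this == nullptr and
// its first store faults at that member's offset: 0x8 on LP64, 0x4 on 32-bit.
struct PixelRef {
    void*  pixels;    // offset 0, assigned in the body (after rowBytes)
    size_t rowBytes;  // offset sizeof(void*): the first member the ctor writes
    explicit PixelRef(size_t rb) : rowBytes(rb) { pixels = nullptr; }
    ~PixelRef() { delete[] static_cast<uint8_t*>(pixels); }
};
constexpr size_t kFirstStoreOffset = offsetof(PixelRef, rowBytes);

// Buffer size with overflow checks; false if width*height*bpp does not fit size_t.
bool safe_pixel_size(size_t width, size_t height, size_t bpp, size_t* out) {
    if (width == 0 || height == 0 || bpp == 0) { *out = 0; return true; }
    if (bpp > SIZE_MAX / width) return false;
    size_t row = width * bpp;
    if (height > SIZE_MAX / row) return false;
    *out = row * height;
    return true;
}

// tryAlloc style: every allocation result is checked, as Skia already does for
// malloc. nothrow new yields nullptr on failure; the caller gets a clean failure.
std::unique_ptr<PixelRef> try_alloc_pixels(size_t width, size_t height, size_t bpp) {
    size_t bytes = 0;
    if (!safe_pixel_size(width, height, bpp, &bytes)) return nullptr;
    std::unique_ptr<PixelRef> ref(new (std::nothrow) PixelRef(width * bpp));
    if (!ref) return nullptr;
    ref->pixels = new (std::nothrow) uint8_t[bytes]();  // zero-filled buffer
    if (!ref->pixels) return nullptr;                   // ref's dtor frees nothing
    return ref;
}

// "Check and hard-crash" variant from the thread: failing here gives a reliable
// stack at the allocation site instead of a null write somewhere later.
std::unique_ptr<PixelRef> alloc_pixels_or_die(size_t width, size_t height, size_t bpp) {
    std::unique_ptr<PixelRef> ref = try_alloc_pixels(width, height, bpp);
    if (!ref) { std::fprintf(stderr, "pixel allocation failed\n"); std::abort(); }
    return ref;
}
```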
Feb 28 2018
Comment 1 by reed@google.com, Jul 14 2016