max_start_velocity > 0 in fling_curve.cc
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4934954270326784
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: CHECK failure
Crash Address:
Crash State:
max_start_velocity > 0 in fling_curve.cc
ui::FlingCurve::FlingCurve
ui::WebGestureCurveImpl::CreateFromDefaultPlatformCurve
Minimized Testcase (0.08 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95A8lsIL5Qlk5q0DVCtktuUfzXqweKtDXarGyF9LQWIpSJh8caiix4WOEzrPBrkh2hhWufYxtgWFJbW_BlLJ0x52feTVj6IretXk-1kKvy-UkBDkzHRoZIfDCAux7YtlMAKMoz3FVq8-lUq5RWW3P0ECvTNiw?testcase_id=4934954270326784
<script> eventSender.gestureFlingStart(0, 0, 0, 0, "touchscreen"); </script>
Filer: kavvaru
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 15 2016
,
Jul 18 2016
sahel@ are you able to beef up the validation in event_sender.cc to avoid this ClusterFuzz bug? That or we should handle the case where the velocity is 0.
,
Jul 18 2016
There is no validation in the GestureFlingStart function (https://cs.chromium.org/chromium/src/components/test_runner/event_sender.cc?cl=GROK&l=1905). I don't know what the invalid cases are; is the following validity check enough?
max(fabs(velocity_x), fabs(velocity_y)) > 0
What should I do if the condition is not met? Just return from the GestureFlingStart function? If I want to handle the max_start_velocity = 0 case separately, is it enough to set a positive epsilon value as the max_start_velocity value that avoids division by 0?
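To make the check under discussion concrete, the following is an added example written for this thread, not Chromium's own code: it models the proposed guard in a simplified test event sender beside a simplified version of the ratio computation that the CHECK protects. The struct and function names, the drop-on-invalid behaviour and the std::isfinite handling are assumptions.

```cpp
// Added example (not Chromium code): models the zero-velocity guard.
#include <algorithm>
#include <cmath>

struct Velocity { double x; double y; };

// The check proposed in the comment above:
// max(fabs(velocity_x), fabs(velocity_y)) > 0.
// Assumption beyond the thread: NaN and +/-inf components are rejected up
// front, because std::max with a NaN operand depends on argument order and
// would otherwise let a NaN slip through the > 0 comparison.
bool IsValidFlingVelocity(const Velocity& v) {
  if (!std::isfinite(v.x) || !std::isfinite(v.y)) return false;
  double max_start_velocity = std::max(std::fabs(v.x), std::fabs(v.y));
  return max_start_velocity > 0;
}

// Simplified stand-in for what the curve does with max_start_velocity:
// each component is divided by it to get a direction ratio. With a zero
// velocity that division yields NaN, which is what CHECK_GT guards against.
struct DisplacementRatio { double x; double y; bool valid; };

DisplacementRatio ComputeDisplacementRatio(const Velocity& v) {
  double max_start_velocity = std::max(std::fabs(v.x), std::fabs(v.y));
  if (!(max_start_velocity > 0)) {
    // Production code CHECKs here and the process aborts; this model
    // reports the failure instead so the effect of validation is visible.
    return {0.0, 0.0, false};
  }
  return {v.x / max_start_velocity, v.y / max_start_velocity, true};
}

// Models eventSender.gestureFlingStart(x, y, velocity_x, velocity_y, ...):
// returns true if a fling would be dispatched, false if it is dropped.
// Position arguments are accepted but unused in this model.
bool GestureFlingStart(double /*x*/, double /*y*/, double vx, double vy) {
  Velocity v{vx, vy};
  if (!IsValidFlingVelocity(v)) return false;  // the proposed early return
  return ComputeDisplacementRatio(v).valid;
}
```

With the guard in place, the minimized testcase's call with velocity (0, 0) is dropped instead of reaching the CHECK.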
,
Jul 18 2016
Issue 629021 has been merged into this issue.
,
Jul 18 2016
Happens on ChromeOS too with touch pad two-finger scrolling on hangout window.
Program received signal SIGILL, Illegal instruction.
[Switching to Thread 13819]
ui::FlingCurve::FlingCurve (this=0x30c3d4ab92c0, velocity=..., start_timestamp=...) at ../../ui/events/gestures/fling_curve.cc:48
48 CHECK_GT(max_start_velocity, 0);
(gdb) bt
#0 ui::FlingCurve::FlingCurve (this=0x30c3d4ab92c0, velocity=..., start_timestamp=...) at ../../ui/events/gestures/fling_curve.cc:48
#1 0x00007f9563307d3c in CreateDefaultPlatformCurve (initial_velocity=...) at ../../ui/events/gestures/blink/web_gesture_curve_impl.cc:46
#2 ui::WebGestureCurveImpl::CreateFromDefaultPlatformCurve (initial_velocity=..., initial_offset=..., on_main_thread=<optimized out>)
at ../../ui/events/gestures/blink/web_gesture_curve_impl.cc:60
#3 0x00007f95632a221c in content::BlinkPlatformImpl::createFlingAnimationCurve (this=<optimized out>, device_source=<optimized out>, velocity=..., cumulative_scroll=...)
at ../../content/child/blink_platform_impl.cc:846
#4 0x00007f9563343e33 in ui::InputHandlerProxy::HandleGestureFlingStart (this=this@entry=0x30c3cf1cf918, gesture_event=...) at ../../ui/events/blink/input_handler_proxy.cc:733
#5 0x00007f9563344a9b in ui::InputHandlerProxy::HandleInputEvent (this=0x30c3cf1cf918, event=...) at ../../ui/events/blink/input_handler_proxy.cc:346
#6 0x00007f9563346293 in ui::InputHandlerProxy::HandleInputEventWithLatencyInfo (this=0x30c3cf1cf918, event=..., latency_info=latency_info@entry=0x7f955436d250)
at ../../ui/events/blink/input_handler_proxy.cc:278
#7 0x00007f9561191568 in content::InputHandlerManager::HandleInputEvent (this=0x30c3ceea8c00, routing_id=13, input_event=0x30c3cfede638, latency_info=0x7f955436d250)
at ../../content/renderer/input/input_handler_manager.cc:231
#8 0x00007f956118fea4 in Run (args#2=0x7f955436d250, args#1=0x30c3cfede638, args#0=13, this=0x30c3cee18a50) at ../../base/callback.h:389
#9 content::InputEventFilter::ForwardToHandler (this=0x30c3cee18a00, message=...) at ../../content/renderer/input/input_event_filter.cc:194
#10 0x00007f955d70ad41 in Run (this=0x7f955436db88) at ../../base/callback.h:389
#11 base::debug::TaskAnnotator::RunTask (this=0x30c3cee20180, queue_function=<optimized out>, pending_task=...) at ../../base/debug/task_annotator.cc:51
#12 0x00007f955d6b0454 in base::MessageLoop::RunTask (this=0x30c3cee20000, pending_task=...) at ../../base/message_loop/message_loop.cc:494
#13 0x00007f955d6b085e in base::MessageLoop::DeferOrRunPendingTask (this=0x30c3cee20000, pending_task=...) at ../../base/message_loop/message_loop.cc:503
#14 0x00007f955d6b2a58 in base::MessageLoop::DoWork (this=0x30c3cee20000) at ../../base/message_loop/message_loop.cc:627
#15 0x00007f955d6b2e09 in base::MessagePumpDefault::Run (this=0x30c3ceefcc60, delegate=0x30c3cee20000) at ../../base/message_loop/message_pump_default.cc:35
#16 0x00007f955d6cdbca in base::RunLoop::Run (this=0x7f955436dcc0) at ../../base/run_loop.cc:35
#17 0x00007f955d6afb49 in base::MessageLoop::Run (this=<optimized out>) at ../../base/message_loop/message_loop.cc:295
#18 0x00007f955d6ed142 in base::Thread::ThreadMain (this=0x30c3cee488c0) at ../../base/threading/thread.cc:256
#19 0x00007f955d6e9666 in base::(anonymous namespace)::ThreadFunc (params=<optimized out>) at ../../base/threading/platform_thread_posix.cc:70
#20 0x00007f955c0d2307 in start_thread (arg=0x7f955436e700) at pthread_create.c:309
#21 0x00007f955ab905cd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb) p max_start_velocity
$1 = 0
,
Jul 19 2016
xiyuan@ I think the two bugs are not related. This bug is about some validation check in test_runner/event_sender.cc while Issue 629021 and the stack trace are related to cases that chromeos has some weird behavior sending a fling with zero velocity.
,
Jul 19 2016
Adding Amir, who may have been looking into fling generation code on Chrome OS recently.
,
Jul 19 2016
Issue 628829 has been merged into this issue.
,
Jul 20 2016
I have a fix for this ... this bug is a dup of Issue 628525
,
Jul 20 2016
Do you have CL link?
,
Jul 20 2016
I misspoke slightly ... the two issues are related but not identical ... sahel@ has a CL though which I imagine will be shared shortly. I'll be putting up my CL for the other issue in the next hour or so.
,
Jul 20 2016
Please keep in mind that back/forward navigation in Chrome might be affected (it requires empty Fling to operate properly).
,
Jul 20 2016
More discussion here: https://chromium-review.googlesource.com/#/c/361789/1
,
Jul 20 2016
abodenha@, This issue is only about preventing test_runner/event_sender.cc from sending flings with zero velocity.
,
Jul 21 2016
Re 13: khmel@ can you explain your comment about forward/back nav, and maybe provide a link to where in the code zero-velocity fling events are being used?
,
Jul 21 2016
wjmaclean, I think what he's referring to is that two-finger swipe left/right can be used for back/forward navigation, and the fling event (even with 0 velocity) is used to know when the fingers have lifted from the touchpad so that the navigation animation can end.
,
Jul 21 2016
Ahhh, ok ... I'd still be interested in a pointer into the codebase, as I didn't see this use when I was looking.
,
Jul 21 2016
I don't have a pointer to the code, but if you ask around the WAT office you'll probably find the folks that worked on it.
,
Jul 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/42a50bbf81e1e75e5b734c2523c96656ad42fc8c
commit 42a50bbf81e1e75e5b734c2523c96656ad42fc8c
Author: sahel <sahel@chromium.org>
Date: Fri Jul 22 19:34:04 2016
Max start velocity should be greater than zero.
Check in event_sender.cc to avoid sending flingsgesturestart events with velocity of zero.
BUG= 628525
Review-Url: https://codereview.chromium.org/2158173002
Cr-Commit-Position: refs/heads/master@{#407231}
[modify] https://crrev.com/42a50bbf81e1e75e5b734c2523c96656ad42fc8c/components/test_runner/event_sender.cc
[modify] https://crrev.com/42a50bbf81e1e75e5b734c2523c96656ad42fc8c/third_party/WebKit/LayoutTests/fast/events/touch/gesture/gesture-scrollbar-fling.html
,
Jul 22 2016
,
Jul 23 2016
ClusterFuzz has detected this issue as fixed in range 407206:407288.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4934954270326784
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: CHECK failure
Crash Address:
Crash State:
max_start_velocity > 0 in fling_curve.cc
ui::FlingCurve::FlingCurve
ui::WebGestureCurveImpl::CreateFromDefaultPlatformCurve
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=407206:407288
Minimized Testcase (0.08 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95A8lsIL5Qlk5q0DVCtktuUfzXqweKtDXarGyF9LQWIpSJh8caiix4WOEzrPBrkh2hhWufYxtgWFJbW_BlLJ0x52feTVj6IretXk-1kKvy-UkBDkzHRoZIfDCAux7YtlMAKMoz3FVq8-lUq5RWW3P0ECvTNiw?testcase_id=4934954270326784
<script> eventSender.gestureFlingStart(0, 0, 0, 0, "touchscreen"); </script>
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 1 2016
Issue 625776 has been merged into this issue.
,
Aug 25 2016
,
Aug 26 2016
,
Oct 18 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kavvaru@chromium.org, Jul 15 2016
Labels: Te-Logged M-52