Sebastien, any idea what is going on here ? This is a weird crash in stack_trace_win.cc.

Moving component to Internals, please change if not appropriate.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6362885597167616

Fuzzer: inferno_twister
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x005cde33
Crash State:
  base::debug::StackDumpExceptionFilter
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=408381:408405

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94Oq6rtxPi_IiLzQ0iKbVgiQV83GzfRwc2X8efRSgFgI9lfIYcLwFYXPeVs5rVQchqaHphhuGVtb7esROBPtXcsLvJgxkPshnwbxJNs0nH8F8IuHg7wKGbkpftk9AcObWMk9VuEpapLNCJRj9H_yobtEBkh_HRkfhzB98mwsJJ-XaG4PKA?testcase_id=6362885597167616


Filer: tanin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

sebmarchand: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

I can repro this, it looks like a simple OOM:

01 0499eeb4 100c7845 chrome_child!base::`anonymous namespace'::OnNoMemory+0x11 [c:\b\c\b\win_syzyasan_lkgr\src\base\process\memory_win.cc @ 41]
02 0499eec0 100c77cd chrome_child!base::allocator::WinCallNewHandler+0x15 [c:\b\c\b\win_syzyasan_lkgr\src\base\allocator\winheap_stubs_win.cc @ 66]
03 0499eed0 12904a72 chrome_child!malloc+0x17 [c:\b\c\b\win_syzyasan_lkgr\src\base\allocator\allocator_shim_win.cc @ 72]
04 0499eedc 1017e7b6 chrome_child!operator new+0x2c [f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp @ 19]
05 0499eef4 1017e697 chrome_child!cc::ListContainerHelper::CharAllocator::AllocateNewList+0x59 [c:\b\c\b\win_syzyasan_lkgr\src\cc\base\list_container_helper.cc @ 247]
06 (Inline) -------- chrome_child!cc::ListContainerHelper::CharAllocator::Allocate+0x64 [c:\b\c\b\win_syzyasan_lkgr\src\cc\base\list_container_helper.cc @ 131]
07 0499ef00 113de76c chrome_child!cc::ListContainerHelper::Allocate+0x2b [c:\b\c\b\win_syzyasan_lkgr\src\cc\base\list_container_helper.cc @ 461]
08 (Inline) -------- chrome_child!cc::ListContainer<cc::DrawQuad>::AllocateAndConstruct+0x813fe6e0 [c:\b\c\b\win_syzyasan_lkgr\src\cc\base\list_container.h @ 118]
09 (Inline) -------- chrome_child!cc::RenderPass::CreateAndAppendDrawQuad+0x813fe6e0 [c:\b\c\b\win_syzyasan_lkgr\src\cc\quads\render_pass.h @ 95]
0a 0499ef40 1134ecc9 chrome_child!cc::SolidColorLayerImpl::AppendSolidQuads+0xbb [c:\b\c\b\win_syzyasan_lkgr\src\cc\layers\solid_color_layer_impl.cc @ 58]
0b 0499f78c 11340797 chrome_child!cc::PictureLayerImpl::AppendQuads+0xb5 [c:\b\c\b\win_syzyasan_lkgr\src\cc\layers\picture_layer_impl.cc @ 166]
0c 0499f91c 113471ba chrome_child!cc::LayerTreeHostImpl::CalculateRenderPasses+0x77f [c:\b\c\b\win_syzyasan_lkgr\src\cc\trees\layer_tree_host_impl.cc @ 922]
0d 0499f9cc 1140eebd chrome_child!cc::LayerTreeHostImpl::PrepareToDraw+0x3db [c:\b\c\b\win_syzyasan_lkgr\src\cc\trees\layer_tree_host_impl.cc @ 1112]
0e 0499fa34 114104ec chrome_child!cc::ProxyImpl::DrawAndSwapInternal+0x64 [c:\b\c\b\win_syzyasan_lkgr\src\cc\trees\proxy_impl.cc @ 630]
0f 0499fa70 1141549c chrome_child!cc::ProxyImpl::ScheduledActionDrawAndSwapIfPossible+0xa8 [c:\b\c\b\win_syzyasan_lkgr\src\cc\trees\proxy_impl.cc @ 521]
10 0499fa88 11416467 chrome_child!cc::Scheduler::DrawAndSwapIfPossible+0x39 [c:\b\c\b\win_syzyasan_lkgr\src\cc\scheduler\scheduler.cc @ 615]
11 0499fb2c 11415e3e chrome_child!cc::Scheduler::ProcessScheduledActions+0x21c [c:\b\c\b\win_syzyasan_lkgr\src\cc\scheduler\scheduler.cc @ 691]
12 0499fb8c 1140d378 chrome_child!cc::Scheduler::OnBeginImplFrameDeadline+0x107 [c:\b\c\b\win_syzyasan_lkgr\src\cc\scheduler\scheduler.cc @ 604]
13 (Inline) -------- chrome_child!base::internal::FunctorTraits<void (__thiscall cc::ProxyMain::*)(void),void>::Invoke+0x8142d378 [c:\b\c\b\win_syzyasan_lkgr\src\base\bind_internal.h @ 214]
14 (Inline) -------- chrome_child!base::internal::InvokeHelper<1,void>::MakeItSo+0x42 [c:\b\c\b\win_syzyasan_lkgr\src\base\bind_internal.h @ 303]
15 (Inline) -------- chrome_child!base::internal::Invoker<base::internal::BindState<void (__thiscall cc::ProxyMain::*)(void),base::WeakPtr<cc::ProxyMain> >,void __cdecl(void)>::RunImpl+0x4f [c:\b\c\b\win_syzyasan_lkgr\src\base\bind_internal.h @ 346]
16 0499fba0 10197f7f chrome_child!base::internal::Invoker<base::internal::BindState<void (__thiscall cc::ProxyMain::*)(void),base::WeakPtr<cc::ProxyMain> >,void __cdecl(void)>::Run+0x37 [c:\b\c\b\win_syzyasan_lkgr\src\base\bind_internal.h @ 324]
17 (Inline) -------- chrome_child!base::Callback<void __cdecl(void),1>::Run+0x1a [c:\b\c\b\win_syzyasan_lkgr\src\base\callback.h @ 389]
18 0499fba8 12b6f088 chrome_child!base::CancelableCallback<void __cdecl(void)>::Forward+0x6 [c:\b\c\b\win_syzyasan_lkgr\src\base\cancelable_callback.h @ 107]
19 (Inline) -------- chrome_child!base::internal::FunctorTraits<void (__thiscall gpu::GpuChannelManager::*)(void),void>::Invoke+0x82b8f071 [c:\b\c\b\win_syzyasan_lkgr\src\base\bind_internal.h @ 214]
1a 0499fbb4 12b6fc30 chrome_child!base::internal::InvokeHelper<1,void>::MakeItSo<void (__thiscall gpu::GpuChannelManager::*const &)(void),base::WeakPtr<gpu::GpuChannelManager> const &>+0x21 [c:\b\c\b\win_syzyasan_lkgr\src\base\bind_internal.h @ 303]
1b (Inline) -------- chrome_child!base::internal::Invoker<base::internal::BindState<void (__thiscall gpu::GpuChannelManager::*)(void),base::WeakPtr<gpu::GpuChannelManager> >,void __cdecl(void)>::RunImpl+0x82b8fc1c [c:\b\c\b\win_syzyasan_lkgr\src\base\bind_internal.h @ 346]
1c 0499fbc4 10e2d29d chrome_child!base::internal::Invoker<base::internal::BindState<void (__thiscall gpu::GpuChannelManager::*)(void),base::WeakPtr<gpu::GpuChannelManager> >,void __cdecl(void)>::Run+0x13 [c:\b\c\b\win_syzyasan_lkgr\src\base\bind_internal.h @ 324]
1d (Inline) -------- chrome_child!base::Callback<void __cdecl(void),1>::Run+0x1c [c:\b\c\b\win_syzyasan_lkgr\src\base\callback.h @ 389]
1e 0499fc24 10dcc32e chrome_child!base::debug::TaskAnnotator::RunTask+0x100 [c:\b\c\b\win_syzyasan_lkgr\src\base\debug\task_annotator.cc @ 54]
1f 0499fd6c 10dcb752 chrome_child!base::MessageLoop::RunTask+0x2fb [c:\b\c\b\win_syzyasan_lkgr\src\base\message_loop\message_loop.cc @ 497]
20 (Inline) -------- chrome_child!base::MessageLoop::DeferOrRunPendingTask+0x80deb741 [c:\b\c\b\win_syzyasan_lkgr\src\base\message_loop\message_loop.cc @ 505]
21 0499fe2c 10e2fe6d chrome_child!base::MessageLoop::DoWork+0x25e [c:\b\c\b\win_syzyasan_lkgr\src\base\message_loop\message_loop.cc @ 629]
22 0499fe60 10dcbef0 chrome_child!base::MessagePumpDefault::Run+0x140 [c:\b\c\b\win_syzyasan_lkgr\src\base\message_loop\message_pump_default.cc @ 36]
23 0499fe6c 10e1a59d chrome_child!base::MessageLoop::RunHandler+0x11 [c:\b\c\b\win_syzyasan_lkgr\src\base\message_loop\message_loop.cc @ 459]
24 0499fe90 10e08660 chrome_child!base::RunLoop::Run+0x65 [c:\b\c\b\win_syzyasan_lkgr\src\base\run_loop.cc @ 36]
25 0499fe98 10e08bba chrome_child!base::Thread::Run+0xb [c:\b\c\b\win_syzyasan_lkgr\src\base\threading\thread.cc @ 229]
26 0499fee8 10de5953 chrome_child!base::Thread::ThreadMain+0x12c [c:\b\c\b\win_syzyasan_lkgr\src\base\threading\thread.cc @ 304]
27 0499ff04 742738f4 chrome_child!base::`anonymous namespace'::ThreadFunc+0x82 [c:\b\c\b\win_syzyasan_lkgr\src\base\threading\platform_thread_win.cc @ 86]
28 0499ff18 77295de3 KERNEL32!BaseThreadInitThunk+0x24
29 0499ff60 77295dae ntdll!__RtlUserThreadStart+0x2f
2a 0499ff70 00000000 ntdll!_RtlUserThreadStart+0x1b


We should do something to handle this in a better way in SyzyAsan, we should probably look for the win::kOomExceptionCode exception code.

sebmarchand: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fd76103704c54eec019f2e7cb56aab8c71681aa3

commit fd76103704c54eec019f2e7cb56aab8c71681aa3
Author: sebmarchand <sebmarchand@chromium.org>
Date: Wed Aug 31 22:34:01 2016

Roll Syzygy deps to v0.8.20.6

BUG= 629006 ,  630372 

Review-Url: https://codereview.chromium.org/2298273003
Cr-Commit-Position: refs/heads/master@{#415785}

[modify] https://crrev.com/fd76103704c54eec019f2e7cb56aab8c71681aa3/DEPS

I've rescheduled the fuzzer run to see if the commit in #8 has fixed this issue.

Any update on this ?

Clusterfuzz reported:

Known crash revision 406657 did not crash. Test case appears to be flaky.

:-\

I wonder if it's worth moving this to WontFix?

Both crashes are not reproducible anymore. Thanks!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot