Issue 635448


Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




!errorOccurred()

Project Member Reported by ClusterFuzz, Aug 8 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4505548638912512

Fuzzer: ochang_search_index_mutator
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !errorOccurred()
  blink::Resource::appendData
  blink::ImageResource::appendData
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=407480:407711

Minimized Testcase (32.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96T1cw4xutDJ2RmxGtq1cZIxrT_ZcV0JQtTcTmpBO2eKZSjF52gWIpGfPo2-dVwt_JApjW4DTkOoMiLVUiNqKn0ONxY7yHKEKc5g464qT5EVZlBymxppPSfAFNpiNwwFq9GcoP8f08dJcVkBoqltLHP4EFaQl9cq1LiOywkmQX6GAX4Eps?testcase_id=4505548638912512

Issue manually filed by: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ajha@chromium.org, Aug 8 2016

Cc: ajha@chromium.org
Components: Blink>Loader
Labels: M-54 Findit-for-crash Te-Logged
Owner: japhet@chromium.org
Status: Assigned (was: Untriaged)
Suspected CLs (the result is a list of CLs that change the crashed files):

Author: japhet
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/d3d417564b290e70dc50bab63dc22a8889924be3
Time: Mon Jul 25 20:04:53 2016
Files Resource.cpp and ImageResource.cpp are changed in this CL (and are part of stack frame #0, "blink::Resource::appendData").
Minimum distance from crash line to modified line: 37. (file: Resource.cpp, crashed on: 363, modified: 400).

Suspected Project: chromium
Suspected Component: Blink>Loader

Based on the above Findit result, assigning to japhet@ for further investigation.

Thank you! 

Comment 3 by japhet@chromium.org, Aug 22 2016

Status: Fixed (was: Assigned)
Project Member Comment 4 by bugdroid1@chromium.org, Aug 23 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b2a8e95798c79844c95f9af6fec979500ba09eff

commit b2a8e95798c79844c95f9af6fec979500ba09eff
Author: megjablon <megjablon@chromium.org>
Date: Mon Aug 22 23:56:41 2016

Revert of ImageDocumentParser should stop sending data to ImageResource once decoding fails. (patchset #3 id:40001 of https://codereview.chromium.org/2262833002/ )

Reason for revert:
Reverting due to webkit_unit_test failures on builder "Mac ASan 64 Tests (1)":

https://build.chromium.org/p/chromium.memory/builders/Mac%20ASan%2064%20Tests%20(1)

Output from
https://build.chromium.org/p/chromium.memory/builders/Mac%20ASan%2064%20Tests%20%281%29/builds/20849/steps/webkit_unit_tests%20on%20Mac-10.9/logs/stdio

[ RUN      ] WebFrameTest.ImageDocumentDecodeError
[       OK ] WebFrameTest.ImageDocumentDecodeError (87 ms)
[562/3806] WebFrameTest.ImageDocumentDecodeError (87 ms)
[ RUN      ] CompositedSelectionBoundsTest.None
ASAN:DEADLYSIGNAL
=================================================================
==91966==ERROR: AddressSanitizer: SEGV on unknown address 0x000045e0360e (pc 0x000045e0360e bp 0x7fff5f436950 sp 0x7fff5f436398 T0)
==91966==The signal is caused by a READ memory access.
    #0 0x45e0360d in
Traceback (most recent call last):
  File "/b/swarm_slave/w/irrExke3/tools/valgrind/asan/asan_symbolize.py", line 271, in <module>
    main()
  File "/b/swarm_slave/w/irrExke3/tools/valgrind/asan/asan_symbolize.py", line 268, in main
    loop.process_logfile()
  File "/b/swarm_slave/w/irrExke3/tools/valgrind/asan/third_party/asan_symbolize.py", line 416, in process_logfile
    processed = self.process_line(line)
  File "/b/swarm_slave/w/irrExke3/tools/valgrind/asan/third_party/asan_symbolize.py", line 439, in process_line_posix
    symbolized_line = self.symbolize_address(addr, binary, offset)
  File "/b/swarm_slave/w/irrExke3/tools/valgrind/asan/third_party/asan_symbolize.py", line 393, in symbolize_address
    result = symbolizers[binary].symbolize(addr, binary, offset)
  File "/b/swarm_slave/w/irrExke3/tools/valgrind/asan/third_party/asan_symbolize.py", line 244, in symbolize
    result = symbolizer.symbolize(addr, binary, offset)
  File "/b/swarm_slave/w/irrExke3/tools/valgrind/asan/third_party/asan_symbolize.py", line 216, in symbolize
    atos_line = self.atos.convert('0x%x' % int(offset, 16))
  File "/b/swarm_slave/w/irrExke3/tools/valgrind/asan/third_party/asan_symbolize.py", line 192, in convert
    self.w.write(line + "\n")
IOError: [Errno 5] Input/output error

Original issue's description:
> ImageDocumentParser should stop sending data to ImageResource once decoding fails.
>
> BUG= 635448 
> TEST=WebFrameTest.ImageDocumentDecodeError
>
> Committed: https://crrev.com/2fb53d05488ff879e38553839f174f15af2af39b
> Cr-Commit-Position: refs/heads/master@{#413539}

TBR=pdr@chromium.org,japhet@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 635448 

Review-Url: https://codereview.chromium.org/2264333002
Cr-Commit-Position: refs/heads/master@{#413587}

[modify] https://crrev.com/b2a8e95798c79844c95f9af6fec979500ba09eff/third_party/WebKit/Source/core/html/ImageDocument.cpp
[modify] https://crrev.com/b2a8e95798c79844c95f9af6fec979500ba09eff/third_party/WebKit/Source/web/tests/WebFrameTest.cpp
[delete] https://crrev.com/06ed71dfa04dd2cd44a4802630ddf192312ea61a/third_party/WebKit/Source/web/tests/data/not_an_image.ico

Project Member Comment 6 by ClusterFuzz, Aug 28 2016

ClusterFuzz has detected this issue as fixed in range 414882:414933.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4505548638912512

Fuzzer: ochang_search_index_mutator
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !errorOccurred()
  blink::Resource::appendData
  blink::ImageResource::appendData
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=407480:407711
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=414882:414933

Minimized Testcase (32.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96T1cw4xutDJ2RmxGtq1cZIxrT_ZcV0JQtTcTmpBO2eKZSjF52gWIpGfPo2-dVwt_JApjW4DTkOoMiLVUiNqKn0ONxY7yHKEKc5g464qT5EVZlBymxppPSfAFNpiNwwFq9GcoP8f08dJcVkBoqltLHP4EFaQl9cq1LiOywkmQX6GAX4Eps?testcase_id=4505548638912512

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
