Crash in base::win::ForceCrashOnSigAbort
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4632783949660160
Fuzzer: marty_html_twiddler
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: UNKNOWN WRITE
Crash Address: 0x00000000
Crash State:
  base::win::ForceCrashOnSigAbort
  sk_abort_no_print
  SkBitmap::allocPixels
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=414207:414243
Minimized Testcase (0.64 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96z7OczG4qcSG7QPxDmOw8F6gcFVR3LJBU0C7kJyWSx313yyoXlyRkzrILVaISau5-LO2Ucnc4sv7URG_HI7Nz-xdKXbFsD4x2O7m-UvM-auDD1KK0QZfjGE3nUnFrp9Sa0RTmTW6nsyCdI1VqjUAze0g2veg?testcase_id=4632783949660160
Issue manually filed by: mmohammad
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 26 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5414702543011840
Fuzzer: marty_html_twiddler
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: UNKNOWN WRITE
Crash Address: 0x00000000
Crash State:
  base::win::ForceCrashOnSigAbort
  sk_abort_no_print
  SkBitmap::allocPixels
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=414671:414680
Minimized Testcase (0.74 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95jcPZaDG2ftxkmpQGTWwNir1h3qX1Zf2rE-pxvy7I88tot1hr9nFGGj0u-DzkIVnnF1Qw8JG5Z_OLnoTletfLB_B-khVrFq7eYQtvULpx4aeOjN9gvMS7-UXJ-VDmlqVjr71BSElhxFe--R0tcxiTtlfPusw?testcase_id=5414702543011840
Issue manually filed by: mmohammad
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 26 2016
I haven't touched anything for Windows so I'm sending this over to the people who might know something.
Aug 26 2016
The two reports here have *disjoint* regression ranges. Which probably means the regression ranges are just wrong?
Aug 26 2016
This is an OOM, and probably not a regression: the first repro case creates 64k columns, each separated by a 64k pixel gap, and then tries to allocate a software SkBitmap to draw the horizontal scrollbar into.
Aug 26 2016
Malloc has failed, so we are aborting.
The calling code *could* be changed to notice that the allocation has failed, and take some other action, if they called tryAllocN32Pixels() instead of allocN32Pixels().
---------
UIResourceBitmap PaintedScrollbarLayer::RasterizeScrollbarPart(
    const gfx::Rect& layer_rect,
    const gfx::Rect& content_rect,
    ScrollbarPart part) {
  DCHECK(!content_rect.size().IsEmpty());
  DCHECK(!layer_rect.size().IsEmpty());
  SkBitmap skbitmap;
  // Aborts (sk_abort_no_print) if the pixel allocation fails; tryAllocN32Pixels()
  // would instead return false and let the caller react.
  skbitmap.allocN32Pixels(content_rect.width(), content_rect.height());
  SkCanvas skcanvas(skbitmap);
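The failure-aware allocation the comment above describes, as an added example that is not Chromium's or Skia's code: FakeN32Bitmap is a hypothetical stand-in modelling the two Skia calls (the byte cap and RasterizeScrollbarPartSafe are constructed for the example), and it shows the caller recovering from a failed tryAllocN32Pixels() instead of aborting.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <new>
#include <vector>

// Hypothetical stand-in for the two Skia calls named in the bug, not SkBitmap:
// allocN32Pixels() aborts on failure (as Skia does via sk_abort_no_print),
// tryAllocN32Pixels() reports the failure to the caller instead.
class FakeN32Bitmap {
 public:
  // Constructed cap standing in for the allocator refusing the request.
  static constexpr uint64_t kMaxBytes = 256ull * 1024 * 1024;
  static constexpr uint64_t kBytesPerPixel = 4;  // N32: 4 bytes per pixel

  // False for empty dimensions, oversize/overflowing byte counts, or malloc failure.
  bool tryAllocN32Pixels(int width, int height) {
    if (width <= 0 || height <= 0) return false;
    const uint64_t w = static_cast<uint64_t>(width);
    const uint64_t h = static_cast<uint64_t>(height);
    // Divide rather than multiply so the size check itself cannot overflow.
    if (w > kMaxBytes / kBytesPerPixel) return false;
    const uint64_t row_bytes = w * kBytesPerPixel;
    if (h > kMaxBytes / row_bytes) return false;
    try {
      pixels_.assign(static_cast<size_t>(row_bytes * h), 0);
    } catch (const std::bad_alloc&) {
      return false;
    }
    return true;
  }

  // The abort-on-failure variant the scrollbar code currently calls.
  void allocN32Pixels(int width, int height) {
    if (!tryAllocN32Pixels(width, height)) std::abort();
  }
  size_t byteCount() const { return pixels_.size(); }

 private:
  std::vector<uint8_t> pixels_;
};

struct RasterResult { bool ok; size_t bytes; };
// Hypothetical hardened form of the RasterizeScrollbarPart() allocation step:
// a failed allocation yields an empty result instead of aborting the renderer.
RasterResult RasterizeScrollbarPartSafe(int width, int height) {
  FakeN32Bitmap bitmap;
  if (!bitmap.tryAllocN32Pixels(width, height)) return {false, 0};
  return {true, bitmap.byteCount()};  // drawing into the bitmap would follow
}
```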
Aug 30 2016
Oct 10 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5430286852816896
Fuzzer: j00ru_htmlcss_fuzz
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: UNKNOWN WRITE
Crash Address: 0x00000000
Crash State:
  base::win::ForceCrashOnSigAbort
  sk_abort_no_print
  SkBitmap::allocPixels
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome&range=424111:424112
Minimized Testcase (0.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97mKJKYUZYLBycvEb1lxXMEL8psHKlKwd-liQqTNP06pEYGtyd84Ihx9ppCNSntln8CTumOm7tpfENThXgzTaxH7qbMlltRV7lEPZCcRUAawtAPZ1KOGG_Lln8J-p3tladQ0ih3_7ueQ1XNaaAwkSlAAbGZjg?testcase_id=5430286852816896
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 22 2016
ClusterFuzz testcase 4632783949660160 is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mmohammad@chromium.org, Aug 25 2016
Status: Assigned (was: Untriaged)