Issue 644644


Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 1
Type: Bug

Crash in blink::ImageBuffer::newSkImageSnapshot

Reported by ClusterFuzz (Project Member), Sep 7 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6372973881851904

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000000c
Crash State:
  blink::ImageBuffer::newSkImageSnapshot
  blink::HTMLCanvasElement::toImageData
  blink::HTMLCanvasElement::toBlob
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=415934:416233

Minimized Testcase (19.86 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96LQwxLE9mzrEt77TFp8-Auml3cqhAIBQA-55Alvb1wrj5VYMGBuMMNcuGqMQEKRdGzREnyObkbZqzinmS_j5BiHoXfw6TlviNvComt54R_gVhUZ6yX-lDQOFSYZSKIS06vEAf6dLfqbTKgdcbwJk8sT3wYsl0SiNABxe_i2s5GIPw79Jg?testcase_id=6372973881851904

Issue manually filed by: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Cc: ashej...@chromium.org
Components: Blink>Canvas Blink>HTML Tools>Test>FindIt>CorrectResult
Labels: M-55 Te-Logged
Owner: junov@chromium.org
Status: Assigned (was: Untriaged)
Suspected CLs (FindIt): Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: junov@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/ec3bf2dcd1319333c1253db22c6c8f3e781c65a6
Time: Wed Aug 19 00:56:58 2015
The CL last changed line 188 of file ImageBuffer.cpp, which is stack frame 0.

Author: lukasza
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/69969af74bfff920f5fdcc2aa547ea4af2d477d2
Time: Fri Sep 02 19:50:36 2016
The CL last changed line 606 of file HTMLCanvasElement.cpp, which is stack frame 1.

Author: junov
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/bce6e17e44e6ce516ed63b6360823dea10461b3e
Time: Fri Feb 05 18:52:00 2016
The CL last changed line 711 of file HTMLCanvasElement.cpp, which is stack frame 2.

Suspected Project: chromium
Suspected Component: Blink>HTML
Plausible offending CL: https://chromium.googlesource.com/chromium/src/+/bce6e17e44e6ce516ed63b6360823dea10461b3e ?

@junov: Hey, would you mind checking the above issue and see if it's related to your change ?

Appreciate your help. Thank you!
Cc: xidac...@chromium.org junov@chromium.org
Owner: xlai@chromium.org
the crash seems to happen in the call of toImageData in the toBlob() function, sending this to xlai@ to take a look.

Comment 3 by xlai@chromium.org, Sep 8 2016

Cc: -junov@chromium.org xlai@chromium.org
Owner: junov@chromium.org
I couldn't find out what's wrong; I don't think it's a toBlob problem. m_snapshotState is the one that is null-ref but it was initialized in ImageBuffer constructor, which is baffling.
junov@: do you mind taking a look at it?

Comment 5 by bugdroid1@chromium.org (Project Member), Sep 14 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9d280866e11c2c038005452c8d14fb3ffa91ac2c

commit 9d280866e11c2c038005452c8d14fb3ffa91ac2c
Author: junov <junov@chromium.org>
Date: Wed Sep 14 14:59:02 2016

Fix crash and potential crashes caused by ImageBuffer allocation failure.

This CL adds null ptr checks in a few places that need them.

BUG=644644
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2335263002
Cr-Commit-Position: refs/heads/master@{#418563}

[modify] https://crrev.com/9d280866e11c2c038005452c8d14fb3ffa91ac2c/third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp
[modify] https://crrev.com/9d280866e11c2c038005452c8d14fb3ffa91ac2c/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp

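The fix above describes the defensive pattern rather than showing it: when the ImageBuffer allocation fails, the canvas keeps a null buffer pointer, and the export path (toBlob, via toImageData) dereferenced it. A read at a small address such as the reported 0x0000000c is consistent with a member access through a null object pointer. The following is an added example, not code from Chromium, from the CL, or from anyone in this thread; FakeImageBuffer, FakeCanvas, createImageBuffer, exportCanvas and the maxPixels budget are constructed stand-ins chosen to illustrate the check, not Blink's real types or the real patch.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Constructed stand-in for a canvas backing store (not Blink's ImageBuffer).
struct FakeImageBuffer {
    size_t width = 0;
    size_t height = 0;
    std::vector<unsigned char> pixels;  // RGBA, 4 bytes per pixel

    // Hypothetical snapshot: the crashing frame read a member of the buffer;
    // here the "snapshot" is just the pixel count.
    size_t snapshotPixelCount() const { return pixels.size() / 4; }
};

// Simulates the allocation failure the fix guards against: returns nullptr
// when the surface would exceed maxPixels (or overflow w*h) instead of a buffer.
std::unique_ptr<FakeImageBuffer> createImageBuffer(size_t w, size_t h, size_t maxPixels) {
    if (w == 0 || h == 0 || w > maxPixels / h) return nullptr;
    auto buf = std::make_unique<FakeImageBuffer>();
    buf->width = w;
    buf->height = h;
    buf->pixels.assign(w * h * 4, 0);
    return buf;
}

// Constructed stand-in for the canvas element; buffer stays null if allocation failed.
struct FakeCanvas {
    size_t width;
    size_t height;
    std::unique_ptr<FakeImageBuffer> buffer;
};

enum class BlobResult { Ok, NoBackingStore };

struct ExportOutcome {
    BlobResult result;
    size_t pixelCount;
};

// Pre-fix shape: dereferences the buffer unconditionally. With a null buffer
// this is the near-null read the report shows; never call it on a canvas
// whose allocation may have failed.
size_t toBlobUnchecked(const FakeCanvas& canvas) {
    return canvas.buffer->snapshotPixelCount();
}

// Post-fix shape: bail out when there is no backing store.
ExportOutcome toBlobChecked(const FakeCanvas& canvas) {
    if (!canvas.buffer) return {BlobResult::NoBackingStore, 0};
    return {BlobResult::Ok, canvas.buffer->snapshotPixelCount()};
}

// Driver: size the canvas, attempt the allocation, then run the export path.
ExportOutcome exportCanvas(size_t w, size_t h, size_t maxPixels) {
    FakeCanvas canvas{w, h, createImageBuffer(w, h, maxPixels)};
    return toBlobChecked(canvas);
}

int main() {
    const size_t limit = size_t{1} << 20;  // assumed 1 Mpixel budget
    ExportOutcome ok = exportCanvas(16, 16, limit);
    ExportOutcome failed = exportCanvas(65536, 65536, limit);
    std::printf("16x16: result=%d pixels=%zu\n",
                static_cast<int>(ok.result), ok.pixelCount);
    std::printf("65536x65536: result=%d pixels=%zu\n",
                static_cast<int>(failed.result), failed.pixelCount);
    // The unchecked variant is only safe once the buffer is known to exist.
    FakeCanvas small{16, 16, createImageBuffer(16, 16, limit)};
    std::printf("unchecked on valid buffer: %zu\n", toBlobUnchecked(small));
    return 0;
}
```

The point of the two variants is that the allocation site and the use site are far apart (the canvas is sized long before toBlob runs), so every entry point that reaches the buffer needs its own null check, which is why the CL touches more than one file.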
Comment 6 by junov@chromium.org, Sep 14 2016

Status: Fixed (was: Assigned)

Comment 7 by ClusterFuzz (Project Member), Sep 15 2016

ClusterFuzz has detected this issue as fixed in range 418539:418579.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6372973881851904

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000000c
Crash State:
  blink::ImageBuffer::newSkImageSnapshot
  blink::HTMLCanvasElement::toImageData
  blink::HTMLCanvasElement::toBlob
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=415934:416233
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=418539:418579

Minimized Testcase (19.86 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96LQwxLE9mzrEt77TFp8-Auml3cqhAIBQA-55Alvb1wrj5VYMGBuMMNcuGqMQEKRdGzREnyObkbZqzinmS_j5BiHoXfw6TlviNvComt54R_gVhUZ6yX-lDQOFSYZSKIS06vEAf6dLfqbTKgdcbwJk8sT3wYsl0SiNABxe_i2s5GIPw79Jg?testcase_id=6372973881851904

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot