Crash in blink::ImageBuffer::newSkImageSnapshot
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6372973881851904

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000000c
Crash State:
  blink::ImageBuffer::newSkImageSnapshot
  blink::HTMLCanvasElement::toImageData
  blink::HTMLCanvasElement::toBlob

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=415934:416233

Minimized Testcase (19.86 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96LQwxLE9mzrEt77TFp8-Auml3cqhAIBQA-55Alvb1wrj5VYMGBuMMNcuGqMQEKRdGzREnyObkbZqzinmS_j5BiHoXfw6TlviNvComt54R_gVhUZ6yX-lDQOFSYZSKIS06vEAf6dLfqbTKgdcbwJk8sT3wYsl0SiNABxe_i2s5GIPw79Jg?testcase_id=6372973881851904

Issue manually filed by: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Sep 8 2016
The crash seems to happen in the call to toImageData in the toBlob() function; sending this to xlai@ to take a look.
,
Sep 8 2016
I couldn't find out what's wrong; I don't think it's a toBlob problem. m_snapshotState is the one that is null-referenced, but it was initialized in the ImageBuffer constructor, which is baffling. junov@: do you mind taking a look at it?
,
Sep 12 2016
Happened here too: https://build.chromium.org/p/chromium.gpu.fyi/builders/Mac%2010.10%20Retina%20Release%20%28AMD%29/builds/8865/steps/webgl2_conformance_tests%20on%20ATI%20GPU%20on%20Mac%20Retina%20on%20Mac/logs/stdio Log excerpt attached.
,
Sep 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9d280866e11c2c038005452c8d14fb3ffa91ac2c

commit 9d280866e11c2c038005452c8d14fb3ffa91ac2c
Author: junov <junov@chromium.org>
Date: Wed Sep 14 14:59:02 2016

Fix crash and potential crashes caused by ImageBuffer allocation failure.

This CL adds null ptr checks in a few places that need them.

BUG= 644644
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel
Review-Url: https://codereview.chromium.org/2335263002
Cr-Commit-Position: refs/heads/master@{#418563}

[modify] https://crrev.com/9d280866e11c2c038005452c8d14fb3ffa91ac2c/third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp
[modify] https://crrev.com/9d280866e11c2c038005452c8d14fb3ffa91ac2c/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp
,
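The commit above describes the fix as null-pointer checks for an ImageBuffer that failed to allocate. As an added illustration of that pattern (example code written for this page, not Blink's code; the ImageBuffer, CanvasElement, SnapshotState types and the kMaxPixels limit are hypothetical stand-ins), the block below shows the unchecked call beside the checked one. A read at a small fixed address such as the report's 0x0000000c is what one expects when a member is read through a null object pointer, which is the failure mode the checked version avoids.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Illustrative stand-ins for Blink's ImageBuffer / HTMLCanvasElement.
// The names, limits and layout below are hypothetical, not Blink's real types.
struct SnapshotState {
    int generation = 0;  // bumped each time a snapshot is taken
};

struct ImageBuffer {
    size_t width;
    size_t height;
    std::vector<uint32_t> pixels;                 // RGBA8 backing store
    std::unique_ptr<SnapshotState> snapshotState;

    ImageBuffer(size_t w, size_t h)
        : width(w), height(h), pixels(w * h, 0),
          snapshotState(std::make_unique<SnapshotState>()) {}

    // Analogue of newSkImageSnapshot(): reads through snapshotState. If
    // "this" is null, that read lands at a small fixed offset from address 0,
    // which is how an ASan "UNKNOWN READ" at an address like 0xc presents.
    int newSnapshot() { return ++snapshotState->generation; }
};

// Hypothetical backing-store limit standing in for whatever makes the real
// allocation fail (out of memory, GPU resource limits, etc.).
constexpr size_t kMaxPixels = 4096u * 4096u;

// Fallible factory: returns nullptr instead of throwing, like an allocation
// that can fail. Callers must check the result.
std::unique_ptr<ImageBuffer> createImageBuffer(size_t w, size_t h) {
    if (w == 0 || h == 0 || w > SIZE_MAX / h || w * h > kMaxPixels)
        return nullptr;
    return std::make_unique<ImageBuffer>(w, h);
}

struct CanvasElement {
    std::unique_ptr<ImageBuffer> buffer;
    CanvasElement(size_t w, size_t h) : buffer(createImageBuffer(w, h)) {}
    bool hasImageBuffer() const { return buffer != nullptr; }
};

// BEFORE the fix: the pattern that crashes. If buffer is null this calls a
// member function on a null pointer and reads snapshotState through it.
// It is never invoked on a failed canvas in this file; it is here only to
// show the unchecked form beside the checked one.
int toImageDataUnchecked(CanvasElement& canvas) {
    return canvas.buffer->newSnapshot();
}

// AFTER the fix: refuse to snapshot when the buffer never got allocated.
// Returns false (and leaves *snapshotId untouched) instead of crashing.
bool toImageDataChecked(CanvasElement& canvas, int* snapshotId) {
    if (!canvas.hasImageBuffer())
        return false;
    *snapshotId = canvas.buffer->newSnapshot();
    return true;
}

// toBlob() analogue: propagate the failure to the caller (the real one would
// invoke the blob callback with null) rather than dereferencing a null buffer.
bool toBlob(CanvasElement& canvas) {
    int id = 0;
    return toImageDataChecked(canvas, &id);
}

// Helper for the self-check: build a canvas of the given size and try toBlob().
bool toBlobSucceedsFor(size_t w, size_t h) {
    CanvasElement canvas(w, h);
    return toBlob(canvas);
}

int main() {
    std::printf("64x64:         %s\n", toBlobSucceedsFor(64, 64) ? "ok" : "no buffer");
    std::printf("100000x100000: %s\n", toBlobSucceedsFor(100000, 100000) ? "ok" : "no buffer");
    return 0;
}
```

The point of the checked form is that the failure is surfaced to the caller as a return value, so toBlob() can report "no data" instead of the renderer process dying on a null read; in the real fix this check guards the call site in HTMLCanvasElement.cpp (and a sibling one in WebGLRenderingContextBase.cpp) rather than a hypothetical factory like the one here.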
Sep 14 2016
,
Sep 15 2016
ClusterFuzz has detected this issue as fixed in range 418539:418579.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6372973881851904

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000000c
Crash State:
  blink::ImageBuffer::newSkImageSnapshot
  blink::HTMLCanvasElement::toImageData
  blink::HTMLCanvasElement::toBlob

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=415934:416233
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=418539:418579

Minimized Testcase (19.86 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96LQwxLE9mzrEt77TFp8-Auml3cqhAIBQA-55Alvb1wrj5VYMGBuMMNcuGqMQEKRdGzREnyObkbZqzinmS_j5BiHoXfw6TlviNvComt54R_gVhUZ6yX-lDQOFSYZSKIS06vEAf6dLfqbTKgdcbwJk8sT3wYsl0SiNABxe_i2s5GIPw79Jg?testcase_id=6372973881851904

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ashej...@chromium.org, Sep 7 2016
Components: Blink>Canvas Blink>HTML Tools>Test>FindIt>CorrectResult
Labels: M-55 Te-Logged
Owner: junov@chromium.org
Status: Assigned (was: Untriaged)