New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 659280 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Crash in base::debug::DebugBreak

Project Member Reported by ClusterFuzz, Oct 25 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6029853636952064

Fuzzer: libfuzzer_text_resource_decoder_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e90000228f
Crash State:
  base::debug::DebugBreak
  blink::SegmentedString::advanceAndASSERT
  blink::HTMLTokenizer::nextToken
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=423501:423546

Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv950tE-JtSt7Ei7u7hcWZZphOqFg5ajZWw27uUeZeuQ1ijb2WwlOjEwZIpajvGwUtjyxEyqpH0_PhTICKTARE9gqK2Y-4S8JwsyxiMa-VwdX4JAcMJ-aA2HLP42qco4K8P13I8Z_47DCOYBTYFrtVT0CX3tsrQ?testcase_id=6029853636952064

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Components: Blink>HTML>Parser Blink>HTML
Labels: M-55 Te-Logged
Owner: tkent@chromium.org
Status: Assigned (was: Untriaged)
Suspected CL
https://chromium.googlesource.com/chromium/src/+/808f09ae9b773d69c271aedd63157b2b020cd0a2%5E%21/third_party/WebKit/Source/platform/text/SegmentedString.h

tkent@, could you please take a look and help us to find correct owner if it is not related your changes.

Comment 2 by tkent@chromium.org, Oct 25 2016

Components: -Blink>HTML
Owner: kouhei@chromium.org
Status: Untriaged (was: Assigned)
This is not related to my change.
Assign kouhei@ for triage.

Cc: mmoroz@chromium.org
+mmoroz, do you know if clusterfuzz was executing ASSERT_UNUSED? tkent your patch might have exposed this dcheck actually :)

Comment 4 by mmoroz@chromium.org, Oct 29 2016

Hm, as I see:

-#define ASSERT_UNUSED(variable, assertion) ASSERT(assertion)


for debug build both ASSERT and DCHECK should be available. I don't think that replacing of ASSERT_UNUSED wit DCHECK could cause the crash.

Comment 5 by mmoroz@chromium.org, Oct 29 2016

Cc: csharrison@chromium.org
Cc: dominicc@chromium.org
Status: Started (was: Untriaged)
Confirmed local repro
OK. Looks like it is the fuzzer that's broken. The HTMLTokenizerNames are all null.
Project Member

Comment 11 by bugdroid1@chromium.org, Nov 1 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/923cc839a733579c5b768f1f9c2d84729c72f833

commit 923cc839a733579c5b768f1f9c2d84729c72f833
Author: kouhei <kouhei@chromium.org>
Date: Tue Nov 01 12:22:56 2016

TextResourceDecoderFuzzer should use blink::InitializeBlinkFuzzTest

Before this CL, TextResourceDecoder was run on uninitialized Blink platform.
This CL ensures Blink is initialized by using blink::InitializeBlinkFuzzTest.

BUG= 659280 

Review-Url: https://codereview.chromium.org/2465213002
Cr-Commit-Position: refs/heads/master@{#428986}

[modify] https://crrev.com/923cc839a733579c5b768f1f9c2d84729c72f833/third_party/WebKit/Source/core/BUILD.gn
[modify] https://crrev.com/923cc839a733579c5b768f1f9c2d84729c72f833/third_party/WebKit/Source/core/html/parser/TextResourceDecoderFuzzer.cpp

Project Member

Comment 12 by ClusterFuzz, Nov 2 2016

ClusterFuzz has detected this issue as fixed in range 428837:429212.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6029853636952064

Fuzzer: libfuzzer_text_resource_decoder_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e90000228f
Crash State:
  base::debug::DebugBreak
  blink::SegmentedString::advanceAndASSERT
  blink::HTMLTokenizer::nextToken
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=423501:423546
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=428837:429212

Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv950tE-JtSt7Ei7u7hcWZZphOqFg5ajZWw27uUeZeuQ1ijb2WwlOjEwZIpajvGwUtjyxEyqpH0_PhTICKTARE9gqK2Y-4S8JwsyxiMa-VwdX4JAcMJ-aA2HLP42qco4K8P13I8Z_47DCOYBTYFrtVT0CX3tsrQ?testcase_id=6029853636952064

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 13 by ClusterFuzz, Nov 2 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 14 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment