New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 676571 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Crash in SkSurface::makeImageSnapshot

Project Member Reported by ClusterFuzz, Dec 22 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6511854588526592

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000028
Crash State:
  SkSurface::makeImageSnapshot
  blink::HTMLCanvasElement::getSourceImageForCanvas
  blink::HTMLCanvasElement::getSourceImageForCanvas
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=440099:440242

Minimized Testcase (0.31 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97eRPKf3RqbLqisL0YJJQSAW_Jp7MvVHZidBd9IzUtX4OMUclIISqLxEzQE4L4aYlNpBd0GsBlL8M-YyRTTZTaffgKRGeEgLoNr0cT86cqa_ISmcGVr00ybsEjoF8502MqaH7C-20VQfSe8O3d-5A2JywZmbw?testcase_id=6511854588526592
<script src="../resources/webgl-test-utils.js"></script>
<canvas id="canvas"" width="134217728"> <canvas id="canvas2d"</canvas>
<script>
var wtu = WebGLTestUtils;
var ctx2d = canvas2d.getContext("2d");
var gl = wtu.create3DContext(canvas);
if (!gl) {
} else {
    ctx2d.drawImage(canvas, 0,0, 40, 40);
}
</script>


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Components: Blink>Canvas Blink>HTML
Labels: Test-Predator-Correct-CLs
Owner: junov@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Find it results --
The result is a list of CLs that change the crashed files. 

Author: junov
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/aaee8c63e6a1716c78b5e5715e1f96b8df4ed1e3
Time: Wed Dec 21 21:59:14 2016
Lines 118-123, 1256 of file HTMLCanvasElement.cpp which potentially caused crash are changed in this cl (frame #2, "createTransparentSkImage"; frame #3, "blink::HTMLCanvasElement::getSourceImageForCanvas").
Minimum distance from crash line to modified line: 0. (file: HTMLCanvasElement.cpp, crashed on: 1253, modified: 1253).

@junov -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Project Member

Comment 2 by ClusterFuzz, Dec 24 2016

ClusterFuzz has detected this issue as fixed in range 440490:440591.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6511854588526592

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000028
Crash State:
  SkSurface::makeImageSnapshot
  blink::HTMLCanvasElement::getSourceImageForCanvas
  blink::HTMLCanvasElement::getSourceImageForCanvas
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=440099:440242
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=440490:440591

Minimized Testcase (0.31 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97eRPKf3RqbLqisL0YJJQSAW_Jp7MvVHZidBd9IzUtX4OMUclIISqLxEzQE4L4aYlNpBd0GsBlL8M-YyRTTZTaffgKRGeEgLoNr0cT86cqa_ISmcGVr00ybsEjoF8502MqaH7C-20VQfSe8O3d-5A2JywZmbw?testcase_id=6511854588526592
<script src="../resources/webgl-test-utils.js"></script>
<canvas id="canvas"" width="134217728"> <canvas id="canvas2d"</canvas>
<script>
var wtu = WebGLTestUtils;
var ctx2d = canvas2d.getContext("2d");
var gl = wtu.create3DContext(canvas);
if (!gl) {
} else {
    ctx2d.drawImage(canvas, 0,0, 40, 40);
}
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 3 by ClusterFuzz, Dec 24 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6511854588526592 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment