
Issue 676866 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Crash in SkOpSpanBase::final

Project Member Reported by ClusterFuzz, Dec 24 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4682955239981056

Fuzzer: libfuzzer_skia_pathop_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  SkOpSpanBase::final
  SkOpSpanBase::upCastable
  SkOpCoincidence::apply
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=427111:427178

Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv957mxbMqBwotqTrTYK_PmRRpywljSOFeWERMOGdwS7gFLiiJReA_hkUY-W5NY8lHv0-9ILPbGQWmAnQI6MowtmsQsu6w8dm3rTD43sKf9ZKEWAIWlfT_ZkL7iYZgdjGd_R_IMuVdKX45Ugbqd00qhoVP_aMiQ?testcase_id=4682955239981056

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: msrchandra@chromium.org
Components: Internals>Skia
Labels: Test-Predator-Correct-CLs
Owner: caryclark@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concerned owner from Findit results --
The result is a list of CLs that changed the crashed files.

Author: caryclark
Project: chromium-skia
Changelist: https://chromium.googlesource.com/skia.git/+/1326068147ee60de138061a3fc1157fcfd5d017b
Time: Mon Oct 24 12:10:14 2016
File SkPathOpsOp.cpp is changed in this cl (and is part of stack frame #4, "OpDebug")
Minimum distance from crash line to modified line: 11. (file: SkPathOpsOp.cpp, crashed on: 308, modified: 319).

@caryclark -- Could you please look into the issue, and kindly re-assign if it is not related to your changes.
Thank you.
Project Member Comment 2 by bugdroid1@chromium.org, Jan 3 2017

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/5a2057aee9c6293c3dc78cfb013c06ea707d39e4

commit 5a2057aee9c6293c3dc78cfb013c06ea707d39e4
Author: Cary Clark <caryclark@google.com>
Date: Tue Jan 03 15:47:34 2017

fix fuzzer

abort if incoming data is out of range

TBR=reed@google.com
BUG= 676866 

Change-Id: I7d4850611654a399e32ea2012b23ca369dc53e70
Reviewed-on: https://skia-review.googlesource.com/6525
Reviewed-by: Cary Clark <caryclark@google.com>
Commit-Queue: Cary Clark <caryclark@google.com>

[modify] https://crrev.com/5a2057aee9c6293c3dc78cfb013c06ea707d39e4/src/pathops/SkOpCoincidence.cpp
[modify] https://crrev.com/5a2057aee9c6293c3dc78cfb013c06ea707d39e4/tests/PathOpsOpTest.cpp

Project Member Comment 3 by bugdroid1@chromium.org, Jan 3 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4d82a20c967489dec3695b6d4255c7755efc2a7c

commit 4d82a20c967489dec3695b6d4255c7755efc2a7c
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Tue Jan 03 17:45:16 2017

Roll src/third_party/skia/ 3de1adf80..55325b7c5 (3 commits).

https://skia.googlesource.com/skia.git/+log/3de1adf800c6..55325b7c59fe

$ git log 3de1adf80..55325b7c5 --date=short --no-merges --format='%ad %ae %s'
2017-01-03 halcanary clean up non-ASCII comments
2017-01-03 caryclark fix fuzzer
2017-01-02 msarett Use nullptr instead of png_NULL in SkPNGImageEncoder

BUG= 676866 

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
TBR=csmartdalton@google.com

Review-Url: https://codereview.chromium.org/2603383002
Cr-Commit-Position: refs/heads/master@{#441150}

[modify] https://crrev.com/4d82a20c967489dec3695b6d4255c7755efc2a7c/DEPS

Status: Fixed (was: Assigned)
Project Member Comment 5 by ClusterFuzz, Jan 4 2017

ClusterFuzz has detected this issue as fixed in range 441127:441152.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4682955239981056

Fuzzer: libfuzzer_skia_pathop_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  SkOpSpanBase::final
  SkOpSpanBase::upCastable
  SkOpCoincidence::apply
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=427111:427178
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=441127:441152

Minimized Testcase (0.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv957mxbMqBwotqTrTYK_PmRRpywljSOFeWERMOGdwS7gFLiiJReA_hkUY-W5NY8lHv0-9ILPbGQWmAnQI6MowtmsQsu6w8dm3rTD43sKf9ZKEWAIWlfT_ZkL7iYZgdjGd_R_IMuVdKX45Ugbqd00qhoVP_aMiQ?testcase_id=4682955239981056

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
