Abrt in FXMEM_DefaultFree
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5856150611558400

Fuzzer: libFuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x03e900000d9a
Crash State:
  FXMEM_DefaultFree
  TIFFCleanup
  TIFFClientOpen

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=508791:508824

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5856150611558400

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Nov 4 2017
Probably bug 780709. Will let CF figure this out on its own in a day or two.
Nov 6 2017
Predator and CL could not provide any possible suspects. Using the code search for the file “fx_memory.cpp”, assigning to the concerned owner from git blame. Suspecting commit https://pdfium.googlesource.com/pdfium.git/+/ed099befbb300d6f9c393cb415fdb2a68c2ef471. @tsepez -- Could you please look into this issue, and kindly reassign if it has nothing to do with your changes. Thank you.
Nov 6 2017
Probably bug 780709. Rerunning CF...
Nov 6 2017
Nope, that's not it. palmer: Can you help take a look? Not sure why PartitionAlloc is upset.
Nov 6 2017
i.e. Is a bad cookie a sign of memory corruption? I checked the non-PartitionAlloc build with ASAN and Valgrind and both came back clean.
Nov 6 2017
Is r463047 related to this somehow? Here's what I'm seeing:

_TIFFrealloc (nil) of size 1224 returns 0xDEAD0010
PartitionCookieWriteValue 0xDEAD0000
PartitionCookieWriteValue 0xDEAD04f0 <-- original end location
_TIFFrealloc 0xDEAD0010 of size 1224 returns 0xDEAD0010
PartitionCookieWriteValue 0xDEAD04d8
_TIFFrealloc 0xDEAD0010 of size 1232 returns 0xDEAD0010
PartitionCookieWriteValue 0xDEAD04e0
_TIFFrealloc 0xDEAD0010 of size 1240 returns 0xDEAD0010
PartitionCookieWriteValue 0xDEAD04e8 <-- end location has changed 3 times now
_TIFFfree 0xDEAD0010
PartitionCookieCheckValue 0xDEAD0000
PartitionCookieCheckValue 0xDEAD04f0 <-- still checking original end location

Nov 6 2017
Here's a minimal test to trigger the DCHECK, at least in my Chromium checkout:
----
TEST_F(PartitionAllocTest, ReallocMovesCookies2) {
  const size_t kSize = 256 + 8;
  void* ptr = PartitionAllocGeneric(generic_allocator.root(), kSize, type_name);
  EXPECT_TRUE(ptr);
  // Grow by a few bytes only, so the realloc is serviced in place.
  ptr = PartitionReallocGeneric(generic_allocator.root(), ptr, kSize + 16,
                                type_name);
  EXPECT_TRUE(ptr);
  // Freeing runs the cookie check that fails.
  PartitionFreeGeneric(generic_allocator.root(), ptr);
}
----
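To make the trace and the minimal test above concrete, here is an added example; it is not PartitionAlloc's or Chromium's code, and it is not from anyone in this thread. It is a toy model of a bucketed allocator with 16-byte guard cookies: an allocation is served from a slot rounded up to a bucket size, a cookie is written before and after the bucket-sized payload, and free verifies both. The buggy in-place realloc writes the trailing cookie at the new requested end, while free keeps checking the bucket end, which is the pattern the trace shows (the write location moves, the check location does not). The 32-byte bucket granularity, the 0xA0.. cookie pattern, and every name in the `cookie_model` namespace are constructed for this model and are not PartitionAlloc identifiers.

```cpp
// Added example, not PartitionAlloc's own code: a toy model of a bucketed
// allocator with 16-byte guard cookies, reproducing the mismatch in the trace
// above. Bucket granularity, the cookie pattern and all sizes are constructed.
#include <cstddef>
#include <initializer_list>
#include <vector>

namespace cookie_model {

constexpr size_t kCookieSize = 16;
constexpr size_t kBucketGranularity = 32;  // constructed; real buckets differ

// A 16-byte patterned cookie (constructed). A pattern, rather than one repeated
// byte, is what makes a cookie written 8 bytes too early fail the check.
unsigned char CookieByte(size_t i) { return static_cast<unsigned char>(0xA0 + i); }

// Round a request up to the bucket that serves it (1224 -> 1248 here, which is
// the 0x4e0 payload the trace's original end location 0x4f0 implies).
size_t BucketSize(size_t requested) {
  return (requested + kBucketGranularity - 1) / kBucketGranularity * kBucketGranularity;
}

// Layout of one slot: [cookie][bucket-sized payload][cookie].
struct Slot {
  std::vector<unsigned char> bytes;
  size_t bucket = 0;
};

void WriteCookie(Slot& s, size_t offset) {
  for (size_t i = 0; i < kCookieSize; ++i) s.bytes[offset + i] = CookieByte(i);
}

bool CheckCookie(const Slot& s, size_t offset) {
  for (size_t i = 0; i < kCookieSize; ++i)
    if (s.bytes[offset + i] != CookieByte(i)) return false;
  return true;
}

Slot Alloc(size_t requested) {
  Slot s;
  s.bucket = BucketSize(requested);
  s.bytes.assign(kCookieSize + s.bucket + kCookieSize, 0);
  WriteCookie(s, 0);
  WriteCookie(s, kCookieSize + s.bucket);
  return s;
}

// Buggy in-place realloc: stays in the same bucket but writes the trailing
// cookie at the new *requested* end. When new_size is within 16 bytes of the
// bucket end, this partially overwrites the cookie that Free() will check.
bool ReallocInPlaceBuggy(Slot& s, size_t new_size) {
  if (BucketSize(new_size) != s.bucket) return false;  // would not be in place
  WriteCookie(s, kCookieSize + new_size);
  return true;
}

// Fixed in-place realloc (the model's assumption of correct behaviour): the
// trailing cookie always lives at the bucket end, so it is rewritten there.
bool ReallocInPlaceFixed(Slot& s, size_t new_size) {
  if (BucketSize(new_size) != s.bucket) return false;
  WriteCookie(s, kCookieSize + s.bucket);
  return true;
}

// Free verifies both cookies using the bucket size, as the trace's
// PartitionCookieCheckValue at the original end location does.
bool Free(const Slot& s) {
  return CheckCookie(s, 0) && CheckCookie(s, kCookieSize + s.bucket);
}

// Allocate `initial` bytes, realloc in place through each size in `steps`,
// then report whether Free() accepts the slot. Generalises both the trace
// (1224 -> 1224, 1232, 1240) and the minimal test (264 -> 280).
bool ReallocThenFreePasses(size_t initial, std::initializer_list<size_t> steps,
                           bool use_fixed_realloc) {
  Slot s = Alloc(initial);
  for (size_t n : steps) {
    bool ok = use_fixed_realloc ? ReallocInPlaceFixed(s, n)
                                : ReallocInPlaceBuggy(s, n);
    if (!ok) return false;
  }
  return Free(s);
}

// The exact sequence from the trace above.
bool TraceScenarioPasses(bool use_fixed_realloc) {
  return ReallocThenFreePasses(1224, {1224, 1232, 1240}, use_fixed_realloc);
}

}  // namespace cookie_model
```

With the buggy realloc, the 1224- and 1232-byte steps land their cookie entirely before the bucket-end cookie and leave it intact, but the 1240-byte step overlaps it by 8 bytes, so the pattern bytes at the checked offset are wrong and the model's free fails; the fixed variant rewrites the cookie at the bucket end and passes for the same sequence and for the 264 to 280 case from the minimal test.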
Nov 6 2017
Here's a CL: https://chromium-review.googlesource.com/756179
Nov 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3e6a1e15dce9d46a5661896a17e9e4fb3ba99d2d

commit 3e6a1e15dce9d46a5661896a17e9e4fb3ba99d2d
Author: Lei Zhang <thestig@chromium.org>
Date: Tue Nov 07 06:22:29 2017

Fix PartitionAlloc cookies for small in-place reallocs.

BUG=781473
Change-Id: I45866a704b5b112804cb478260c0a5273597cf5f
Reviewed-on: https://chromium-review.googlesource.com/756179
Commit-Queue: Lei Zhang <thestig@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#514411}

[modify] https://crrev.com/3e6a1e15dce9d46a5661896a17e9e4fb3ba99d2d/base/allocator/partition_allocator/partition_alloc.cc
[modify] https://crrev.com/3e6a1e15dce9d46a5661896a17e9e4fb3ba99d2d/base/allocator/partition_allocator/partition_alloc_unittest.cc

Nov 7 2017
Oh, I probably need to port the fix to PDFium.
Nov 7 2017
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/c9653fb272dd2d006a2725c42b5a36ffafb099a7

commit c9653fb272dd2d006a2725c42b5a36ffafb099a7
Author: Lei Zhang <thestig@chromium.org>
Date: Tue Nov 07 18:54:51 2017

Fix PartitionAlloc cookies for small in-place reallocs.

This ports the non-test portion of Chromium commit r514411 to PDFium.

BUG=chromium:781473
Change-Id: Iab203edf3cb49a491aca5e524815a15e74f47581
Reviewed-on: https://pdfium-review.googlesource.com/17990
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/c9653fb272dd2d006a2725c42b5a36ffafb099a7/third_party/base/allocator/partition_allocator/partition_alloc.cc

Nov 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d8acd8b5af6c8cf010932d8130cc652025aeef71

commit d8acd8b5af6c8cf010932d8130cc652025aeef71
Author: pdfium-deps-roller@chromium.org <pdfium-deps-roller@chromium.org>
Date: Tue Nov 07 23:44:03 2017

Roll src/third_party/pdfium/ 979e916fd..58629a0e4 (30 commits)

https://pdfium.googlesource.com/pdfium.git/+log/979e916fde75..58629a0e49e4

$ git log 979e916fd..58629a0e4 --date=short --no-merges --format='%ad %ae %s'
2017-11-07 dsinclair Rename CXFA_Value to CXFA_ValueData
2017-11-07 dsinclair Rename CXFA_Validate to CXFA_ValidateData
2017-11-07 dsinclair Rename CXFA_ToolTip to CXFA_ToolTipData
2017-11-07 dsinclair Rename CXFA_Text to CXFA_TextData
2017-11-07 dsinclair Rename CXFA_Submit to CXFA_SubmitData
2017-11-07 dsinclair Rename CXFA_Stroke to CXFA_StrokeData
2017-11-07 dsinclair Rename CXFA_Script to CXFA_ScriptData
2017-11-07 dsinclair Rename CXFA_Rectangle to CXFA_RectangleData
2017-11-07 dsinclair Rename CXFA_Para to CXFA_ParaData
2017-11-07 dsinclair Rename CXFA_Occur to CXFA_OccurData
2017-11-07 dsinclair Rename CXFA_Margin to CXFA_MarginData
2017-11-07 rharrison Revert cleanup of IsHyphen and reimplement
2017-11-07 dsinclair Rename CXFA_Line to CXFA_LineData
2017-11-07 dsinclair Rename CXFA_Image to CXFA_ImageData
2017-11-07 dsinclair Rename CXFA_Font to CXFA_FontData
2017-11-07 dsinclair Rename CXFA_Fill to CXFA_FillData
2017-11-07 dsinclair Rename CXFA_Event to CXFA_EventData
2017-11-07 dsinclair Rename CXFA_Edge to CXFA_EdgeData
2017-11-07 dsinclair Rename CXFA_Corner to CXFA_CornerData
2017-11-07 npm Use MaybeOwned in CJBig2_Image
2017-11-07 thestig Fix PartitionAlloc cookies for small in-place reallocs.
2017-11-07 dsinclair Rename CXFA_Caption to CXFA_CaptionData
2017-11-07 dsinclair Rename CXFA_Calculate to CXFA_CalculateData
2017-11-07 dsinclair Rename CXFA_Box to CXFA_BoxData
2017-11-07 dsinclair Rename CXFA_Border to CXFA_BorderData
2017-11-07 dsinclair Rename CXFA_Bind to CXFA_BindData
2017-11-07 dsinclair Rename CXFA_BindItems to CXFA_BindItemsData
2017-11-07 dsinclair Rename CXFA_Assist to CXFA_AssistData
2017-11-07 dsinclair Rename CXFA_Arc to CXFA_ArcData
2017-11-07 npm Roll pdfium/third_party/freetype/src/ 91015cb41..8f5568bfc (5 commits)

Created with:
  roll-dep src/third_party/pdfium

BUG=781804, 781473

The AutoRoll server is located here: https://pdfium-roll.skia.org

Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

TBR=dsinclair@chromium.org
Change-Id: I928e7a20e996be289a8f914a7184b30665fbf283
Reviewed-on: https://chromium-review.googlesource.com/757260
Reviewed-by: <pdfium-deps-roller@chromium.org>
Commit-Queue: <pdfium-deps-roller@chromium.org>
Cr-Commit-Position: refs/heads/master@{#514650}

[modify] https://crrev.com/d8acd8b5af6c8cf010932d8130cc652025aeef71/DEPS
Nov 8 2017
ClusterFuzz has detected this issue as fixed in range 514643:514680.

Detailed report: https://clusterfuzz.com/testcase?key=5856150611558400

Fuzzer: libFuzzer_pdf_codec_tiff_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x03e900000d9a
Crash State:
  FXMEM_DefaultFree
  TIFFCleanup
  TIFFClientOpen

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=508791:508824
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=514643:514680

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5856150611558400

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 8 2017
ClusterFuzz testcase 4893665888829440 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 1 by ClusterFuzz, Nov 4 2017
Labels: Test-Predator-AutoComponents