ASSERT: prev.elementAti(t_boundary.elementAti(numBreaks - 1)) == 0
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5938875993423872
Fuzzer: libFuzzer_icu_break_iterator_utf32_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
  prev.elementAti(t_boundary.elementAti(numBreaks - 1)) == 0
  icu_60::CjkBreakEngine::divideUpDictionaryRange
  icu_60::DictionaryBreakEngine::findBreaks
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=525358:525394
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5938875993423872

Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
Dec 21 2017
From bug 723513 comment 3 and comment 4:

Testcase has an invalid UTF-8. 𧻓㌛蟟m followed by 0xE8. Given that only valid UTF-8 or UTF-16 is fed to the API in question in Chromium/Blink, the risk wouldn't be that high. Anyway, the ICU code in question needs to be hardened.

Comment 4 by jshin@chromium.org, Jun 13
The byte sequences of the minimized test string: ef ab 97 e3 8c 9b e8 9f 9f 6d e8
3 characters (of 3 bytes in UTF-8) followed by 'm' and followed by 0xE8.
,
Jan 13 2018
This one (unlike bug 723513) has a valid UTF-32 input: 29 00 02 00 00 33 00 00 00 c4 02 00 (U+20029, U+3300, U+2C400)
,
Jan 17 2018
An upstream bug was filed with a standalone test program: http://www.icu-project.org/trac/ticket/13549
,
Jan 17 2018
Upstream bug is now assigned. The input for bug 723513 also leads to the same assertion failure (after being converted to UTF-8 with UnicodeString::fromUTF8(). Invalid sequences are converted to U+FFFD).
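An added example (not code from this bug, from ICU or from ClusterFuzz) that decodes the two test inputs quoted in the comments above and shows where the non-BMP characters fall in UTF-16 code units, which is the index space ICU's BreakIterator reports boundaries in when it iterates over a UnicodeString. The little-endian byte order is assumed from the listing, and the U+FFFD replacement mirrors the fromUTF8() behaviour described in the previous comment.

```python
from typing import List, Tuple

# Constructed from the byte listings quoted in the comments above.
UTF32_TESTCASE = bytes.fromhex("29000200 00330000 00c40200")
UTF8_TESTCASE = bytes.fromhex("efab97 e38c9b e89f9f 6d e8")


def decode_utf32_testcase(raw: bytes) -> str:
    """Decode raw fuzzer bytes as little-endian UTF-32 (assumed from the
    byte order of the listing) and reject anything that is not well-formed."""
    if len(raw) % 4 != 0:
        raise ValueError("UTF-32 input must be a multiple of 4 bytes")
    # The codec raises on code points above U+10FFFF and on surrogates,
    # so malformed input fails loudly instead of being silently repaired.
    return raw.decode("utf-32-le")


def decode_utf8_lossy(raw: bytes) -> str:
    """Mirror the behaviour the comment describes for UnicodeString::fromUTF8():
    invalid or truncated sequences become U+FFFD instead of aborting."""
    return raw.decode("utf-8", errors="replace")


def utf16_layout(text: str) -> List[Tuple[str, int, int]]:
    """For each code point return (U+XXXX, UTF-16 start offset, code units).
    A supplementary (non-BMP) character takes two code units, so code-point
    counts and UTF-16 boundary offsets diverge as soon as one appears."""
    layout = []
    offset = 0
    for ch in text:
        units = 2 if ord(ch) > 0xFFFF else 1
        layout.append((f"U+{ord(ch):04X}", offset, units))
        offset += units
    return layout


def utf16_length(text: str) -> int:
    """Total UTF-16 code units, i.e. what UnicodeString::length() reports."""
    return sum(units for _, _, units in utf16_layout(text))


if __name__ == "__main__":
    for label, text in (("UTF-32", decode_utf32_testcase(UTF32_TESTCASE)),
                        ("UTF-8", decode_utf8_lossy(UTF8_TESTCASE))):
        print(label, utf16_layout(text), "->", utf16_length(text), "code units")
```

Both inputs are three or four characters long by code-point count but five UTF-16 code units long, which is the mismatch any boundary bookkeeping over a UnicodeString has to get right for supplementary characters.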
,
Jan 17 2018
,
Apr 12 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/deps/icu.git/+/aff99f5c22aded55ee29753ce049e61570294967

commit aff99f5c22aded55ee29753ce049e61570294967
Author: Jungshik Shin <jshin@chromium.org>
Date: Thu Apr 12 20:51:41 2018

Cherry pick 3 patches from the upstream

* Fix the undefined behavior in decimal number parsing
  http://bugs.icu-project.org/trac/changeset/40950
* Fix the handling of non-BMP characters in CJK breakiterator
  http://www.icu-project.org/trac/changeset/40949
* Limit the recursion depth of UnicodeSet pattern
  http://bugs.icu-project.org/trac/changeset/40979

TBR=inferno@chromium.org
Bug: chromium:799850, chromium:796807, chromium:796752
Test: See the bugs.
Change-Id: I1a8909371b601f36faca911039b10d36c7a92c85
Reviewed-on: https://chromium-review.googlesource.com/1009001
Reviewed-by: Jungshik Shin <jshin@chromium.org>

[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/README.chromium
[add] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/patches/cjkdict_nonbmp.patch
[add] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/patches/number_ub.patch
[add] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/patches/uset_depth.patch
[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/source/common/dictbe.cpp
[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/source/common/unicode/uniset.h
[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/source/common/uniset_closure.cpp
[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/source/common/uniset_props.cpp
[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/source/i18n/decNumber.cpp
,
Apr 13 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bcb59cd6dd0e451d00d47b3d4a42a146dd307add

commit bcb59cd6dd0e451d00d47b3d4a42a146dd307add
Author: Jungshik Shin <jshin@chromium.org>
Date: Fri Apr 13 00:33:00 2018

Roll ICU to aff99f5

There are two changes:
https://chromium.googlesource.com/chromium/deps/icu.git/+log/d888fd2..aff99f5

$ git log d888fd2..aff99f5 --date=short --no-merges --format='%ad %ae %s'
2018-04-11 jshin@chromium.org Cherry pick 3 patches from the upstream
2018-04-10 jshin@chromium.org Update IANA tzdb to 2018d and apply a fix for long word selection

TBR=mark@chromium.org,inferno@chromium.org
Bug: chromium:799850, chromium:796807, chromium:796752
Bug: chromium:829144, chromium:473288
Test: See the two ICU cls above.
Change-Id: I0adf27e01c0349bd00d4916567bdc0bc70483439
Reviewed-on: https://chromium-review.googlesource.com/1011238
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550435}

[modify] https://crrev.com/bcb59cd6dd0e451d00d47b3d4a42a146dd307add/DEPS
,
Apr 13 2018
ClusterFuzz has detected this issue as fixed in range 550400:550448.

Detailed report: https://clusterfuzz.com/testcase?key=5938875993423872
Fuzzer: libFuzzer_icu_break_iterator_utf32_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
  prev.elementAti(t_boundary.elementAti(numBreaks - 1)) == 0
  icu_60::CjkBreakEngine::divideUpDictionaryRange
  icu_60::DictionaryBreakEngine::findBreaks
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=525358:525394
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=550400:550448
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5938875993423872

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 13 2018
ClusterFuzz testcase 5938875993423872 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Apr 25 2018
The following revision refers to this bug: https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/82e8c77b1e704e509f1a8aefa4f5e3380943405d

commit 82e8c77b1e704e509f1a8aefa4f5e3380943405d
Author: Jungshik Shin <jungshik@google.com>
Date: Wed Apr 25 16:57:19 2018
Comment 1 by kkaluri@chromium.org, Dec 21 2017
Labels: M-65 Test-Predator-Wrong
Owner: js...@chromium.org
Status: Assigned (was: Untriaged)