Predator and CL could not provide any possible suspects.
Using Code Search for the file, "uniset_props.cpp" assigning to the concern owner because of his recent work on suspect file.

jshin@ -- Could you please look into the issue, kindly assign it to concern owner.


Thank You.

With an invalid UTF-8 input from sqlite, UnicodeSet goes into an infinite loop in 
a while loop starting at 
https://cs.chromium.org/chromium/src/third_party/icu/source/common/uniset_props.cpp?sq=package:chromium&l=474 

ApplyPattern() at 

https://cs.chromium.org/chromium/src/third_party/icu/source/common/uniset_props.cpp?sq=package:chromium&l=582

does not seem to move |chars|.  

>  https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=518239:518261

The regression range is a bit odd. The only ICU change in the range is 
https://chromium-review.googlesource.com/c/chromium/deps/icu/+/760120 . Reverting that change does not help (I still can reproduce this issue with that CL reverted.)


Actually, there's no ICU change in the range.  Perhaps, a fuzz test was added or updated in the range (but I don't see that, either).  

Anyway, I can reproduce it. 

I'm not sure if there's a way to inject *invalid* UTF-8 sql statement to sqlite in Chrome.  

It appears that the input string from sqlite fuzzer is not null-terminated (even though it's claimed to be) leading to an infinite loop. 
I'll keep looking. 

Hmm...  the input (converted to UTF-16 by sqlite) passed to ICU regex engine is terminated. 

Breakpoint 3, u_strlen_60 (s=0x286830 u<error reading variable>)
    at ../../third_party/icu/source/common/ustring.cpp:1003
1003        return t - s;
(gdb) p t
$2 = (const UChar *) 0x2a4794 u""
(gdb) p s
$3 = (const UChar *) 0x286830 u<error reading variable>
(gdb) p t - s
$4 = 61362

(gdb) x/40xh 0x286830+122710
0x2a4786:       0x007b  0x003a  0x005d  0x003b  0x003b  0x003b  0x004e  0x0000
0x2a4796:       0x0000  0x0000  0x0000  0x0000  0x0000  0x0000  0x0000  0x0000
0x2a47a6:       0x0000  0x0000  0x0000  0x0000  0x0000  0x0000  0x0000  0x0000
0x2a47b6:       0x0000  0x2851  0x0000  0x0000  0x0000  0x0000  0x0000  0x0000
0x2a47c6:       0x0000  0x0000  0x0000  0x0000  0x0000  0x0000  0x0000  0x0000

Most of the input above is passed to icu::UnicodeSet ctro as |pattern| (set specifier). During UnicodeSet construction, applyPattern() is called repeatedly eventually leading to a stack overflow. 

I've just filed an upstream bug ( http://bugs.icu-project.org/trac/ticket/13547 : not accessible to the public). 

A stand-alone reproducible test program was attached to the ICU bug. 

The above ICU bug is now assigned. Will wait for an upstream fix. 

Abhishek, how much do we have to worry about a stack overflow in renderer?  

Pri-3, stack overflow is just oom. also this is not happening frequently, so not a blocker.

Thank you !  I'll just pick up an upstream patch when it's ready (most likely to  limit the stack depth somewhat arbitrarily). 

ClusterFuzz has detected this issue as fixed in range 535445:535466.

Detailed report: https://clusterfuzz.com/testcase?key=4660727213457408

Fuzzer: libFuzzer_sqlite3_ossfuzz_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffe529e4ff8
Crash State:
  icu_60::UnicodeSet::applyPattern
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=518239:518261
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=535445:535466

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4660727213457408

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4660727213457408 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This issue was re-reported ( bug 812309 )

 Issue 812309  has been merged into this issue.

Fixed in public ICU, now in code review: http://bugs.icu-project.org/trac/changeset/40979

This will go into ICU 61, to be released in March.

Hmm.... applying the upstream patch and running the test case attached to clusterfuzzer report now leads to a Null-deference issue. The caller (sqlite) may need to null-check?  Will take a look. 

Even without applying the upstream patch, the test case resulted in the same 'null deference'.  

#0  0x0000000000000000 in ?? ()
#1  0x000000000041efd9 in mallocWithAlarm (n=664, pp=0x7fffffffb728)
    at ../../third_party/sqlite/amalgamation/sqlite3.c:25363
#2  0x00000000003e2ab2 in sqlite3Malloc (n=664)
    at ../../third_party/sqlite/amalgamation/sqlite3.c:25412
#3  0x00000000003ed90c in sqlite3MallocZero (n=664)
    at ../../third_party/sqlite/amalgamation/sqlite3.c:25617
#4  0x0000000000418636 in openDatabase (zFilename=0x20a0ce "fuzz.db", 
    ppDb=0x7fffffffb8c8, flags=134, zVfs=0x0)
    at ../../third_party/sqlite/amalgamation/sqlite3.c:146403
#5  0x0000000000351e18 in LLVMFuzzerTestOneInput (
    data=0x70b0000000b0 "2018-04-11 17:14:10 URL:https://clusterfuzz.com/v2/testcase-detail/download-testcase?id=4660727213457408 [61404] -> \"testcase-4660727213457408-lite3_ossfuzz_fuzzer\" [1]\n", size=<optimized out>) at ../../third_party/sqlite/fuzz/ossfuzz.c:133

-----------

So, I'll go ahead with cherry-picking. 

Moreover, mysteriously, the minimized test case downloaded today seems to be different from the one I downloaded before (I don't have the old one, but I made an ICU test program using that file:

http://bugs.icu-project.org/trac/attachment/ticket/13547/13547.cpp  . And, the string in that file does not seem to match

https://clusterfuzz.com/download?testcase_id=4660727213457408 .

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/deps/icu.git/+/aff99f5c22aded55ee29753ce049e61570294967

commit aff99f5c22aded55ee29753ce049e61570294967
Author: Jungshik Shin <jshin@chromium.org>
Date: Thu Apr 12 20:51:41 2018

Cherry pick 3 patches from the upstream

* Fix the undefined behavior in decimal number parsing

      http://bugs.icu-project.org/trac/changeset/40950

* Fix the handling of non-BMP characters in CJK breakiterator

      http://www.icu-project.org/trac/changeset/40949

* Limit the recursion depth of UnicodeSet pattern

      http://bugs.icu-project.org/trac/changeset/40979

TBR=inferno@chromium.org
Bug:  chromium:799850 ,  chromium:796807 ,  chromium:796752 
Test: See the bugs.
Change-Id: I1a8909371b601f36faca911039b10d36c7a92c85
Reviewed-on: https://chromium-review.googlesource.com/1009001
Reviewed-by: Jungshik Shin <jshin@chromium.org>

[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/README.chromium
[add] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/patches/cjkdict_nonbmp.patch
[add] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/patches/number_ub.patch
[add] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/patches/uset_depth.patch
[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/source/common/dictbe.cpp
[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/source/common/unicode/uniset.h
[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/source/common/uniset_closure.cpp
[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/source/common/uniset_props.cpp
[modify] https://crrev.com/aff99f5c22aded55ee29753ce049e61570294967/source/i18n/decNumber.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bcb59cd6dd0e451d00d47b3d4a42a146dd307add

commit bcb59cd6dd0e451d00d47b3d4a42a146dd307add
Author: Jungshik Shin <jshin@chromium.org>
Date: Fri Apr 13 00:33:00 2018

Roll ICU to aff99f5

There are two changes:

 https://chromium.googlesource.com/chromium/deps/icu.git/+log/d888fd2..aff99f5

$ git log d888fd2..aff99f5 --date=short --no-merges --format='%ad %ae %s'
  2018-04-11 jshin@chromium.org Cherry pick 3 patches from the upstream
  2018-04-10 jshin@chromium.org Update IANA tzdb to 2018d and apply a fix
                                for long word selection

TBR=mark@chromium.org,inferno@chromium.org

Bug:  chromium:799850 ,  chromium:796807 ,  chromium:796752 
Bug: chromium:829144, chromium:473288
Test: See the two ICU cls above.
Change-Id: I0adf27e01c0349bd00d4916567bdc0bc70483439
Reviewed-on: https://chromium-review.googlesource.com/1011238
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550435}
[modify] https://crrev.com/bcb59cd6dd0e451d00d47b3d4a42a146dd307add/DEPS

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bcb59cd6dd0e451d00d47b3d4a42a146dd307add

commit bcb59cd6dd0e451d00d47b3d4a42a146dd307add
Author: Jungshik Shin <jshin@chromium.org>
Date: Fri Apr 13 00:33:00 2018

Roll ICU to aff99f5

There are two changes:

 https://chromium.googlesource.com/chromium/deps/icu.git/+log/d888fd2..aff99f5

$ git log d888fd2..aff99f5 --date=short --no-merges --format='%ad %ae %s'
  2018-04-11 jshin@chromium.org Cherry pick 3 patches from the upstream
  2018-04-10 jshin@chromium.org Update IANA tzdb to 2018d and apply a fix
                                for long word selection

TBR=mark@chromium.org,inferno@chromium.org

Bug:  chromium:799850 ,  chromium:796807 ,  chromium:796752 
Bug: chromium:829144, chromium:473288
Test: See the two ICU cls above.
Change-Id: I0adf27e01c0349bd00d4916567bdc0bc70483439
Reviewed-on: https://chromium-review.googlesource.com/1011238
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550435}
[modify] https://crrev.com/bcb59cd6dd0e451d00d47b3d4a42a146dd307add/DEPS

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chrome/tools/buildspec/+/82e8c77b1e704e509f1a8aefa4f5e3380943405d

commit 82e8c77b1e704e509f1a8aefa4f5e3380943405d
Author: Jungshik Shin <jungshik@google.com>
Date: Wed Apr 25 16:57:19 2018