Issue 811137 link

Issue metadata

Status: WontFix
Owner:
Last visit > 30 days ago
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Null-dereference READ in blink::Canvas2DLayerBridge::Hibernate

Project Member Reported by ClusterFuzz, Feb 11 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5794180190961664

Fuzzer: inferno_canvas_wrecker
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::Canvas2DLayerBridge::Hibernate
  base::internal::Invoker<base::internal::BindState<void
  blink::scheduler::WebSchedulerImpl::RunIdleTask
  
Sanitizer: memory (MSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5794180190961664

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.
 
Cc: brajkumar@chromium.org
Components: Internals>GPU>Canvas2D
Labels: M-66 Test-Predator-Wrong CF-NeedsTriage
Unable to find actual suspect through code search and also observing no CL under regression range, hence adding appropriate label and leaving it as untriaged for further updates.

Note: The above issue is filed by clusterfuzz and observing no reproducible steps, please feel free to mark it as wontfix if this is not a valid issue.

Thanks!

Comment 2 by piman@chromium.org, Feb 12 2018

Owner: junov@chromium.org
Status: Assigned (was: Untriaged)

Comment 3 by junov@chromium.org, Feb 21 2018

Components: -Internals>GPU>Canvas2D Blink>Canvas

Comment 4 by junov@chromium.org, Feb 21 2018

Components: Internals>Skia
Owner: bsalomon@chromium.org
I was able to reproduce a crash with this test case, but I was not able to reproduce the same stack trace locally. Running on a build with DCHECKs enabled shows some interesting bugs in Skia. There is a problem with GrAAConvexPathRenderer choking on NaNs.

There is also a different bug when running Chrome with --disable-gpu: there is an unhandled overflow in SkIRect::height() that causes a checked size_t to int conversion to fail at SkMaskBlurFilter.cpp:308.
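Added example, not Skia's or Chromium's code and not part of this bug report: a toy rect with the same four int32 edges as SkIRect, showing how fBottom - fTop overflows for an extreme rect, how the wrapped height turns into an oversized size_t buffer size, and how a checked height and a checked size_t to int conversion reject it instead of crashing. ToyIRect, checkedHeight, checkedSizeToInt and the constructed sample rects are assumptions; the actual check at SkMaskBlurFilter.cpp:308 is not reproduced here.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <limits>
#include <optional>

// Toy stand-in for Skia's SkIRect (assumption: same int32_t edge layout;
// this is not Skia's struct).
struct ToyIRect {
    int32_t fLeft, fTop, fRight, fBottom;
};

// True height computed in 64 bits, so the arithmetic is always defined.
int64_t wideHeight(const ToyIRect& r) {
    return int64_t(r.fBottom) - int64_t(r.fTop);
}

// What a naive int32 `fBottom - fTop` ends up holding for an oversized rect:
// the 64-bit result truncated to 32 bits (the in-int32 subtraction itself
// would be signed overflow, i.e. undefined behaviour, so we do not do it).
int32_t truncatedHeight(const ToyIRect& r) {
    return static_cast<int32_t>(wideHeight(r));
}

// Checked height: nullopt when the true height does not fit in int32_t.
std::optional<int32_t> checkedHeight(const ToyIRect& r) {
    int64_t h = wideHeight(r);
    if (h < 0 || h > std::numeric_limits<int32_t>::max()) return std::nullopt;
    return static_cast<int32_t>(h);
}

// Checked size_t -> int conversion, the kind of guard the report says
// fired (assumption about its shape, not Skia's exact code).
std::optional<int> checkedSizeToInt(size_t n) {
    if (n > static_cast<size_t>(std::numeric_limits<int>::max())) return std::nullopt;
    return static_cast<int>(n);
}

// How the wrapped height propagates downstream if used as a buffer size:
// size_t(-1) is SIZE_MAX, so the byte count becomes enormous.
size_t naiveMaskBytes(const ToyIRect& r) {
    int32_t w = r.fRight - r.fLeft;   // width stays small for both sample rects
    int32_t h = truncatedHeight(r);
    return size_t(w) * size_t(h);
}

// Fully checked variant: refuses rather than producing a bogus size.
std::optional<size_t> checkedMaskBytes(const ToyIRect& r) {
    auto h = checkedHeight(r);
    int64_t w = int64_t(r.fRight) - int64_t(r.fLeft);
    if (!h || w < 0 || w > std::numeric_limits<int32_t>::max()) return std::nullopt;
    return size_t(w) * size_t(*h);    // both factors < 2^31, product fits size_t
}

int main() {
    // Constructed sample rects (assumption): one ordinary, one spanning the
    // whole int32 range vertically.
    const ToyIRect ok{0, 0, 100, 50};
    const ToyIRect huge{0, std::numeric_limits<int32_t>::min(), 1,
                        std::numeric_limits<int32_t>::max()};

    std::cout << "ok   height=" << checkedHeight(ok).value()
              << " bytes=" << naiveMaskBytes(ok) << "\n";
    std::cout << "huge true height=" << wideHeight(huge)
              << " truncated=" << truncatedHeight(huge)
              << " naive bytes=" << naiveMaskBytes(huge)
              << " checked height fits=" << checkedHeight(huge).has_value()
              << " size_t->int ok=" << checkedSizeToInt(naiveMaskBytes(huge)).has_value()
              << "\n";
    return 0;
}
```

The point of the checked versions is that the failure surfaces as a rejected operation at the rect arithmetic, where it is cheap to handle, rather than as a CHECK failure (or worse, an undersized allocation) several layers later in the mask blur code.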
Comment 5 by ClusterFuzz (Project Member), May 31 2018

Status: WontFix (was: Assigned)
ClusterFuzz testcase 5794180190961664 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.