
Issue 817730 link

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Bus in blink::CopyPixels

Project Member Reported by ClusterFuzz, Mar 1 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5229653732884480

Fuzzer: noel-image-surku
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bus
Crash Address: 0x7fe650c02000
Crash State:
  blink::CopyPixels
  blink::ImageFrameGenerator::DecodeAndScale
  blink::DecodingImageGenerator::GetPixels
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=523878:523922

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5229653732884480

Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Comment 1 by ClusterFuzz (Project Member), Mar 1 2018

Components: Blink>Paint
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 2 by ClusterFuzz (Project Member), Mar 1 2018

Cc: zakerinasab@chromium.org vmp...@chromium.org junov@chromium.org
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

Add ImageData constructor from StaticBitmapImage by zakerinasab@chromium.org - https://chromium.googlesource.com/chromium/src/+/2c863229da24ed1cb180759c9342e7a5125fd6f5

Re-enable overlays for 2d canvas by junov@chromium.org - https://chromium.googlesource.com/chromium/src/+/ec6125cd13b1850ece40029cff8c4504db7f7c43

oop: Use TransferCache for PaintTypeface serialization and transport. by vmpstr@chromium.org - https://chromium.googlesource.com/chromium/src/+/7273cfe05dcb33f6abb7626457b5b6d36cbea31c

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Looking at my CL, it only introduces a new API and does not change any call site (the call sites were updated in a follow-up CL). So I don't think this can be the source of the failure. Also, I don't get a crash on ToT with content_shell. Nothing appears in the browser window, and this is the output in the shell:

[254761:254761:0301/102907.123705:ERROR:sandbox_linux.cc(379)] InitializeSandbox() called with multiple threads in process gpu-process.
[254739:254739:0301/102907.368165:ERROR:gpu_process_transport_factory.cc(1007)] Lost UI shared context.
tcmalloc: large alloc 2096832512 bytes == 0x23a28edd7000 @  0x7fef100faa0d 0x7fef1004971e 0x7fef0f711385 0x7fef0f9eb10c 0x7fef0f971e37 0x7fef0f9713b9 0x7fef0ae9af1e 0x7fef0ae9930e 0x7fef0ae9f554 0x7fef0aea0613 0x7fef0aea09ae 0x7fef0aea0dd3 0x7fef0aea1431 0x7fef0aea019f 0x7fef0ae98360 0x7fef0adfaa7b 0x7fef0adf9cb9 0x7fef0adf9748 0x7fef0add2652 0x7fef0891acb3 0x7fef0891aaf5 0x7fef0fe56f2a 0x7fef0fe51d08 0x7fef0fe52731 0x7fef0fe52a33 0x7fef0fdf69b6 0x7fef0892079e 0x7fef089276a7 0x7fef08924d64 0x7fef08924cdd 0x7fef08906cb3
[254739:254746:0301/102909.534464:WARNING:discardable_shared_memory_manager.cc(436)] Some MojoDiscardableSharedMemoryManagerImpls are still alive. They will be leaked.

I thought I fixed all these cases, so it wouldn't surprise me if it does not repro. ClusterFuzz seems to be fuzzing M-65, which doesn't have all the fixes.
Owner: schenney@chromium.org
Status: Assigned (was: Untriaged)
Cc: -junov@chromium.org