Out-of-memory in paint_op_buffer_fuzzer |
||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5530164247920640 Fuzzer: libFuzzer_paint_op_buffer_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Out-of-memory (exceeds 2048 MB) Crash Address: Crash State: paint_op_buffer_fuzzer Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=555636:555647 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5530164247920640 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
,
May 7 2018
Predator could not provide any possible suspects. From the above CL observing some changes related to 'paint_op_buffer_fuzzer' , hence suspecting the same Suspect CL: https://chromium.googlesource.com/chromium/src/+/a8d50641199fe8b3045a4615d877d7c341bf7724 khushalsagar@ -- Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner. Thanks!
,
May 7 2018
Its OOM-ing because of arbitrary allocation during text blob deserialization. And that's coming from using whatever glyphCount is in the buffer to allocate the buffer run.
,
May 7 2018
I've worked around these in the past by making sure that glyphCount * sizeof(whatever glyph is) is at least going to fit in whatever memory is left. That limited allocations to at least the size of the input buffer.
,
May 7 2018
I was putting a blanket cap on the number of total glyphs (https://skia-review.googlesource.com/c/skia/+/126603), but #4 is a better idea.
,
May 7 2018
The following revision refers to this bug: https://skia.googlesource.com/skia/+/cea8e3d1326df16f1eeb41233703bf469016025c commit cea8e3d1326df16f1eeb41233703bf469016025c Author: Khushal <khushalsagar@chromium.org> Date: Mon May 07 21:31:30 2018 text-blob: Fix OOM issues during blob deserialization. Limit the number of glyphs allowed during blob deserialization. Allocating for an arbitrary number can lead to OOM issues. Bug: 840096 Change-Id: I1673fd312438b99ff76dadcfdc9f9427acdca13b R=bsalomon@chromium.org Reviewed-on: https://skia-review.googlesource.com/126603 Commit-Queue: Khusal Sagar <khushalsagar@chromium.org> Reviewed-by: Florin Malita <fmalita@chromium.org> [modify] https://crrev.com/cea8e3d1326df16f1eeb41233703bf469016025c/src/core/SkReadBuffer.h [modify] https://crrev.com/cea8e3d1326df16f1eeb41233703bf469016025c/src/core/SkTextBlob.cpp
,
May 8 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/349cab9c516366b18d562d1b0dc73606f6dd4133 commit 349cab9c516366b18d562d1b0dc73606f6dd4133 Author: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Date: Tue May 08 06:05:47 2018 Roll src/third_party/skia/ 9a9c25b36..6198f39ad (5 commits) https://skia.googlesource.com/skia.git/+log/9a9c25b36ce5..6198f39adc5c $ git log 9a9c25b36..6198f39ad --date=short --no-merges --format='%ad %ae %s' 2018-05-08 angle-skia-autoroll Roll third_party/externals/angle2/ 9f394f8cd..3b9b027c5 (1 commit) 2018-05-07 khushalsagar text-blob: Fix OOM issues during blob deserialization. 2018-05-07 fmalita [viewer] Avoid per-frame json UI updates 2018-05-07 bsalomon Visit the image proxy in GrLatticeOp 2018-05-07 bsalomon Add null proxy test to SkGpuDevice::drawProducerLattice Created with: roll-dep src/third_party/skia BUG= chromium:840096 ,chromium:b/77917978,chromium:b/77917978 The AutoRoll server is located here: https://autoroll.skia.org Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary. CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel TBR=egdaniel@chromium.org Change-Id: I73084b62ba69340f17f0f9e7d801e2558c198599 Reviewed-on: https://chromium-review.googlesource.com/1049116 Reviewed-by: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Commit-Queue: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#556707} [modify] https://crrev.com/349cab9c516366b18d562d1b0dc73606f6dd4133/DEPS
,
May 8 2018
,
May 9 2018
ClusterFuzz has detected this issue as fixed in range 556697:556708. Detailed report: https://clusterfuzz.com/testcase?key=5530164247920640 Fuzzer: libFuzzer_paint_op_buffer_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: Out-of-memory (exceeds 2048 MB) Crash Address: Crash State: paint_op_buffer_fuzzer Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=555636:555647 Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=556697:556708 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5530164247920640 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
May 9 2018
ClusterFuzz testcase 5530164247920640 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
||||
►
Sign in to add a comment |
||||
Comment 1 by ClusterFuzz
, May 5 2018Labels: ClusterFuzz-Auto-CC