This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

	==3460==ERROR: AddressSanitizer: access-violation on unknown address 0xffffffffffffffff (pc 0x7ff863cefa9b bp 0x001ee59f7920 sp 0x001ee59f7780 T0)
==3460==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
 #0 0x7ff863cefa9a in gfx::RenderTextHarfBuzz::DrawVisualText(class gfx::internal::SkiaTextRenderer *) ui/gfx/render_text_harfbuzz.cc:1294:29
 #1 0x7ff86244a73d in gfx::RenderText::Draw(class gfx::Canvas *) ui/gfx/render_text.cc:828:5
 #2 0x7ff8679601cf in views::Textfield::PaintTextAndCursor(class gfx::Canvas *) ui/views/controls/textfield/textfield.cc:2169:16
#3 0x7ff86795fb75 in views::Textfield::OnPaint(class gfx::Canvas *) ui/views/controls/textfield/textfield.cc:1085:3
#4 0x7ff868ae9a3b in OmniboxViewViews::OnPaint(class gfx::Canvas *) chrome/browser/ui/views/omnibox/omnibox_view_views.cc:346:16
#5 0x7ff861f13589 in views::View::Paint(class views::PaintInfo const &) ui/views/view.cc:921:5
#6 0x7ff861f1aa86 in views::View::RecursivePaintHelper(void ( views::View::*)(class views::PaintInfo const &),class views::PaintInfo const &) ui/views/view.cc:1929:7
#7 0x7ff861f1a523 in views::View::PaintChildren(class views::PaintInfo const &) ui/views/view.cc:1559:3
#8 0x7ff861f13618 in views::View::Paint(class views::PaintInfo const &) ui/views/view.cc:925:3
#9 0x7ff861f1d6bd in views::View::PaintFromPaintRoot(class ui::PaintContext const &) ui/views/view.cc:1936:3

Which is:
        renderer->SetTypeface(run.skia_face);

So skia_face is not being initialized?

Anyway, I don't work on graphics stuff anymore, so cc'ing others who've touched the file recently. Over to msw@.

I haven't been working in this code for a long time either.
Rachel, please help find a good owner, thanks.

asvitkine and you were the only OWNERs here. 

So, next up, most CLs in the past few months - tapted?

Also, +tommycli, because Omnibox is in the callstack, and we only recently added placeholder text support.

If it helps, here is where we install the placeholder text:
https://cs.chromium.org/chromium/src/chrome/browser/ui/views/omnibox/omnibox_view_views.cc?q=OmniboxViewViews&sq=package:chromium&g=0&l=165

I'm not sure this is actionable. There's no regression range - "Low confidence in regression range. Test case crashes in revision r561819 but not later revision r561823." The crashing stack is r566739

I pressed some buttons in clusterfuzz.


run.skia_face is an sk_sp, which has a default constructor - 

template <typename T> class sk_sp {
public:
    using element_type = T;
    constexpr sk_sp() : fPtr(nullptr) {}

SkTypeface, however, doesn't initialise all its members

SkTypeface::SkTypeface(const SkFontStyle& style, bool isFixedPitch)
    : fUniqueID(SkTypefaceCache::NewFontID()), fStyle(style), fIsFixedPitch(isFixedPitch) { }

    SkFontID            fUniqueID;
    SkFontStyle         fStyle;
    mutable SkRect      fBounds;
    mutable SkOnce      fBoundsOnce;
    bool                fIsFixedPitch;


fBoundsOnce has a default initialiser (std::atomic<uint8_t> fState{NotStarted};)

SkRect does not. I doubt this is it though.



Maybe there's a range error on the line above

 const internal::TextRunHarfBuzz& run = *run_list->runs()[segment.run];


(e.g. runs().empty() or segment.run >= size()). Nothing stands out though.

Isn't it possible to use the clusterfuzz test case and repro locally with it?

The test case is "["key,^=^={(}{TAB}{TAB}","key,^={RIGHT}{F3}{TAB}{u}^=","key,{TAB}^-A{ESC}","key,{+}^-^=^=^-{TAB}{TAB}{END}"]"

I dunno how to interpret that. (Anyone?)

I tried downloading the build and running it, and mashing keys in various ways that might map to that and was unable to trigger a crash.

The second bisect I triggered is still running 

[2018-06-14 03:06:53 UTC] clusterfuzz-windows-243v: Regression task in-progress: Testing r561878 (current range 561849:561907).
[2018-06-14 03:22:05 UTC] clusterfuzz-windows-243v: Regression task in-progress: Testing r561890 (current range 561878:561907).

I suspect the lower bounds is a flake though - nothing in that range stands out to me

I would assume it should be possible to run that test case through clusterfuzz itself and get it to repro, but maybe ask the clusterfuzz folks?

Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

ClusterFuzz has detected this issue as fixed in range 570224:570233.

Detailed report: https://clusterfuzz.com/testcase?key=5884892723019776

Fuzzer: noel-image-surku
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0xffffffffffffffff
Crash State:
  gfx::RenderTextHarfBuzz::DrawVisualText
  gfx::RenderText::Draw
  views::Textfield::PaintTextAndCursor
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=570224:570233

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5884892723019776

Additional requirements: Requires Gestures

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5884892723019776 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot