Issue 852303
Issue metadata

Status: Fixed
Owner:
Closed: Aug 25
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug


Null-dereference READ in SkImage::peekPixels

Project Member Reported by ClusterFuzz, Jun 13 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5748791416979456

Fuzzer: inferno_twister_c
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  SkImage::peekPixels
  blink::WebGLRenderingContextBase::TexImageHelperImageBitmap
  blink::WebGL2RenderingContextBase::texImage2D
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=495528:495531

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5748791416979456

Additional requirements: Requires HTTP

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Comment 1 by ClusterFuzz (Project Member), Jun 13 2018

Components: Blink>WebGL Internals>Skia
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 2 by ClusterFuzz (Project Member), Jun 17 2018

Labels: -Reproducible Unreproducible
ClusterFuzz testcase 5748791416979456 appears to be flaky, updating reproducibility label.
Comment 3 by ClusterFuzz (Project Member), Jun 19 2018

Labels: OS-Windows
Comment 4 by ClusterFuzz (Project Member), Jul 13

Labels: OS-Mac
Owner: kbr@chromium.org
Status: Assigned (was: Untriaged)
kbr: can you triage/investigate this?

Owner: kainino@chromium.org
Kai: could you please help triage this one? I am swamped.

It looks like the sk_image here is null:
https://cs.chromium.org/chromium/src/third_party/blink/renderer/modules/webgl/webgl_rendering_context_base.cc?l=5597&rcl=db291e62aafe5a33279d5877c1c933b15a43b786
I don't see an obvious reason this would happen, but one idea is that it's an OOM condition (explaining the flakiness).

Status: Started (was: Assigned)
Comment 9 by bugdroid1@chromium.org (Project Member), Aug 25

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9d224b2032ec247e4e5e4827e5d3a8bbb16b389c

commit 9d224b2032ec247e4e5e4827e5d3a8bbb16b389c
Author: Kai Ninomiya <kainino@chromium.org>
Date: Sat Aug 25 00:51:03 2018

Null-check ImageBitmap's SkImage in texImage2D

This should guard against a crash.
It's not clear exactly what the cause of this null is, but it's
probably some kind of failure to allocate the SkImage (e.g.
out-of-memory, GPU process loss, or other unpredictable failure case).

Bug: 852303
Change-Id: I10a817f2dccd801f5834be343ad687af09e06721
Reviewed-on: https://chromium-review.googlesource.com/1188515
Reviewed-by: Kenneth Russell <kbr@chromium.org>
Commit-Queue: Kai Ninomiya <kainino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#586085}
[modify] https://crrev.com/9d224b2032ec247e4e5e4827e5d3a8bbb16b389c/third_party/blink/renderer/modules/webgl/webgl_rendering_context_base.cc

Status: Fixed (was: Started)
This is probably fixed but it's hard to know since it can't be reproduced. If clusterfuzz comes back and says it's not, we can look into it further.