Issue 854947


Issue metadata

Status: Verified
Closed: Jun 2018
OS: Linux
Pri: 1
Type: Bug




CHECK failure: size > 0U in aligned_memory.cc

Reported by ClusterFuzz (Project Member), Jun 21 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6292326021070848

Fuzzer: libFuzzer_paint_op_buffer_eq_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size > 0U in aligned_memory.cc
  base::AlignedAlloc
  paint_op_buffer_eq_fuzzer.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=529162:529166

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6292326021070848

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 

Comment 1 by ClusterFuzz (Project Member), Jun 21 2018

Components: Internals>Compositing Internals>Core
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz (Project Member), Jun 21 2018

Cc: enne@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Comment 3 by ClusterFuzz (Project Member), Jun 21 2018

Labels: Test-Predator-Auto-Owner
Owner: weili@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/2a9bfe4538e4b99f6adbf5b22ff65c15da6399ce (Add custom data op in paint op buffer).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 4 by enne@chromium.org, Jun 27 2018

Cc: -enne@chromium.org
Owner: enne@chromium.org

Comment 5 by enne@chromium.org, Jun 27 2018

This bug is happening because there are 48 bytes that we try to deserialize an invalid path effect from.  However, because of some logic in SkReadBuffer, this returns a valid object, which takes 76 bytes to reserialize.  The test is unhappy because it doesn't expect anything to take more bytes to reserialize than it needed originally to deserialize from.

Comment 6 by bugdroid1@chromium.org (Project Member), Jun 28 2018

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/27300f0d1ae3e237825615a31edbd0c56667f583

commit 27300f0d1ae3e237825615a31edbd0c56667f583
Author: Adrienne Walker <enne@chromium.org>
Date: Thu Jun 28 16:10:57 2018

Return nullptr from readFlattenable when invalid

Currently, in SkReadBuffer::readFlattenable, if reading the sizeRecorded
fails (or any previous read), then the read buffer is invalid and the
size returns zero.  In this bug, it calls SkLine2DPathEffect::CreateProc
which never checks the validity of the readBuffer and returns a
valid object.  Because the read size also is zero, an unset
but seemingly valid object gets returned to the caller.

Other failure cases return nullptr when the readBuffer is invalid, so
instead of making all procs handle this, just handle this at the end
of readFlattenable.

It'd be ideal if SkFlattenable::Deserialize could forward this error
back to the caller, but this seems like a smaller fix.

Bug: chromium: 854947
Change-Id: I26e4e90320c0d2c4efa191d301aa4ac7783eb476
Reviewed-on: https://skia-review.googlesource.com/138000
Commit-Queue: Mike Klein <mtklein@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>

[modify] https://crrev.com/27300f0d1ae3e237825615a31edbd0c56667f583/src/core/SkReadBuffer.cpp
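The failure mode described in comment 5 and in the commit message above, reduced to a stand-alone C++ model. This is an added example, not Skia's code: ReadBuffer, PathEffect, CreateProc and the before/after readFlattenable are hypothetical stand-ins for SkReadBuffer, the path effect and SkLine2DPathEffect::CreateProc, and the input bytes are constructed; a little-endian host is assumed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>
#include <vector>

// Hypothetical length-prefixed reader modelled on the behaviour the commit
// message describes; it is not Skia's SkReadBuffer. A short read marks the
// buffer invalid and every later read returns 0 without advancing.
class ReadBuffer {
 public:
  explicit ReadBuffer(const std::vector<uint8_t>& d) : data_(d) {}
  bool isValid() const { return valid_; }
  size_t pos() const { return pos_; }
  uint32_t read32() {  // little-endian host assumed for the memcpy
    if (!valid_ || data_.size() - pos_ < 4) { valid_ = false; return 0; }
    uint32_t v; std::memcpy(&v, data_.data() + pos_, 4); pos_ += 4; return v;
  }
 private:
  const std::vector<uint8_t>& data_; size_t pos_ = 0; bool valid_ = true;
};

struct PathEffect { uint32_t a = 0, b = 0, c = 0; };

// Factory in the style of the CreateProc named in the commit: it reads its
// fields and never consults buf.isValid(), so it always hands back an object.
std::unique_ptr<PathEffect> CreateProc(ReadBuffer& buf) {
  auto e = std::make_unique<PathEffect>();
  e->a = buf.read32(); e->b = buf.read32(); e->c = buf.read32();
  return e;
}

// readFlattenable before (fixed=false) and after (fixed=true) the fix.
std::unique_ptr<PathEffect> readFlattenable(ReadBuffer& buf, bool fixed) {
  uint32_t sizeRecorded = buf.read32();         // 0 when the buffer is invalid
  size_t start = buf.pos();
  auto obj = CreateProc(buf);
  size_t sizeRead = buf.pos() - start;          // also 0: no read advanced
  if (sizeRead != sizeRecorded) return nullptr; // 0 == 0, so this never fires
  if (fixed && !buf.isValid()) return nullptr;  // the fix: fail closed here
  return obj;
}

// Constructed inputs: a truncated 2-byte record and a well-formed 16-byte one.
const std::vector<uint8_t> kTruncated = {0x01, 0x02};
const std::vector<uint8_t> kGood = {12,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0};
bool BuggyAcceptsTruncated() { ReadBuffer b(kTruncated); return readFlattenable(b, false) != nullptr; }
bool FixedRejectsTruncated() { ReadBuffer b(kTruncated); return readFlattenable(b, true) == nullptr; }
bool FixedAcceptsGood() { ReadBuffer b(kGood); auto o = readFlattenable(b, true); return o && o->c == 3; }
```

The size check alone passes on the truncated input because both the recorded and the consumed size collapse to zero, which is why the commit adds the validity check at the end of readFlattenable rather than in each CreateProc.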


Comment 7 by bugdroid1@chromium.org (Project Member), Jun 28 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/301be18e5f07a6ea6669612444a8269d37e5a447

commit 301be18e5f07a6ea6669612444a8269d37e5a447
Author: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Thu Jun 28 19:52:19 2018

Roll src/third_party/skia fcb04d853ec4..8849c9571022 (7 commits)

https://skia.googlesource.com/skia.git/+log/fcb04d853ec4..8849c9571022


git log fcb04d853ec4..8849c9571022 --date=short --no-merges --format='%ad %ae %s'
2018-06-28 swiftshader-skia-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com Roll third_party/externals/swiftshader b41a9d6f0bbc..539468cef869 (1 commits)
2018-06-28 enne@chromium.org Return nullptr from readFlattenable when invalid
2018-06-28 mtklein@chromium.org add --sync to adb push in bin/droid
2018-06-28 mtklein@google.com unify term/crash handlers, include SIGINT
2018-06-28 timliang@google.com added TextureRenderTarget to Metal gpu backend
2018-06-28 jvanverth@google.com Reland "Improve precision and speed of oval rendering."
2018-06-28 mtklein@chromium.org cut SkMaskBlurFilter code size by about half


Created with:
  gclient setdep -r src/third_party/skia@8849c9571022

The AutoRoll server is located here: https://autoroll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel

BUG=chromium: 854947
TBR=jcgregorio@chromium.org

Change-Id: I0a49c9a63772d399280b1766fea5045ebba98d31
Reviewed-on: https://chromium-review.googlesource.com/1118805
Reviewed-by: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#571233}
[modify] https://crrev.com/301be18e5f07a6ea6669612444a8269d37e5a447/DEPS


Comment 8 by ClusterFuzz (Project Member), Jun 29 2018

ClusterFuzz has detected this issue as fixed in range 571232:571233.

Detailed report: https://clusterfuzz.com/testcase?key=6292326021070848

Fuzzer: libFuzzer_paint_op_buffer_eq_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size > 0U in aligned_memory.cc
  base::AlignedAlloc
  paint_op_buffer_eq_fuzzer.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=529162:529166
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=571232:571233

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6292326021070848

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by ClusterFuzz (Project Member), Jun 29 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6292326021070848 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
