CHECK failure: size > 0U in aligned_memory.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6292326021070848

Fuzzer: libFuzzer_paint_op_buffer_eq_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  size > 0U in aligned_memory.cc
  base::AlignedAlloc
  paint_op_buffer_eq_fuzzer.cc

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=529162:529166

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6292326021070848

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Jun 21 2018
Automatically adding ccs based on OWNERS file / target commit history. If this is incorrect, please add ClusterFuzz-Wrong label.
Jun 21 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/2a9bfe4538e4b99f6adbf5b22ff65c15da6399ce (Add custom data op in paint op buffer). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jun 27 2018
Jun 27 2018
This bug is happening because there are 48 bytes that we try to deserialize an invalid path effect from. However, because of some logic in SkReadBuffer, this returns a valid object, which takes 76 bytes to reserialize. The test is unhappy because it doesn't expect anything to take more bytes to reserialize than it needed originally to deserialize from.
Jun 28 2018
The following revision refers to this bug: https://skia.googlesource.com/skia/+/27300f0d1ae3e237825615a31edbd0c56667f583

commit 27300f0d1ae3e237825615a31edbd0c56667f583
Author: Adrienne Walker <enne@chromium.org>
Date: Thu Jun 28 16:10:57 2018

Return nullptr from readFlattenable when invalid

Currently, in SkReadBuffer::readFlattenable, if reading the sizeRecorded fails (or any previous read), then the read buffer is invalid and the size returns zero. In this bug, it calls SkLine2DPathEffect::CreateProc which never checks the validity of the readBuffer and returns a valid object. Because the read size also is zero, the unset but seemingly valid object gets returned to the caller.

Other failure cases return nullptr when the readBuffer is invalid, so instead of making all procs handle this, just handle this at the end of readFlattenable.

It'd be ideal if SkFlattenable::Deserialize could forward this error back to the caller, but this seems like a smaller fix.

Bug: chromium: 854947
Change-Id: I26e4e90320c0d2c4efa191d301aa4ac7783eb476
Reviewed-on: https://skia-review.googlesource.com/138000
Commit-Queue: Mike Klein <mtklein@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>

[modify] https://crrev.com/27300f0d1ae3e237825615a31edbd0c56667f583/src/core/SkReadBuffer.cpp
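An added example, not code from Skia or from this bug's fix, modelling the failure the two comments above describe: a factory proc that never consults buffer validity builds an object from the zeros that failed reads return, the recorded-size check still passes because nothing was consumed, and a single validity check at the end of readFlattenable rejects it. ReadBuffer, Flattenable and createProc are simplified stand-ins, not Skia's API.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>

struct Flattenable { uint32_t value = 0; };   // stand-in for a path effect

// Simplified stand-in for SkReadBuffer: once a read fails, the buffer is marked
// invalid and every later read returns 0 without advancing the position.
class ReadBuffer {
public:
    ReadBuffer(const uint8_t* data, size_t len) : data_(data), len_(len) {}
    uint32_t readU32() {
        uint32_t v = 0;
        if (!valid_ || len_ - pos_ < sizeof(v)) { valid_ = false; return 0; }
        std::memcpy(&v, data_ + pos_, sizeof(v));
        pos_ += sizeof(v);
        return v;
    }
    bool isValid() const { return valid_; }
    size_t pos() const { return pos_; }
private:
    const uint8_t* data_; size_t len_; size_t pos_ = 0; bool valid_ = true;
};

// A CreateProc in the style the bug describes: it never consults isValid(), so on
// an invalid buffer it builds an object out of the zeros the failed reads return.
std::unique_ptr<Flattenable> createProc(ReadBuffer& buf) {
    auto f = std::make_unique<Flattenable>();
    f->value = buf.readU32();
    return f;
}

// Before the fix: the recorded-size check passes (0 recorded, 0 consumed) and the
// "seemingly valid" object escapes to the caller.
std::unique_ptr<Flattenable> readFlattenableBefore(ReadBuffer& buf) {
    uint32_t sizeRecorded = buf.readU32();   // 0 if this read fails
    size_t start = buf.pos();
    auto f = createProc(buf);
    if (buf.pos() - start != sizeRecorded) return nullptr;
    return f;
}

// After the fix: one validity check at the end of readFlattenable covers every
// proc, instead of teaching each proc to check the buffer itself.
std::unique_ptr<Flattenable> readFlattenableAfter(ReadBuffer& buf) {
    auto f = readFlattenableBefore(buf);
    if (!buf.isValid()) return nullptr;
    return f;
}
```

The inputs below are constructed: an empty buffer reproduces the "valid object from an invalid buffer" path, and an 8-byte buffer (size 4, value 7) is a well-formed record.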
Jun 28 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/301be18e5f07a6ea6669612444a8269d37e5a447

commit 301be18e5f07a6ea6669612444a8269d37e5a447
Author: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Thu Jun 28 19:52:19 2018

Roll src/third_party/skia fcb04d853ec4..8849c9571022 (7 commits)

https://skia.googlesource.com/skia.git/+log/fcb04d853ec4..8849c9571022

git log fcb04d853ec4..8849c9571022 --date=short --no-merges --format='%ad %ae %s'
2018-06-28 swiftshader-skia-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com Roll third_party/externals/swiftshader b41a9d6f0bbc..539468cef869 (1 commits)
2018-06-28 enne@chromium.org Return nullptr from readFlattenable when invalid
2018-06-28 mtklein@chromium.org add --sync to adb push in bin/droid
2018-06-28 mtklein@google.com unify term/crash handlers, include SIGINT
2018-06-28 timliang@google.com added TextureRenderTarget to Metal gpu backend
2018-06-28 jvanverth@google.com Reland "Improve precision and speed of oval rendering."
2018-06-28 mtklein@chromium.org cut SkMaskBlurFilter code size by about half

Created with:
  gclient setdep -r src/third_party/skia@8849c9571022

The AutoRoll server is located here: https://autoroll.skia.org
Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should be CC'd on the roll, and stop the roller if necessary.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel
BUG=chromium: 854947
TBR=jcgregorio@chromium.org
Change-Id: I0a49c9a63772d399280b1766fea5045ebba98d31
Reviewed-on: https://chromium-review.googlesource.com/1118805
Reviewed-by: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: skia-chromium-autoroll <skia-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#571233}

[modify] https://crrev.com/301be18e5f07a6ea6669612444a8269d37e5a447/DEPS
Jun 29 2018
ClusterFuzz has detected this issue as fixed in range 571232:571233.

Detailed report: https://clusterfuzz.com/testcase?key=6292326021070848

Fuzzer: libFuzzer_paint_op_buffer_eq_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  size > 0U in aligned_memory.cc
  base::AlignedAlloc
  paint_op_buffer_eq_fuzzer.cc

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=529162:529166
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=571232:571233

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6292326021070848

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 29 2018
ClusterFuzz testcase 6292326021070848 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jun 21 2018. Labels: Test-Predator-Auto-Components