AddressSanitizer: attempting free on address which was not malloc()-ed in tt_face_vary_cvt
Reported by cdsrc2...@gmail.com, Jun 30 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Steps to reproduce the problem:
Version 69.0.3477.0 (Developer Build) (64-bit)
1. Get the new version of Chrome:
a) Build the source code; configure the args.gn file as below:
use_sanitizer_coverage = true
is_asan = true
is_debug = false
enable_nacl = false
treat_warnings_as_errors = false
ninja -j16 -C out/chrome_asan chrome
2. python3.5m -m http.server 8605
3. ./chrome http://127.0.0.1:8605/crash.html
What is the expected behavior?
What went wrong?
=================================================================
==1==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x7ffecd8126a0 in thread T0 (chrome)
#0 0x5639c67ddac2 in __interceptor_free _asan_rtl_:3
#1 0x5639c701a389 in tt_face_vary_cvt /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/freetype/src/src/truetype/ttgxvar.c:3382:5
#2 0x5639c701898c in tt_set_mm_blend /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/freetype/src/src/truetype/ttgxvar.c:2601:17
#3 0x5639c701643c in TT_Set_Var_Design /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/freetype/src/src/truetype/ttgxvar.c:2877:13
#4 0x5639c6f2a00c in FT_Set_Var_Design_Coordinates /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/freetype/src/src/base/ftmm.c:224:17
#5 0x5639cec151b3 in ft_face_setup_axes /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/skia/src/ports/SkFontHost_FreeType.cpp:321:9
#6 0x5639cec151b3 in ref_ft_face(SkTypeface const*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/skia/src/ports/SkFontHost_FreeType.cpp:380:0
#7 0x5639cec109c9 in AutoFTAccess::AutoFTAccess(SkTypeface const*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/skia/src/ports/SkFontHost_FreeType.cpp:428:20
#8 0x5639cec1b9bd in SkTypeface_FreeType::onGetTableData(unsigned int, unsigned long, unsigned long, void*) const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/skia/src/ports/SkFontHost_FreeType.cpp:1623:18
#9 0x5639d788ea72 in blink::FontFormatCheck::ProbeVariableFont(sk_sp<SkTypeface>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/fonts/opentype/font_format_check.cc:53:18
#10 0x5639d77f9df9 in blink::FontCustomPlatformData::GetFontPlatformData(float, bool, bool, blink::FontSelectionRequest const&, blink::FontSelectionCapabilities const&, blink::FontOrientation, blink::FontVariationSettings const*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/fonts/font_custom_platform_data.cc:87:7
#11 0x5639d77f59c0 in blink::RemoteFontFaceSource::CreateFontData(blink::FontDescription const&, blink::FontSelectionCapabilities const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/css/remote_font_face_source.cc:224:26
#12 0x5639d77aa500 in blink::CSSFontFaceSource::GetFontData(blink::FontDescription const&, blink::FontSelectionCapabilities const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/css/css_font_face_source.cc:69:19
#13 0x5639d77a6de5 in blink::CSSFontFace::GetFontData(blink::FontDescription const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/css/css_font_face.cc:115:56
#14 0x5639d779b6ea in blink::CSSSegmentedFontFace::GetFontData(blink::FontDescription const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/css/css_segmented_font_face.cc:130:35
#15 0x5639d7e90615 in blink::CSSFontSelector::GetFontData(blink::FontDescription const&, WTF::AtomicString const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/css/css_font_selector.cc:95:18
#16 0x5639d6e12642 in blink::FontFallbackList::GetFontData(blink::FontDescription const&, int&) const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/fonts/font_fallback_list.cc:163:34
#17 0x5639d6e12023 in blink::FontFallbackList::FontDataAt(blink::FontDescription const&, unsigned int) const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/fonts/font_fallback_list.cc:235:36
#18 0x5639d6e116c3 in blink::FontFallbackList::DeterminePrimarySimpleFontData(blink::FontDescription const&) const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/fonts/font_fallback_list.cc:103:33
#19 0x5639da44f849 in PrimarySimpleFontData /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/fonts/font_fallback_list.h:76:11
#20 0x5639da44f849 in PrimaryFont /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/fonts/font.h:231:0
#21 0x5639da44f849 in blink::ComputedStyle::ComputedLineHeight() const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/style/computed_style.cc:1765:0
#22 0x5639d987699e in blink::LayoutBlock::LineHeight(bool, blink::LineDirectionMode, blink::LinePositionMode) const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block.cc:1598:27
#23 0x5639d9877a46 in blink::LayoutBlock::MinLineHeightForReplacedObject(bool, blink::LayoutUnit) const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block.cc:1682:7
#24 0x5639d9c8494e in MinLineHeightForReplacedObject /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/api/line_layout_block_flow.h:98:27
#25 0x5639d9c8494e in blink::LineWidth::UpdateAvailableWidth(blink::LayoutUnit) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/line/line_width.cc:53:0
#26 0x5639d9c5d879 in blink::LineBreaker::NextLineBreak(blink::BidiResolver<blink::InlineIterator, blink::BidiRun, blink::BidiIsolatedRun>&, blink::LineInfo&, blink::LayoutTextInfo&, WTF::Vector<blink::WordMeasurement, 64ul, WTF::PartitionAllocator>&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/line/line_breaker.cc:73:13
#27 0x5639d98e9938 in blink::LayoutBlockFlow::LayoutRunsAndFloatsInRange(blink::LineLayoutState&, blink::BidiResolver<blink::InlineIterator, blink::BidiRun, blink::BidiIsolatedRun>&, blink::InlineIterator const&, blink::BidiStatus const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow_line.cc:1130:22
#28 0x5639d98e6438 in blink::LayoutBlockFlow::LayoutRunsAndFloats(blink::LineLayoutState&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow_line.cc:1009:3
#29 0x5639d98f9240 in blink::LayoutBlockFlow::LayoutInlineChildren(bool, blink::LayoutUnit) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow_line.cc:2001:5
#30 0x5639d988a368 in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:597:5
#31 0x5639d9888ada in blink::LayoutBlockFlow::UpdateBlockLayout(bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:470:5
#32 0x5639d98618c1 in blink::LayoutBlock::UpdateLayout() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block.cc:439:3
#33 0x5639d9893fa1 in blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:790:11
#34 0x5639d9894dcf in blink::LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:853:7
#35 0x5639d9890bee in blink::LayoutBlockFlow::LayoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:1558:5
#36 0x5639d988a358 in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:599:5
#37 0x5639d9888ada in blink::LayoutBlockFlow::UpdateBlockLayout(bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:470:5
#38 0x5639d98618c1 in blink::LayoutBlock::UpdateLayout() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block.cc:439:3
#39 0x5639d9893fa1 in blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:790:11
#40 0x5639d9894dcf in blink::LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:853:7
#41 0x5639d9890bee in blink::LayoutBlockFlow::LayoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:1558:5
#42 0x5639d988a358 in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:599:5
#43 0x5639d9888ada in blink::LayoutBlockFlow::UpdateBlockLayout(bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:470:5
#44 0x5639d9c01b54 in blink::LayoutView::UpdateBlockLayout(bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_view.cc:285:20
#45 0x5639d98618c1 in blink::LayoutBlock::UpdateLayout() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block.cc:439:3
#46 0x5639d9c0295a in blink::LayoutView::UpdateLayout() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_view.cc:328:20
#47 0x5639d8d0cece in blink::LocalFrameView::PerformLayout(bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/frame/local_frame_view.cc:860:24
#48 0x5639d8d08101 in blink::LocalFrameView::UpdateLayout() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/frame/local_frame_view.cc:1022:7
#49 0x5639d8d28963 in blink::LocalFrameView::UpdateStyleAndLayoutIfNeededRecursiveInternal() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/frame/local_frame_view.cc:3089:5
#50 0x5639d8d204b5 in blink::LocalFrameView::UpdateStyleAndLayoutIfNeededRecursive() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/frame/local_frame_view.cc:3052:3
#51 0x5639d8d1d427 in blink::LocalFrameView::UpdateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/frame/local_frame_view.cc:2622:3
#52 0x5639da06b5d6 in blink::PageAnimator::UpdateAllLifecyclePhases(blink::LocalFrame&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/page/page_animator.cc:106:9
#53 0x5639d8ab8abd in blink::WebViewImpl::UpdateLifecycle(blink::WebWidget::LifecycleUpdate) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/exported/web_view_impl.cc:1771:3
#54 0x5639d8ab6a81 in UpdateAllLifecyclePhases /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/public/web/web_widget.h:93:45
#55 0x5639d8ab6a81 in blink::WebViewImpl::ResizeViewWhileAnchored(float, float, bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/exported/web_view_impl.cc:1657:0
#56 0x5639d8ab7358 in blink::WebViewImpl::ResizeWithBrowserControls(blink::WebSize const&, float, float, bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/exported/web_view_impl.cc:1713:5
#57 0x5639dd1bdf76 in content::RenderViewImpl::ResizeWebWidget() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/render_view_impl.cc:1934:14
#58 0x5639dd1e67cf in content::RenderWidget::SynchronizeVisualProperties(content::VisualProperties const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/render_widget.cc:1314:3
#59 0x5639dd1dab7a in content::RenderWidget::OnSynchronizeVisualProperties(content::VisualProperties const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/render_widget.cc:787:3
#60 0x5639dd1beb9e in content::RenderViewImpl::OnSynchronizeVisualProperties(content::VisualProperties const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/render_view_impl.cc:1997:19
#61 0x5639dd1cc554 in DispatchToMethodImpl<content::RenderWidget *, void (content::RenderWidget::*)(const content::VisualProperties &), std::__1::tuple<content::VisualProperties>, 0> /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/tuple.h:52:3
#62 0x5639dd1cc554 in DispatchToMethod<content::RenderWidget *, void (content::RenderWidget::*)(const content::VisualProperties &), std::__1::tuple<content::VisualProperties> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/tuple.h:60:0
#63 0x5639dd1cc554 in DispatchToMethod<content::RenderWidget, void (content::RenderWidget::*)(const content::VisualProperties &), void, std::__1::tuple<content::VisualProperties> > /home/cowboy/chromium/src/out/chrome_asan_shared/../../ipc/ipc_message_templates.h:51:0
#64 0x5639dd1cc554 in bool IPC::MessageT<ViewMsg_SynchronizeVisualProperties_Meta, std::__1::tuple<content::VisualProperties>, void>::Dispatch<content::RenderWidget, content::RenderWidget, void, void (content::RenderWidget::*)(content::VisualProperties const&)>(IPC::Message const*, content::RenderWidget*, content::RenderWidget*, void*, void (content::RenderWidget::*)(content::VisualProperties const&)) /home/cowboy/chromium/src/out/chrome_asan_shared/../../ipc/ipc_message_templates.h:146:0
#65 0x5639dd1cb445 in content::RenderWidget::OnMessageReceived(IPC::Message const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/render_widget.cc:653:5
#66 0x5639dd1a994a in content::RenderViewImpl::OnMessageReceived(IPC::Message const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/render_view_impl.cc:1101:5
#67 0x5639cf70d529 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../ipc/ipc_channel_proxy.cc:320:14
#68 0x5639ce1822f0 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:99:12
#69 0x5639ce1822f0 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#70 0x5639cd085f35 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:166:21
#71 0x5639ce1822f0 in Run /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/callback.h:99:12
#72 0x5639ce1822f0 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/task_annotator.cc:101:0
#73 0x5639ce1e1442 in base::MessageLoop::RunTask(base::PendingTask*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:319:25
#74 0x5639ce1e26bf in DeferOrRunPendingTask /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:329:5
#75 0x5639ce1e26bf in base::MessageLoop::DoWork() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_loop.cc:373:0
#76 0x5639ce1eaeef in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/message_loop/message_pump_default.cc:37:31
#77 0x5639ce25cb20 in base::RunLoop::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/run_loop.cc:102:14
#78 0x5639dd28f5b5 in content::RendererMain(content::MainFunctionParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/renderer/renderer_main.cc:218:23
#79 0x5639cd6deb59 in content::RunZygote(content::ContentMainDelegate*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:561:14
#80 0x5639cd6e238d in content::ContentMainRunnerImpl::Run() /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main_runner_impl.cc:960:10
#81 0x5639cd702493 in service_manager::Main(service_manager::MainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../services/service_manager/embedder/main.cc:459:29
#82 0x5639cd6dd197 in content::ContentMain(content::ContentMainParams const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../content/app/content_main.cc:19:10
#83 0x5639c680d42f in ChromeMain /home/cowboy/chromium/src/out/chrome_asan_shared/../../chrome/app/chrome_main.cc:101:12
#84 0x7fa950a7c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291:0
Address 0x7ffecd8126a0 is located in stack of thread T0 (chrome)
SUMMARY: AddressSanitizer: bad-free (/home/cowboy/chromium/src/out/chrome_asan_shared/chrome+0x7b75ac2)
==1==ABORTING
Received signal 6
#0 0x5639c6783811 in __interceptor_backtrace /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:4024:13
#1 0x5639ce37bc3e in base::debug::StackTrace::StackTrace(unsigned long) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:808:41
#2 0x5639ce37ab8d in base::debug::(anonymous namespace)::StackDumpSignalHandler(int, siginfo_t*, void*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../base/debug/stack_trace_posix.cc:334:3
#3 0x7fa957a1f390 in __funlockfile ??:?
#4 0x7fa957a1f390 in ?? ??:0
#5 0x7fa950a91428 in gsignal /build/glibc-Cl5G7W/glibc-2.23/signal/../sysdeps/unix/sysv/linux/raise.c:54:0
#6 0x7fa950a9302a in abort /build/glibc-Cl5G7W/glibc-2.23/stdlib/abort.c:89:0
#7 0x5639c67f9377 in __sanitizer::Abort() /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cc:155:3
#8 0x5639c67f7da1 in __sanitizer::Die() /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:59:5
#9 0x5639c67e4169 in __asan::ScopedInErrorReport::~ScopedInErrorReport() _asan_rtl_:7
#10 0x5639c67e221b in __asan::ReportFreeNotMalloced(unsigned long, __sanitizer::BufferedStackTrace*) _asan_rtl_:1
#11 0x5639c67ddbac in __interceptor_free _asan_rtl_:3
#12 0x5639c701a38a in tt_face_vary_cvt /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/freetype/src/src/truetype/ttgxvar.c:3382:5
#13 0x5639c701898d in tt_set_mm_blend /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/freetype/src/src/truetype/ttgxvar.c:2601:17
#14 0x5639c701643d in TT_Set_Var_Design /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/freetype/src/src/truetype/ttgxvar.c:2877:13
#15 0x5639c6f2a00d in FT_Set_Var_Design_Coordinates /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/freetype/src/src/base/ftmm.c:224:17
#16 0x5639cec151b4 in ft_face_setup_axes /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/skia/src/ports/SkFontHost_FreeType.cpp:321:9
#17 0x5639cec151b4 in ref_ft_face(SkTypeface const*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/skia/src/ports/SkFontHost_FreeType.cpp:380:0
#18 0x5639cec109ca in AutoFTAccess::AutoFTAccess(SkTypeface const*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/skia/src/ports/SkFontHost_FreeType.cpp:428:20
#19 0x5639cec1b9be in SkTypeface_FreeType::onGetTableData(unsigned int, unsigned long, unsigned long, void*) const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/skia/src/ports/SkFontHost_FreeType.cpp:1623:18
#20 0x5639d788ea73 in blink::FontFormatCheck::ProbeVariableFont(sk_sp<SkTypeface>) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/fonts/opentype/font_format_check.cc:53:18
#21 0x5639d77f9dfa in blink::FontCustomPlatformData::GetFontPlatformData(float, bool, bool, blink::FontSelectionRequest const&, blink::FontSelectionCapabilities const&, blink::FontOrientation, blink::FontVariationSettings const*) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/fonts/font_custom_platform_data.cc:87:7
#22 0x5639d77f59c1 in blink::RemoteFontFaceSource::CreateFontData(blink::FontDescription const&, blink::FontSelectionCapabilities const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/css/remote_font_face_source.cc:224:26
#23 0x5639d77aa501 in blink::CSSFontFaceSource::GetFontData(blink::FontDescription const&, blink::FontSelectionCapabilities const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/css/css_font_face_source.cc:69:19
#24 0x5639d77a6de6 in blink::CSSFontFace::GetFontData(blink::FontDescription const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/css/css_font_face.cc:115:56
#25 0x5639d779b6eb in blink::CSSSegmentedFontFace::GetFontData(blink::FontDescription const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/css/css_segmented_font_face.cc:130:35
#26 0x5639d7e90616 in blink::CSSFontSelector::GetFontData(blink::FontDescription const&, WTF::AtomicString const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/css/css_font_selector.cc:95:18
#27 0x5639d6e12643 in blink::FontFallbackList::GetFontData(blink::FontDescription const&, int&) const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/fonts/font_fallback_list.cc:163:34
#28 0x5639d6e12024 in blink::FontFallbackList::FontDataAt(blink::FontDescription const&, unsigned int) const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/fonts/font_fallback_list.cc:235:36
#29 0x5639d6e116c4 in blink::FontFallbackList::DeterminePrimarySimpleFontData(blink::FontDescription const&) const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/fonts/font_fallback_list.cc:103:33
#30 0x5639da44f84a in PrimarySimpleFontData /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/fonts/font_fallback_list.h:76:11
#31 0x5639da44f84a in PrimaryFont /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/platform/fonts/font.h:231:0
#32 0x5639da44f84a in blink::ComputedStyle::ComputedLineHeight() const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/style/computed_style.cc:1765:0
#33 0x5639d987699f in blink::LayoutBlock::LineHeight(bool, blink::LineDirectionMode, blink::LinePositionMode) const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block.cc:1598:27
#34 0x5639d9877a47 in blink::LayoutBlock::MinLineHeightForReplacedObject(bool, blink::LayoutUnit) const /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block.cc:1682:7
#35 0x5639d9c8494f in MinLineHeightForReplacedObject /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/api/line_layout_block_flow.h:98:27
#36 0x5639d9c8494f in blink::LineWidth::UpdateAvailableWidth(blink::LayoutUnit) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/line/line_width.cc:53:0
#37 0x5639d9c5d87a in blink::LineBreaker::NextLineBreak(blink::BidiResolver<blink::InlineIterator, blink::BidiRun, blink::BidiIsolatedRun>&, blink::LineInfo&, blink::LayoutTextInfo&, WTF::Vector<blink::WordMeasurement, 64ul, WTF::PartitionAllocator>&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/line/line_breaker.cc:73:13
#38 0x5639d98e9939 in blink::LayoutBlockFlow::LayoutRunsAndFloatsInRange(blink::LineLayoutState&, blink::BidiResolver<blink::InlineIterator, blink::BidiRun, blink::BidiIsolatedRun>&, blink::InlineIterator const&, blink::BidiStatus const&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow_line.cc:1130:22
#39 0x5639d98e6439 in blink::LayoutBlockFlow::LayoutRunsAndFloats(blink::LineLayoutState&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow_line.cc:1009:3
#40 0x5639d98f9241 in blink::LayoutBlockFlow::LayoutInlineChildren(bool, blink::LayoutUnit) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow_line.cc:2001:5
#41 0x5639d988a369 in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:597:5
#42 0x5639d9888adb in blink::LayoutBlockFlow::UpdateBlockLayout(bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:470:5
#43 0x5639d98618c2 in blink::LayoutBlock::UpdateLayout() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block.cc:439:3
#44 0x5639d9893fa2 in blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:790:11
#45 0x5639d9894dd0 in blink::LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:853:7
#46 0x5639d9890bef in blink::LayoutBlockFlow::LayoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:1558:5
#47 0x5639d988a359 in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:599:5
#48 0x5639d9888adb in blink::LayoutBlockFlow::UpdateBlockLayout(bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:470:5
#49 0x5639d98618c2 in blink::LayoutBlock::UpdateLayout() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block.cc:439:3
#50 0x5639d9893fa2 in blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:790:11
#51 0x5639d9894dd0 in blink::LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:853:7
#52 0x5639d9890bef in blink::LayoutBlockFlow::LayoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:1558:5
#53 0x5639d988a359 in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:599:5
#54 0x5639d9888adb in blink::LayoutBlockFlow::UpdateBlockLayout(bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block_flow.cc:470:5
#55 0x5639d9c01b55 in blink::LayoutView::UpdateBlockLayout(bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_view.cc:285:20
#56 0x5639d98618c2 in blink::LayoutBlock::UpdateLayout() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_block.cc:439:3
#57 0x5639d9c0295b in blink::LayoutView::UpdateLayout() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/layout/layout_view.cc:328:20
#58 0x5639d8d0cecf in blink::LocalFrameView::PerformLayout(bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/frame/local_frame_view.cc:860:24
#59 0x5639d8d08102 in blink::LocalFrameView::UpdateLayout() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/frame/local_frame_view.cc:1022:7
#60 0x5639d8d28964 in blink::LocalFrameView::UpdateStyleAndLayoutIfNeededRecursiveInternal() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/frame/local_frame_view.cc:3089:5
#61 0x5639d8d204b6 in blink::LocalFrameView::UpdateStyleAndLayoutIfNeededRecursive() /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/frame/local_frame_view.cc:3052:3
#62 0x5639d8d1d428 in blink::LocalFrameView::UpdateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/frame/local_frame_view.cc:2622:3
#63 0x5639da06b5d7 in blink::PageAnimator::UpdateAllLifecyclePhases(blink::LocalFrame&) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/page/page_animator.cc:106:9
#64 0x5639d8ab8abe in blink::WebViewImpl::UpdateLifecycle(blink::WebWidget::LifecycleUpdate) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/exported/web_view_impl.cc:1771:3
#65 0x5639d8ab6a82 in UpdateAllLifecyclePhases /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/public/web/web_widget.h:93:45
#66 0x5639d8ab6a82 in blink::WebViewImpl::ResizeViewWhileAnchored(float, float, bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/exported/web_view_impl.cc:1657:0
#67 0x5639d8ab7359 in blink::WebViewImpl::ResizeWithBrowserControls(blink::WebSize const&, float, float, bool) /home/cowboy/chromium/src/out/chrome_asan_shared/../../third_party/blink/renderer/core/exported/web_view_impl.cc:1713:5
r8: 000000000000e3e2 r9: 0000000000000000 r10: 0000000000000008 r11: 0000000000000202
r12: 000000000000001e r13: 00000ff528c31f01 r14: 00007ffecd8111b0 r15: 00005639e05127d8
di: 0000000000000001 si: 0000000000000001 bp: 00007ffecd8125f0 bx: 00005639e0480330
dx: 0000000000000006 ax: 0000000000000000 cx: 00007fa950a91428 sp: 00007ffecd810f78
ip: 00007fa950a91428 efl: 0000000000000202 cgf: 002b000000000033 erf: 0000000000000000
trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.
Did this work before? N/A
Chrome version: Version 69.0.3477.0 (Developer Build) (64-bit) Channel: dev
OS Version: Ubuntu16.04
Flash Version:
Jul 3
This crashes a local asan build for me, although ClusterFuzz doesn't seem to be able to reproduce it for some reason. drott@ can you please have a look at this? Is this a freetype bug?
Jul 3
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6440715866079232.
Jul 4
Jul 4
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 11
We rolled FreeType in https://chromium-review.googlesource.com/c/chromium/src/+/1127377 which contains http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=589d1f0899343b18c3181f35451550dc1b904bef fixing https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9070 which is probably a duplicate or very similar issue (I can't access it.) I reverted the roll and retested with the above crash.html plus ha.woff: Reproducible! - After the roll, this issue is no longer reproducible. Marking this as fixed/verified.
Jul 11
kenrb@, does this need backporting to 68?
Jul 12
Jul 12
Confirmed that https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9070 is the same bug. Adding Merge-Request-68 to either roll forward, or if that change is too large, cherrypick http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=589d1f0899343b18c3181f35451550dc1b904bef
Jul 12
This bug requires manual review: We are only 11 days from stable. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 13
What is the safer choice here? Rolling forward vs cherrypicking?
Jul 13
So cherrypicking is probably the safest in the sense of not changing anything too much. It's also not difficult, we're set up to do that in a fairly straightforward way. The biggest issue is actually PDFium's use of FreeType, we don't want to roll to something that the PDFium in M68 isn't good with.
Jul 16
Jul 16
Cherrypicking sounds good to me, thanks!
Jul 16
Ben, if you don't mind, I'll assign this to you for the cherry-pick?
Jul 16
Great thanks for confirming. Let's go with cherrypicking. Approved for M68.
Jul 16
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5c623218df5e7fe189ad1ebc972e2e9966f210b2

commit 5c623218df5e7fe189ad1ebc972e2e9966f210b2
Author: Ben Wagner <bungeman@chromium.org>
Date: Mon Jul 16 17:44:11 2018

Roll FreeType for m68.

https://chromium.googlesource.com/chromium/src/third_party/freetype2/+log/9e345c911714ed62250be13d03d72e25d91fbc77..62b55f8e51ea8b2b244d8e2ccff5c6aa2170260c

Pick up fuzzer fixes.

BUG= chromium:859303
Change-Id: Ia298dcdf8339e3310b0b64f01c1a3cb180e5d572
Reviewed-on: https://chromium-review.googlesource.com/1138349
Reviewed-by: Ben Wagner <bungeman@chromium.org>
Cr-Commit-Position: refs/branch-heads/3440@{#679}
Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733}

[modify] https://crrev.com/5c623218df5e7fe189ad1ebc972e2e9966f210b2/DEPS
Jul 16
I'll go ahead and make the same merge for PDFium's third_party/freetype2 directory.
Jul 16
The following revision refers to this bug: https://pdfium.googlesource.com/pdfium/+/a0f8d235c80192931ed1db0c4f300c67c361cd98

commit a0f8d235c80192931ed1db0c4f300c67c361cd98
Author: Lei Zhang <thestig@chromium.org>
Date: Mon Jul 16 22:57:46 2018

M68: Roll DEPS for FreeType to 62b55f8e.

https://chromium.googlesource.com/chromium/src/third_party/freetype2/+log/9e345c911714ed62250be13d03d72e25d91fbc77..62b55f8e51ea8b2b244d8e2ccff5c6aa2170260c

Pick up fuzzer fixes.

BUG= chromium:859303
TBR=bungeman@chromium.org
Change-Id: Ie50e65c5879588a412c01f88aad668e2320aa9c4
Reviewed-on: https://pdfium-review.googlesource.com/37990
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Lei Zhang <thestig@chromium.org>

[modify] https://crrev.com/a0f8d235c80192931ed1db0c4f300c67c361cd98/DEPS
Jul 17
Thanks all!
Jul 30
Per comment 9, I'm afraid this bug was known about before this report, so the VRP panel declined to reward.
Oct 18
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot