Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/c2a778621cbcd812e2687269ba3f10132a31df12 ([Zucchini] Add dissassembler_dex Fuzzer).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Update: ckitagawa@ has a preliminary CL that would relax the test:
https://bugs.chromium.org/p/chromium/issues/detail?id=863478

However, I deemed that the DCHECK is proper, and decided to take a deeper look. Looks like the bug is due to 2 things:
(1) insns size == 0 should be disallowed; this is DEX spec constraint A1:
https://source.android.com/devices/tech/dalvik/constraints

(2) BufferRegion::FitsIn() is too strict: We dictated that empty region won't fit in the end of buffer.

I'm going to relax (2), and add a TODO for (1) (will have more rigorous checks in upcoming CL).

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2b31de169e783260c9e2fbaea295b39ae808fbf9

commit 2b31de169e783260c9e2fbaea295b39ae808fbf9
Author: Samuel Huang <huangs@chromium.org>
Date: Thu Jul 19 14:32:28 2018

[Zucchini] Fix BufferRegion::FitsIn() so empty region fits at end of buffer.

This CL is similar to:
https://chromium-review.googlesource.com/1133688

BufferRegion::FitsIn() (and BufferViewBase::covers()) decides whether
a BufferRegion fits inside a buffer. A special case is whether an empty
region fits at the end of a buffer?

Previously this was considered to be a pathological case, so the result
is "false". However, this led to a DCHECK failure found by the DEX
fuzzer: a CodeItem with insns_size = 0 is checked against an empty
buffer.

It may seem straightforward to change the DCHECK to a handled failure.
However, the failing code (in CodeItemParser::GetCodeItemInsns())
occurs after CodeItem have been supposedly validated, so the DCHECK
is correctly placed! Two causes are:
(1) Technically insns_size should be > 0, as dictated by constraint A1
    ("The insns array mus tnot be empty") in Dalvik spec.
(2) The FitsIn() check is too stringent.

This CL focuses on relaxing (2). This makes checking slightly more
permissive elsewhere in code (patch_reader.cc and Win32 disassembler),
but this looks like the right thing to do.

As for (1), we plan to visit
https://source.android.com/devices/tech/dalvik/constraints
and implement more rigorous checks. So we simply add a TODO for now.

Bug:  863478 
Change-Id: Iacbb2bb9bf26701db960192c7b727351ea5afdec
Reviewed-on: https://chromium-review.googlesource.com/1142517
Reviewed-by: agrieve <agrieve@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Commit-Queue: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#576482}
[modify] https://crrev.com/2b31de169e783260c9e2fbaea295b39ae808fbf9/components/zucchini/buffer_view.h
[modify] https://crrev.com/2b31de169e783260c9e2fbaea295b39ae808fbf9/components/zucchini/buffer_view_unittest.cc
[modify] https://crrev.com/2b31de169e783260c9e2fbaea295b39ae808fbf9/components/zucchini/disassembler_dex.cc

ClusterFuzz has detected this issue as fixed in range 576481:576484.

Detailed report: https://clusterfuzz.com/testcase?key=5358735254618112

Fuzzer: libFuzzer_zucchini_disassembler_dex_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  source.covers(insns) in disassembler_dex.cc
  zucchini::CodeItemParser::GetCodeItemInsns
  zucchini::InstructionParser::InstructionParser
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=572202:572204
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=576481:576484

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5358735254618112

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5358735254618112 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.