Issue 864358

Issue metadata

Status: Verified
Owner:
Closed: Jul 18
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Security

Blocking: issue 864467

Use-of-uninitialized-value in cc::PictureLayerImpl::AppendQuads

Reported by ClusterFuzz (Project Member), Jul 17

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4785896566816768

Fuzzer: inferno_flicker
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  cc::PictureLayerImpl::AppendQuads
  cc::RenderSurfaceImpl::TileMaskLayer
  cc::RenderSurfaceImpl::AppendQuads
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Low

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=575461:575463

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4785896566816768

Additional requirements: Requires Gestures

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Jul 17

Components: Internals>Compositing
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz (Project Member), Jul 17

Labels: Test-Predator-Auto-Owner
Owner: lethalantidote@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/6be34509e3e7f532e2ebf4f8390be6b094bd819d (Prevents compositor frames from being sent when SurfaceLayer is not visible.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by sheriffbot@chromium.org (Project Member), Jul 17

Labels: Pri-2
Blocking: 864467

Comment 5 by bugdroid1@chromium.org (Project Member), Jul 17

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3f2ddfe66c90bba7480e676e9a34bf37a8241841

commit 3f2ddfe66c90bba7480e676e9a34bf37a8241841
Author: CJ DiMeglio <lethalantidote@chromium.org>
Date: Tue Jul 17 23:03:37 2018

Reland "Prevents compositor frames from being sent when SurfaceLayer is not visible."

This is a reland of 6be34509e3e7f532e2ebf4f8390be6b094bd819d

TBR=dcheng@chromium.org,enne@chromium.org,fsamuel@chromium.org,junov@chromium.org,mlamouri@chromium.org,liberato@chromium.org
Original change's description:
> Prevents compositor frames from being sent when SurfaceLayer is not visible.
>
> This CL is 3/3 in effort to fix the regressions caused by sending
> unneeded compositor frames.
>
> This CL provides a signal from the SurfaceLayerImpl to the VideoFrameSubmitter
> to prevent compositor frames from being sent at undesired times (occlusion, not
> being added into the layer tree).
>
>
> Cq-Include-Trybots: luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel
> Change-Id: I428860047eaf4c50abc2e662914a643158f1276b
> Reviewed-on: https://chromium-review.googlesource.com/1101708
> Commit-Queue: CJ DiMeglio <lethalantidote@chromium.org>
> Reviewed-by: Frank Liberato <liberato@chromium.org>
> Reviewed-by: Justin Novosad <junov@chromium.org>
> Reviewed-by: enne <enne@chromium.org>
> Reviewed-by: Daniel Cheng <dcheng@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#575462}

Change-Id: Idba341813f1202991c8cb5da94ea72d234db56eb
Cq-Include-Trybots: luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel
Bug: 864358
Reviewed-on: https://chromium-review.googlesource.com/1140458
Reviewed-by: CJ DiMeglio <lethalantidote@chromium.org>
Commit-Queue: CJ DiMeglio <lethalantidote@chromium.org>
Cr-Commit-Position: refs/heads/master@{#575833}
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/cc/layers/heads_up_display_layer_impl.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/cc/layers/heads_up_display_layer_impl_unittest.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/cc/layers/layer_impl.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/cc/layers/layer_impl.h
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/cc/layers/surface_layer.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/cc/layers/surface_layer.h
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/cc/layers/surface_layer_impl.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/cc/layers/surface_layer_impl.h
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/cc/layers/surface_layer_impl_unittest.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/cc/layers/texture_layer_impl.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/cc/layers/texture_layer_unittest.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/cc/layers/video_layer_impl.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/cc/layers/video_layer_impl_unittest.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/cc/test/layer_test_common.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/cc/trees/layer_tree_host_impl.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/cc/trees/layer_tree_host_impl_unittest.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/media/base/bind_to_current_loop.h
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/media/blink/DEPS
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/media/blink/video_frame_compositor.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/media/blink/video_frame_compositor.h
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/media/blink/video_frame_compositor_unittest.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/media/blink/webmediaplayer_impl.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/media/blink/webmediaplayer_impl.h
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/media/blink/webmediaplayer_impl_unittest.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/media/blink/webmediaplayer_params.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/media/blink/webmediaplayer_params.h
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/third_party/blink/public/platform/web_surface_layer_bridge.h
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/third_party/blink/public/platform/web_video_frame_submitter.h
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/third_party/blink/renderer/core/html/canvas/html_canvas_element.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/third_party/blink/renderer/platform/exported/web_surface_layer_bridge.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/third_party/blink/renderer/platform/graphics/surface_layer_bridge.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/third_party/blink/renderer/platform/graphics/surface_layer_bridge.h
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/third_party/blink/renderer/platform/graphics/video_frame_submitter.cc
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/third_party/blink/renderer/platform/graphics/video_frame_submitter.h
[modify] https://crrev.com/3f2ddfe66c90bba7480e676e9a34bf37a8241841/third_party/blink/renderer/platform/graphics/video_frame_submitter_test.cc

Status: Fixed (was: Assigned)

Comment 7 by ClusterFuzz (Project Member), Jul 18

ClusterFuzz has detected this issue as fixed in range 575567:575573.

Detailed report: https://clusterfuzz.com/testcase?key=4785896566816768

Fuzzer: inferno_flicker
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  cc::PictureLayerImpl::AppendQuads
  cc::RenderSurfaceImpl::TileMaskLayer
  cc::RenderSurfaceImpl::AppendQuads
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Low

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=575461:575463
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=575567:575573

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4785896566816768

Additional requirements: Requires Gestures

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by ClusterFuzz (Project Member), Jul 18

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4785896566816768 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 9 by sheriffbot@chromium.org (Project Member), Jul 18

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 10 by sheriffbot@chromium.org (Project Member), Oct 24

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot