New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 866378 link

Starred by 1 user
Status: Verified
Owner:
sffc@chromium.org
Last visit > 30 days ago
Closed: Sep 5
Cc:
js...@chromium.org
sffc@google.com
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Indirect-leak in uprv_malloc_62

Project Member Reported by ClusterFuzz, Jul 23 
Detailed report: https://clusterfuzz.com/testcase?key=5590196368965632

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Indirect-leak
Crash Address: 
Crash State:
  uprv_malloc_62
  icu_62::UMemory::operator new
  icu_62::number::impl::NumberFormatterImpl::fromMacros
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=54375:54376

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5590196368965632

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Jul 23

Labels: Test-Predator-Auto-Owner
Owner: js...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/deps/icu/+/a9a2bd3ee4f1d313651c5272252aaf2a3e7ed529 (Update ICU to 62.1 + local patches).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 2 by js...@chromium.org, Jul 26

Cc: js...@chromium.org sffc@google.com
Owner: sffc@chromium.org
sffc@,  can you take a look?  Let me know if you can reproduce and have a fix.

Comment 3 by sffc@chromium.org, Jul 30 

I'm not set up with V8 development so I haven't spent the time to get the fuzzer reproduce working.  I did look at the stack trace to see if I could reproduce in pure ICU code.  I did find one leak, which may or may not be the same as the one the Chrome fuzzer found:

https://unicode-org.atlassian.net/browse/ICU-20050

The other place I looked was in src/objects/intl-objects.cc.  I do not see where the NumberFormat created by Intl::CreateNumberFormat gets deleted.  The object that the fuzzer is complaining about is owned by that NumberFormat and should be deleted when the NumberFormat is deleted.
Project Member

Comment 4 by ClusterFuzz, Sep 5 

ClusterFuzz has detected this issue as fixed in range 55620:55621.

Detailed report: https://clusterfuzz.com/testcase?key=5590196368965632

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Indirect-leak
Crash Address: 
Crash State:
  uprv_malloc_62
  icu_62::UMemory::operator new
  icu_62::number::impl::NumberFormatterImpl::fromMacros
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=54375:54376
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=55620:55621

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5590196368965632

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, Sep 5

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5590196368965632 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 6 by sffc@chromium.org, Sep 5 

jshin, do you know what might have fixed this?

Sign in to add a comment