Issue 87548 use after free in skia blitter
Starred by 1 user Project Member Reported by infe...@chromium.org, Jun 26 2011 Back to list
Status: Fixed
Owner:
Closed: Jul 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug-Security

found in my fuzzing + Kostya

run the testcase under address sanitizer.

==================================================================
HINT: if your stack trace looks short or garbled, use ASAN_OPTIONS=fast_unwind=0
==27776== ERROR: AddressSanitizer crashed on address 0x00007fcef3612b3c at pc 0x7fcf44836b71 bp 0x7fcf270eedf0 sp 0x7fcf270eed58
WRITE of size 4 at 0x00007fcef3612b3c thread T12
    #0 0x7fcf44836b71 in sk_memset32_SSE2(unsigned int*, unsigned int, int) media/base/yuv_row_table.cc:0
    #1 0x7fcf44751ca6 in walk_edges(SkEdge*, SkPath::FillType, SkBlitter*, int, int, void (*)(SkBlitter*, int, bool)) third_party/skia/src/core/SkScan_Path.cpp:0
    #2 0x7fcf44751634 in sk_fill_path(SkPath const&, SkIRect const*, SkBlitter*, int, int, int, SkRegion const&) media/base/yuv_row_table.cc:0
    #3 0x7fcf44753586 in SkScan::FillPath(SkPath const&, SkRegion const&, SkBlitter*) media/base/yuv_row_table.cc:0
    #4 0x7fcf44747ed5 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*) media/base/yuv_row_table.cc:0
    #5 0x7fcf446de53a in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const media/base/yuv_row_table.cc:0
    #6 0x7fcf446cdf26 in SkCanvas::drawPath(SkPath const&, SkPaint const&) ??:0
    #7 0x7fcf46509691 in WebCore::GraphicsContext::fillRoundedRect(WebCore::IntRect const&, WebCore::IntSize const&, WebCore::IntSize const&, WebCore::IntSize const&, WebCore::IntSize const&, WebCore::Color const&, WebCore::ColorSpace) media/base/yuv_row_table.cc:0
    #8 0x7fcf46462e0b in WebCore::GraphicsContext::fillRoundedRect(WebCore::RoundedIntRect const&, WebCore::Color const&, WebCore::ColorSpace) media/base/yuv_row_table.cc:0
    #9 0x7fcf473a9faf in WebCore::RenderBoxModelObject::paintFillLayerExtended(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const*, WebCore::IntRect const&, WebCore::BackgroundBleedAvoidance, WebCore::InlineFlowBox*, WebCore::IntSize const&, WebCore::CompositeOperator, WebCore::RenderObject*) media/base/yuv_row_table.cc:0
    #10 0x7fcf47379742 in WebCore::RenderBox::paintFillLayers(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const*, WebCore::IntRect const&, WebCore::BackgroundBleedAvoidance, WebCore::CompositeOperator, WebCore::RenderObject*) media/base/yuv_row_table.cc:0
    #11 0x7fcf4737a3ac in WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::IntPoint const&) media/base/yuv_row_table.cc:0
    #12 0x7fcf474cd146 in WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) media/base/yuv_row_table.cc:0
    #13 0x7fcf473eb178 in WebCore::RenderImage::paint(WebCore::PaintInfo&, WebCore::IntPoint const&) ??:0
    #14 0x7fcf4745b012 in WebCore::RenderLayerBacking::paintIntoLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::GraphicsLayerPaintingPhase, WebCore::RenderObject*) ??:0
    #15 0x7fcf4745c8c4 in WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::GraphicsLayerPaintingPhase, WebCore::IntRect const&) ??:0
    #16 0x7fcf465bc0d2 in WebCore::ContentLayerPainter::paint(WebCore::GraphicsContext&, WebCore::IntRect const&) ??:0
    #17 0x7fcf464baf87 in WebCore::LayerTextureUpdaterBitmap::prepareToUpdate(WebCore::IntRect const&, WebCore::IntSize const&, int) ??:0
    #18 0x7fcf464c1864 in WebCore::LayerTilerChromium::prepareToUpdate(WebCore::IntRect const&, WebCore::LayerTextureUpdater*) media/base/yuv_row_table.cc:0
    #19 0x7fcf465ba2c2 in WebCore::ContentLayerChromium::paintContentsIfDirty(WebCore::IntRect const&) ??:0
    #20 0x7fcf464b081f in WebCore::LayerRendererChromium::paintLayerContents(WTF::Vector<WTF::RefPtr<WebCore::CCLayerImpl>, 0ul> const&) ??:0
    #21 0x7fcf464aa2a1 in WebCore::LayerRendererChromium::updateLayers(WTF::Vector<WTF::RefPtr<WebCore::CCLayerImpl>, 0ul>&) ??:0
    #22 0x7fcf464a8ffd in WebCore::LayerRendererChromium::updateAndDrawLayers() media/base/yuv_row_table.cc:0
    #23 0x7fcf45a6875a in WebKit::WebViewImpl::composite(bool) ??:0
    #24 0x7fcf4835791c in RenderWidget::DoDeferredUpdate() ??:0
    #25 0x7fcf48355bf0 in RenderWidget::InvalidationCallback() ??:0
    #26 0x7fcf441ca329 in (anonymous namespace)::TaskClosureAdapter::Run() base/message_loop.cc:0
    #27 0x7fcf441cf41c in MessageLoop::RunTask(MessageLoop::PendingTask const&) ??:0
    #28 0x7fcf441cfa32 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) ??:0
    #29 0x7fcf441d0c82 in MessageLoop::DoWork() ??:0
    #30 0x7fcf441da228 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ??:0
    #31 0x7fcf441ce386 in MessageLoop::RunInternal() ??:0
    #32 0x7fcf441cc62a in MessageLoop::Run() media/base/yuv_row_table.cc:0
    #33 0x7fcf44240950 in base::Thread::ThreadMain() ??:0
    #34 0x7fcf4423f64c in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:0
    #35 0x7fcf48ebe603 in AsanThread::ThreadStart() /home/kcc/asan/asan/asan_thread.cc:77
    #36 0x7fcf3e5169ca in start_thread ??:0
    #37 0x7fcf3c8b270d in __clone ??:0
0x00007fcef3612b3c is located 404028 bytes inside of 425888-byte region [0x00007fcef35b0100,0x00007fcef36180a0)
freed by thread T12 here:
    #0 0x7fcf48eba11a in free _asan_rtl_
    #1 0x7fcf44805718 in SkARGB32_Shader_Blitter::~SkARGB32_Shader_Blitter() ??:0
    #2 0x7fcf446df26b in SkDraw::drawRect(SkRect const&, SkPaint const&) const media/base/yuv_row_table.cc:0
    #3 0x7fcf446cd5f0 in SkCanvas::drawRect(SkRect const&, SkPaint const&) media/base/yuv_row_table.cc:0
    #4 0x7fcf46501fa3 in WebCore::GraphicsContext::clearRect(WebCore::FloatRect const&) media/base/yuv_row_table.cc:0
    #5 0x7fcf465bc098 in WebCore::ContentLayerPainter::paint(WebCore::GraphicsContext&, WebCore::IntRect const&) ??:0
    #6 0x7fcf464baf87 in WebCore::LayerTextureUpdaterBitmap::prepareToUpdate(WebCore::IntRect const&, WebCore::IntSize const&, int) ??:0
    #7 0x7fcf464c1864 in WebCore::LayerTilerChromium::prepareToUpdate(WebCore::IntRect const&, WebCore::LayerTextureUpdater*) media/base/yuv_row_table.cc:0
    #8 0x7fcf465ba2c2 in WebCore::ContentLayerChromium::paintContentsIfDirty(WebCore::IntRect const&) ??:0
    #9 0x7fcf464b081f in WebCore::LayerRendererChromium::paintLayerContents(WTF::Vector<WTF::RefPtr<WebCore::CCLayerImpl>, 0ul> const&) ??:0
    #10 0x7fcf464aa2a1 in WebCore::LayerRendererChromium::updateLayers(WTF::Vector<WTF::RefPtr<WebCore::CCLayerImpl>, 0ul>&) ??:0
    #11 0x7fcf464a8ffd in WebCore::LayerRendererChromium::updateAndDrawLayers() media/base/yuv_row_table.cc:0
    #12 0x7fcf45a6875a in WebKit::WebViewImpl::composite(bool) ??:0
    #13 0x7fcf4835791c in RenderWidget::DoDeferredUpdate() ??:0
    #14 0x7fcf48355bf0 in RenderWidget::InvalidationCallback() ??:0
    #15 0x7fcf441ca329 in (anonymous namespace)::TaskClosureAdapter::Run() base/message_loop.cc:0
previously allocated by thread T12 here:
    #0 0x7fcf48eba20a in malloc _asan_rtl_
    #1 0x7fcf447c63f9 in sk_malloc_throw(unsigned long) media/base/yuv_row_table.cc:0
    #2 0x7fcf44805318 in SkARGB32_Shader_Blitter::SkARGB32_Shader_Blitter(SkBitmap const&, SkPaint const&) ??:0
    #3 0x7fcf447f54df in SkBlitter::Choose(SkBitmap const&, SkMatrix const&, SkPaint const&, void*, unsigned long) media/base/yuv_row_table.cc:0
    #4 0x7fcf446df0c2 in SkDraw::drawRect(SkRect const&, SkPaint const&) const media/base/yuv_row_table.cc:0
    #5 0x7fcf446cd5f0 in SkCanvas::drawRect(SkRect const&, SkPaint const&) media/base/yuv_row_table.cc:0
    #6 0x7fcf46501fa3 in WebCore::GraphicsContext::clearRect(WebCore::FloatRect const&) media/base/yuv_row_table.cc:0
    #7 0x7fcf465bc098 in WebCore::ContentLayerPainter::paint(WebCore::GraphicsContext&, WebCore::IntRect const&) ??:0
    #8 0x7fcf464baf87 in WebCore::LayerTextureUpdaterBitmap::prepareToUpdate(WebCore::IntRect const&, WebCore::IntSize const&, int) ??:0
    #9 0x7fcf464c1864 in WebCore::LayerTilerChromium::prepareToUpdate(WebCore::IntRect const&, WebCore::LayerTextureUpdater*) media/base/yuv_row_table.cc:0
    #10 0x7fcf465ba2c2 in WebCore::ContentLayerChromium::paintContentsIfDirty(WebCore::IntRect const&) ??:0
    #11 0x7fcf464b081f in WebCore::LayerRendererChromium::paintLayerContents(WTF::Vector<WTF::RefPtr<WebCore::CCLayerImpl>, 0ul> const&) ??:0
    #12 0x7fcf464aa2a1 in WebCore::LayerRendererChromium::updateLayers(WTF::Vector<WTF::RefPtr<WebCore::CCLayerImpl>, 0ul>&) ??:0
    #13 0x7fcf464a8ffd in WebCore::LayerRendererChromium::updateAndDrawLayers() media/base/yuv_row_table.cc:0
    #14 0x7fcf45a6875a in WebKit::WebViewImpl::composite(bool) ??:0
    #15 0x7fcf4835791c in RenderWidget::DoDeferredUpdate() ??:0
Thread T12 created by T0 here:
    #0 0x7fcf48eb9337 in pthread_create _asan_rtl_
    #1 0x7fcf4423f421 in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, unsigned long*) base/threading/platform_thread_posix.cc:0
    #2 0x7fcf4423f2ea in base::PlatformThread::Create(unsigned long, base::PlatformThread::Delegate*, unsigned long*) media/base/yuv_row_table.cc:0
    #3 0x7fcf4423ff20 in base::Thread::StartWithOptions(base::Thread::Options const&) media/base/yuv_row_table.cc:0
    #4 0x7fcf47f9d8c1 in BrowserRenderProcessHost::Init(bool) ??:0
    #5 0x7fcf47fea574 in RenderViewHost::CreateRenderView(std::basic_string<unsigned short, base::string16_char_traits, std::allocator<unsigned short> > const&) ??:0
    #6 0x7fcf480914a7 in TabContents::CreateRenderViewForRenderManager(RenderViewHost*) ??:0
    #7 0x7fcf480918ed in non-virtual thunk to TabContents::CreateRenderViewForRenderManager(RenderViewHost*) ??:0
==27776== ABORTING
Stats: 0M malloced (0M for red zones) by 0 calls
Stats: 1M realloced by 13139 calls
Stats: 0M freed by 0 calls
Stats: 0M really freed by 0 calls
Stats: 0M (0 pages) mmaped in 0 calls
Stats: 73M of shadow memory allocated in 73 clusters
             (1M each, 0 low and 73 high)
Shadow byte and word:
  0x00001ff9de6c2567: fb
  0x00001ff9de6c2560: fb fb fb fb fb fb fb fb
More shadow bytes:
  0x00001ff9de6c2540: fb fb fb fb fb fb fb fb
  0x00001ff9de6c2548: fb fb fb fb fb fb fb fb
  0x00001ff9de6c2550: fb fb fb fb fb fb fb fb
  0x00001ff9de6c2558: fb fb fb fb fb fb fb fb
=>0x00001ff9de6c2560: fb fb fb fb fb fb fb fb
  0x00001ff9de6c2568: fb fb fb fb fb fb fb fb
  0x00001ff9de6c2570: fb fb fb fb fb fb fb fb
  0x00001ff9de6c2578: fb fb fb fb fb fb fb fb
  0x00001ff9de6c2580: fb fb fb fb fb fb fb fb

 
Attachment: skia.html (1.5 KB)
Labels: Stability-AddressSanitizer
Ignore the media/base/yuv_row_table.cc in the stack trace; some issue in the symbolizer.
Cc: -reed@google.com
Owner: reed@google.com
Status: Assigned
Mike, it does look like the Blitter thingy has come back again or the bug just existed. At least we now have a reproducible testcase under ASAN (https://sites.google.com/a/chromium.org/dev/developers/testing/addresssanitizer). Can you please help take a look?

Bot LIN_BOT2 on platform LINUX
Root : http://src.chromium.org/svn
Revision : 90366
Root : http://svn.webkit.org/repository/webkit
Revision : 89665

@inferno: which versions does this affect? M12? trunk? Everything? :)
Labels: -Mstone-12 Mstone-13
Moving all M12 bugs to M13. We won't have another M12 patch.
Mike, ping ??
Comment 6 by reed@google.com, Jul 14 2011
Can't reproduce this with tip-of-tree. Here are my steps:

# build steps
    ASAN=`pwd`/third_party/asan
    ASAN_BIN=$ASAN/asan_clang_Linux/bin
    GYP_DEFINES='clang=1 linux_use_tcmalloc=0 disable_nacl=1 release_extra_cflags="-g -O1 -fno-inline-functions -fno-inline" ' gclient runhooks
    make -j32 BUILDTYPE=Release CXX="$ASAN_BIN/clang++ -fasan" CC="$ASAN_BIN/clang -fasan" base_unittests chrome

# run
    RUNNING_ON_VALGRIND=1 out/Release/chrome
# then I open skia.html
# I get no errors reported on the page, or on the console

1. Do you see this on tip-of-tree (I synced today)
2. Should I be building a debug version?

Ok, this is not reproducing on trunk either for me on ASAN. 

The bug was found on 
Bot LIN_BOT2 on platform LINUX
Root : http://src.chromium.org/svn
Revision : 90366
Root : http://svn.webkit.org/repository/webkit
Revision : 89665

Don't know which skia-related blitter patch fixed it. I will close the bug upon seeing if m13 is affected.
Ok, this bug reproduces on the m13 (782) branch.

Luckily, it hits a debug assert, so you might know what fixed it.

[26943:26971:1218365678482:FATAL:SkFDot6.h(43)] third_party/skia/include/core/SkFDot6.h:43: failed assertion "(x << 10 >> 10) == x"

Backtrace:
	base::debug::StackTrace::StackTrace() [0x4593bee]
	logging::LogMessage::~LogMessage() [0x45c02d3]
	SkDebugf_FileLine() [0x42756b5]
	SkFDot6ToFixed() [0x4200fa7]
	SkQuadraticEdge::setQuadratic() [0x42ff8b2]
	SkEdgeBuilder::addQuad() [0x42f929f]
	SkEdgeBuilder::build() [0x42f9a31]
	sk_fill_path() [0x4203811]
	SkScan::FillPath() [0x42050f9]
	SkScan::AntiFillPath() [0x41fae5d]
	SkDraw::drawPath() [0x4194c1d]
	SkCanvas::drawPath() [0x4185e11]
	WebCore::GraphicsContext::fillRoundedRect() [0x222aaed]
	WebCore::GraphicsContext::fillRoundedRect() [0x21a92c5]
	WebCore::RenderBoxModelObject::paintFillLayerExtended() [0x232c7bb]
	WebCore::RenderBox::paintFillLayer() [0x230ac17]
	WebCore::RenderBox::paintBoxDecorationsWithSize() [0x2309ee5]
	WebCore::RenderBox::paintBoxDecorations() [0x2309b93]
	WebCore::RenderReplaced::paint() [0x23c270b]
	WebCore::RenderImage::paint() [0x253f508]
	WebCore::RenderLayerBacking::paintIntoLayer() [0x2389a8d]
	WebCore::RenderLayerBacking::paintContents() [0x238a412]
	WebCore::ContentLayerPainter::paint() [0x50ae4a4]
	WebCore::LayerTextureUpdaterCanvas::paintContents() [0x21ea927]
	WebCore::LayerTextureUpdaterBitmap::prepareToUpdate() [0x21eac3b]
	WebCore::LayerTilerChromium::prepareToUpdate() [0x21ef06f]
	WebCore::ContentLayerChromium::paintContentsIfDirty() [0x50acb38]
	WebCore::LayerRendererChromium::paintLayerContents() [0x21dc95e]
	WebCore::LayerRendererChromium::updateLayers() [0x21d95fc]
	WebCore::LayerRendererChromium::updateAndDrawLayers() [0x21d8c2f]
	WebKit::WebViewImpl::composite() [0x1c4aef4]
	RenderWidget::DoDeferredUpdate() [0x1985c1b]
	RenderWidget::DoDeferredUpdateAndSendInputAck() [0x1982715]
	RenderWidget::OnUpdateRectAck() [0x197fb2f]
	IPC::Message::Dispatch<>() [0x198abb4]
	RenderWidget::OnMessageReceived() [0x197f3e3]
	RenderView::OnMessageReceived() [0x1948e7f]
	MessageRouter::RouteMessage() [0x1b26b6d]
	MessageRouter::OnMessageReceived() [0x1b26af5]
	ChildThread::OnMessageReceived() [0x1a52c2a]
	IPC::ChannelProxy::Context::OnDispatchMessage() [0x3f1df32]
	(anonymous namespace)::TaskClosureAdapter::Run() [0x45c3279]
	MessageLoop::RunTask() [0x45c5443]
	MessageLoop::DeferOrRunPendingTask() [0x45c57a4]
	MessageLoop::DoWork() [0x45c5a53]
	base::MessagePumpDefault::Run() [0x45d2cd8]
	MessageLoop::RunInternal() [0x45c4e6b]
	MessageLoop::Run() [0x45c4204]
	base::Thread::ThreadMain() [0x4635e80]
	base::(anonymous namespace)::ThreadFunc() [0x462f282]
	AsanThread::ThreadStart() [0x5292493]
	start_thread [0x7fcb8a7829ca]
	0x7fcb8840f70d

Here is the ASAN output
arya@fuzzer:/usr/local/google/home/aarya/782/src$ ./out/Release/chrome --single-process --user-data-dir=/tmp/tt2 /auto/FuzzInfrastructure/test.html 2>&1 | third_party/asan/scripts/asan_symbolize.py | c++filt
[27167:27181:1218475582038:ERROR:proxy_service_factory.cc(66)] Cannot use V8 Proxy resolver in single process mode.
==================================================================
==27167== ERROR: AddressSanitizer crashed on address 0x00007fc3ff50cb3c at pc 0x4135cb1 bp 0x7fc40fd7bd50 sp 0x7fc40fd7bcc8
WRITE of size 4 at 0x00007fc3ff50cb3c thread T13
    #0 0x4135cb1 in sk_memset32_SSE2(unsigned int*, unsigned int, int) /usr/local/google/home/aarya/782/src/third_party/skia/src/opts/SkUtils_opts_SSE2.cpp:59
    #1 0x3c6a361 in walk_edges /usr/local/google/home/aarya/782/src/third_party/skia/src/core/SkScan_Path.cpp:151
    #2 0x3c69d4e in sk_fill_path(SkPath const&, SkIRect const*, SkBlitter*, int, int, int, SkRegion const&) /usr/local/google/home/aarya/782/src/third_party/skia/src/core/SkScan_Path.cpp:520
    #3 0x3c6b079 in SkScan::FillPath(SkPath const&, SkRegion const&, SkBlitter*) /usr/local/google/home/aarya/782/src/third_party/skia/src/core/SkScan_Path.cpp:606
    #4 0x3c62663 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*) /usr/local/google/home/aarya/782/src/third_party/skia/src/core/SkScan_AntiPath.cpp:410
    #5 0x3c18200 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/aarya/782/src/third_party/skia/src/core/SkDraw.cpp:982
    #6 0x3c0d4b1 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/aarya/782/src/third_party/skia/src/core/SkCanvas.cpp:1253
    #7 0x1f3467d in WebCore::GraphicsContext::fillRoundedRect(WebCore::IntRect const&, WebCore::IntSize const&, WebCore::IntSize const&, WebCore::IntSize const&, WebCore::IntSize const&, WebCore::Color const&, WebCore::ColorSpace) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/skia/GraphicsContextSkia.cpp:867
    #8 0x1ec9295 in WebCore::GraphicsContext::fillRoundedRect(WebCore::RoundedIntRect const&, WebCore::Color const&, WebCore::ColorSpace) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/GraphicsContext.cpp:619
    #9 0x20b1fd3 in WebCore::RenderBoxModelObject::paintFillLayerExtended(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const*, WebCore::IntRect const&, WebCore::BackgroundBleedAvoidance, WebCore::InlineFlowBox*, WebCore::IntSize const&, WebCore::CompositeOperator, WebCore::RenderObject*) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/rendering/RenderBoxModelObject.cpp:635
    #10 0x2096b97 in WebCore::RenderBox::paintFillLayer(WebCore::PaintInfo const&, WebCore::Color const&, WebCore::FillLayer const*, WebCore::IntRect const&, WebCore::BackgroundBleedAvoidance, WebCore::CompositeOperator, WebCore::RenderObject*) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:993
    #11 0x2095da5 in WebCore::RenderBox::paintBoxDecorationsWithSize(WebCore::PaintInfo&, WebCore::IntRect) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:868
    #12 0x2095a53 in WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, int, int) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/rendering/RenderBox.cpp:808
    #13 0x21445bb in WebCore::RenderReplaced::paint(WebCore::PaintInfo&, int, int) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/rendering/RenderReplaced.cpp:114
    #14 0x21f4dc8 in WebCore::RenderImage::paint(WebCore::PaintInfo&, int, int) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/rendering/RenderImage.cpp:317
    #15 0x210d322 in WebCore::RenderLayerBacking::paintIntoLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, WebCore::GraphicsLayerPaintingPhase, WebCore::RenderObject*) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/rendering/RenderLayerBacking.cpp:1155
    #16 0x210dc42 in WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::GraphicsLayerPaintingPhase, WebCore::IntRect const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/rendering/RenderLayerBacking.cpp:1226
    #17 0x4aeaa94 in WebCore::ContentLayerPainter::paint(WebCore::GraphicsContext&, WebCore::IntRect const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/ContentLayerChromium.cpp:72
    #18 0x1efe137 in WebCore::LayerTextureUpdaterCanvas::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerTextureUpdaterCanvas.cpp:61
    #19 0x1efe47b in WebCore::LayerTextureUpdaterBitmap::prepareToUpdate(WebCore::IntRect const&, WebCore::IntSize const&, int) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerTextureUpdaterCanvas.cpp:83
    #20 0x1f03230 in WebCore::LayerTilerChromium::prepareToUpdate(WebCore::IntRect const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerTilerChromium.cpp:262
    #21 0x4ae9371 in WebCore::ContentLayerChromium::paintContentsIfDirty(WebCore::IntRect const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/ContentLayerChromium.cpp:112
    #22 0x1ef3c9c in WebCore::LayerRendererChromium::paintLayerContents(WTF::Vector<WTF::RefPtr<WebCore::CCLayerImpl>, 0ul> const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerRendererChromium.cpp:386
    #23 0x1ef03ce in WebCore::LayerRendererChromium::updateLayers(WTF::Vector<WTF::RefPtr<WebCore::CCLayerImpl>, 0ul>&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerRendererChromium.cpp:332
    #24 0x1eef755 in WebCore::LayerRendererChromium::updateAndDrawLayers() /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerRendererChromium.cpp:241
    #25 0x1a02e2a in WebKit::WebViewImpl::composite(bool) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebKit/chromium/src/WebViewImpl.cpp:1153
    #26 0x17c046b in RenderWidget::DoDeferredUpdate() /usr/local/google/home/aarya/782/src/content/renderer/render_widget.cc:788
    #27 0x17bd175 in RenderWidget::DoDeferredUpdateAndSendInputAck() /usr/local/google/home/aarya/782/src/content/renderer/render_widget.cc:657
    #28 0x17beea6 in RenderWidget::InvalidationCallback() /usr/local/google/home/aarya/782/src/content/renderer/render_widget.cc:652
    #29 0x3eebf79 in (anonymous namespace)::TaskClosureAdapter::Run() /usr/local/google/home/aarya/782/src/base/message_loop.cc:102
    #30 0x3eee4c2 in MessageLoop::RunTask(MessageLoop::PendingTask const&) /usr/local/google/home/aarya/782/src/base/message_loop.cc:483
    #31 0x3eee904 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /usr/local/google/home/aarya/782/src/base/message_loop.cc:500
    #32 0x3eeec93 in MessageLoop::DoWork() /usr/local/google/home/aarya/782/src/base/message_loop.cc:691
    #33 0x3efa04b in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /usr/local/google/home/aarya/782/src/base/message_pump_default.cc:23
    #34 0x3eedeb8 in MessageLoop::RunInternal() /usr/local/google/home/aarya/782/src/base/message_loop.cc:449
    #35 0x3eece14 in MessageLoop::Run() /usr/local/google/home/aarya/782/src/base/message_loop.cc:347
    #36 0x3f49581 in base::Thread::ThreadMain() /usr/local/google/home/aarya/782/src/base/threading/thread.cc:164
    #37 0x3f47ddc in base::(anonymous namespace)::ThreadFunc(void*) /usr/local/google/home/aarya/782/src/base/threading/platform_thread_posix.cc:51
    #38 0x4cbfe53 in AsanThread::ThreadStart() /home/kcc/asan/asan/asan_thread.cc:77
    #39 0x7fc42793c9ca in start_thread ??:0
    #40 0x7fc425cd870d in __clone ??:0
0x00007fc3ff50cb3c is located 3716 bytes to the right of 400312-byte region [0x00007fc3ff4aa100,0x00007fc3ff50bcb8)
freed by thread T13 here:
    #0 0x4cbb906 in free _asan_rtl_
    #1 0x3d1f77e in SkARGB32_Shader_Blitter::~SkARGB32_Shader_Blitter() /usr/local/google/home/aarya/782/src/third_party/skia/src/core/SkBlitter_ARGB32.cpp:511
    #2 0x3c18852 in SkDraw::drawRect(SkRect const&, SkPaint const&) const /usr/local/google/home/aarya/782/src/third_party/skia/src/core/SkDraw.cpp:809
    #3 0x3c0d0ab in SkCanvas::drawRect(SkRect const&, SkPaint const&) /usr/local/google/home/aarya/782/src/third_party/skia/src/core/SkCanvas.cpp:1234
    #4 0x1f31542 in WebCore::GraphicsContext::clearRect(WebCore::FloatRect const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/skia/GraphicsContextSkia.cpp:344
    #5 0x4aeaa58 in WebCore::ContentLayerPainter::paint(WebCore::GraphicsContext&, WebCore::IntRect const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/ContentLayerChromium.cpp:70
    #6 0x1efe137 in WebCore::LayerTextureUpdaterCanvas::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerTextureUpdaterCanvas.cpp:61
    #7 0x1efe47b in WebCore::LayerTextureUpdaterBitmap::prepareToUpdate(WebCore::IntRect const&, WebCore::IntSize const&, int) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerTextureUpdaterCanvas.cpp:83
    #8 0x1f03230 in WebCore::LayerTilerChromium::prepareToUpdate(WebCore::IntRect const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerTilerChromium.cpp:262
    #9 0x4ae9371 in WebCore::ContentLayerChromium::paintContentsIfDirty(WebCore::IntRect const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/ContentLayerChromium.cpp:112
    #10 0x1ef3c9c in WebCore::LayerRendererChromium::paintLayerContents(WTF::Vector<WTF::RefPtr<WebCore::CCLayerImpl>, 0ul> const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerRendererChromium.cpp:386
    #11 0x1ef03ce in WebCore::LayerRendererChromium::updateLayers(WTF::Vector<WTF::RefPtr<WebCore::CCLayerImpl>, 0ul>&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerRendererChromium.cpp:332
    #12 0x1eef755 in WebCore::LayerRendererChromium::updateAndDrawLayers() /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerRendererChromium.cpp:241
    #13 0x1a02e2a in WebKit::WebViewImpl::composite(bool) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebKit/chromium/src/WebViewImpl.cpp:1153
    #14 0x17c046b in RenderWidget::DoDeferredUpdate() /usr/local/google/home/aarya/782/src/content/renderer/render_widget.cc:788
    #15 0x17bd175 in RenderWidget::DoDeferredUpdateAndSendInputAck() /usr/local/google/home/aarya/782/src/content/renderer/render_widget.cc:657
previously allocated by thread T13 here:
    #0 0x4cbb9f6 in malloc _asan_rtl_
    #1 0x3ccab91 in sk_malloc_flags(unsigned long, unsigned int) /usr/local/google/home/aarya/782/src/skia/ext/SkMemory_new_handler.cpp:58
    #2 0x3d1f58f in SkARGB32_Shader_Blitter::SkARGB32_Shader_Blitter(SkBitmap const&, SkPaint const&) /usr/local/google/home/aarya/782/src/third_party/skia/src/core/SkBlitter_ARGB32.cpp:493
    #3 0x3d10d37 in SkBlitter::Choose(SkBitmap const&, SkMatrix const&, SkPaint const&, void*, unsigned long) /usr/local/google/home/aarya/782/src/third_party/skia/src/core/SkBlitter.cpp:859
    #4 0x3c248f4 in SkAutoBlitterChoose::SkAutoBlitterChoose(SkBitmap const&, SkMatrix const&, SkPaint const&) /usr/local/google/home/aarya/782/src/third_party/skia/src/core/SkDraw.cpp:76
    #5 0x3c1879c in SkDraw::drawRect(SkRect const&, SkPaint const&) const /usr/local/google/home/aarya/782/src/third_party/skia/src/core/SkDraw.cpp:777
    #6 0x3c0d0ab in SkCanvas::drawRect(SkRect const&, SkPaint const&) /usr/local/google/home/aarya/782/src/third_party/skia/src/core/SkCanvas.cpp:1234
    #7 0x1f31542 in WebCore::GraphicsContext::clearRect(WebCore::FloatRect const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/skia/GraphicsContextSkia.cpp:344
    #8 0x4aeaa58 in WebCore::ContentLayerPainter::paint(WebCore::GraphicsContext&, WebCore::IntRect const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/ContentLayerChromium.cpp:70
    #9 0x1efe137 in WebCore::LayerTextureUpdaterCanvas::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerTextureUpdaterCanvas.cpp:61
    #10 0x1efe47b in WebCore::LayerTextureUpdaterBitmap::prepareToUpdate(WebCore::IntRect const&, WebCore::IntSize const&, int) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerTextureUpdaterCanvas.cpp:83
    #11 0x1f03230 in WebCore::LayerTilerChromium::prepareToUpdate(WebCore::IntRect const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerTilerChromium.cpp:262
    #12 0x4ae9371 in WebCore::ContentLayerChromium::paintContentsIfDirty(WebCore::IntRect const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/ContentLayerChromium.cpp:112
    #13 0x1ef3c9c in WebCore::LayerRendererChromium::paintLayerContents(WTF::Vector<WTF::RefPtr<WebCore::CCLayerImpl>, 0ul> const&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerRendererChromium.cpp:386
    #14 0x1ef03ce in WebCore::LayerRendererChromium::updateLayers(WTF::Vector<WTF::RefPtr<WebCore::CCLayerImpl>, 0ul>&) /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerRendererChromium.cpp:332
    #15 0x1eef755 in WebCore::LayerRendererChromium::updateAndDrawLayers() /usr/local/google/home/aarya/782/src/third_party/WebKit/Source/WebCore/platform/graphics/chromium/LayerRendererChromium.cpp:241
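The assertion in the comment above, "(x << 10 >> 10) == x", is Skia's check that a 26.6 coordinate (SkFDot6, 64 units per pixel) still fits once it is widened to 16.16 (SkFixed) by a left shift of 10. Only values that fit in 22 signed bits survive that shift; anything larger wraps, so the arithmetic alone can turn a coordinate past the bitmap into one on the opposite side of it. The following is an added example, not code from this bug or from Skia, that re-creates the conversion with hypothetical names (FDot6, Fixed, fdot6_fits_fixed, fdot6_to_fixed_wrapping, fdot6_to_fixed_checked, pixels_to_fdot6, fixed_to_pixels) to show where the boundary sits, which is at plus or minus 32768 whole pixels, and what the unchecked shift does to a value past it:

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Skia's code. Two fixed-point formats as named in the
 * failed assertion: SkFDot6 is 26.6 (6 fractional bits, 64 per pixel) and
 * SkFixed is 16.16. FDot6 -> Fixed is a left shift by 10, so "(x << 10 >> 10)
 * == x" is asking whether x fits in 22 signed bits. Names are hypothetical. */
typedef int32_t FDot6;   /* 26.6 */
typedef int32_t Fixed;   /* 16.16 */

#define FDOT6_TO_FIXED_SHIFT 10
#define FDOT6_MAX ((1 << 21) - 1)   /*  2097151 FDot6 = 32767 px + 63/64 */
#define FDOT6_MIN (-(1 << 21))      /* -2097152 FDot6 = -32768 px         */

/* Same predicate as the shift idiom in the assertion, written as a range
 * test so it does not rely on left-shifting a negative int (undefined in C)
 * or on the right shift being arithmetic. */
bool fdot6_fits_fixed(FDot6 x) {
    return x >= FDOT6_MIN && x <= FDOT6_MAX;
}

/* The unchecked conversion. The shift is done in uint32_t so the wraparound
 * an out-of-range value produces is well-defined; the bit pattern is then
 * copied back into the signed type. */
Fixed fdot6_to_fixed_wrapping(FDot6 x) {
    uint32_t u = (uint32_t)x << FDOT6_TO_FIXED_SHIFT;
    Fixed r;
    memcpy(&r, &u, sizeof r);
    return r;
}

/* Checked conversion: refuses out-of-range input instead of wrapping.
 * For in-range x the multiply stays within int32, so no UB here. */
bool fdot6_to_fixed_checked(FDot6 x, Fixed *out) {
    if (!fdot6_fits_fixed(x)) return false;
    *out = x * (1 << FDOT6_TO_FIXED_SHIFT);
    return true;
}

/* Whole-pixel coordinate -> FDot6. Caller keeps |px| below 2^25 so the
 * multiply itself cannot overflow; the sample values below are far smaller. */
FDot6 pixels_to_fdot6(int32_t px) { return px * 64; }

/* 16.16 -> whole pixels; division (not >>) so negative values are exact
 * for the multiples of 65536 produced above. */
int32_t fixed_to_pixels(Fixed f) { return f / 65536; }

int main(void) {
    /* Constructed sample coordinates in pixels. The last two lie past the
     * largest/smallest FDot6 value that survives the shift. */
    const int32_t px[] = { 100, -100, 32767, -32768, 32768, -32769 };
    for (size_t i = 0; i < sizeof px / sizeof px[0]; i++) {
        FDot6 d = pixels_to_fdot6(px[i]);
        Fixed checked = 0;
        bool ok = fdot6_to_fixed_checked(d, &checked);
        Fixed wrapped = fdot6_to_fixed_wrapping(d);
        printf("%7d px -> FDot6 %9d : %-12s unchecked shift yields %6d px\n",
               px[i], d, ok ? "fits" : "OUT OF RANGE", fixed_to_pixels(wrapped));
    }
    return 0;
}
```

Running it shows 32768 px becoming -32768 px and -32769 px becoming 32767 px after the unchecked shift, which is why a release build (no SkASSERT) silently carries on with a coordinate on the wrong side of the surface while a debug build stops at SkFDot6.h:43.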


Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: WillMerge
http://code.google.com/p/skia/source/diff?spec=svn1866&r=1835&format=side&path=/trunk/src/core/SkScan_Path.cpp

This fixed it. I made sure in both Debug and Release branches.

Mike, can you please merge this to 782 branch.
Status: FixUnreleased
Thanks Mike!
Labels: CVE-2011-2796
Labels: SecImpacts-Stable
Batch update.
Comment 13 by cdn@chromium.org, May 15 2012
Status: Fixed
Marking old security bugs Fixed.
Project Member Comment 14 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 15 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -SecSeverity-High -Stability-AddressSanitizer -Mstone-13 -SecImpacts-Stable Cr-Content Security-Severity-High Security-Impact-Stable M-13 Type-Bug-Security Performance-Memory-AddressSanitizer
Project Member Comment 16 by bugdroid1@chromium.org, Mar 13 2013
Labels: Restrict-View-EditIssue
Project Member Comment 17 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 19 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 20 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 21 by bugdroid1@chromium.org, Apr 1 2013
Labels: -Performance-Memory-AddressSanitizer Stability-Memory-AddressSanitizer
Project Member Comment 22 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 23 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic