Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/4b51d24604846cd3d049946e70e9ccb535a4b0c2 (gpu: disable oop raster on Adreno Lollipop and earlier).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Given this has just come in, let's track for M71 and consider a merge if we land a fix quickly

This looks to be a disconnect between allocating code using size_t and the mapped memory allocator using unsigned int.  The test case has glyphs that end up with 4x 1GB images, for a total of 4296087192 bytes required, which ends up with a mapped memory allocation of 1119896 due to overflow.

I think my conclusion is that we should probably just not allow > 4GB mapped memory allocations rather than switching the allocator over to size_t.  Although maybe we should do both.

Command buffer code is pretty much 32 bits everywhere, so agreed on keeping under 4GB as a first pass.
Mapping and trying to fill up 4GB of memory is probably a bad idea anyway.

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/9dd1e8236afc5e9542d905191391d419f41ac290

commit 9dd1e8236afc5e9542d905191391d419f41ac290
Author: Khushal <khushalsagar@chromium.org>
Date: Tue Oct 09 20:36:59 2018

fonts: Fix nullptr de-reference during fallback path search.

R=herb@google.com

Bug:  892643 
Change-Id: Ia059e784794ff07f654a538186e619fb4f303ec9
Reviewed-on: https://skia-review.googlesource.com/c/160834
Commit-Queue: Khusal Sagar <khushalsagar@chromium.org>
Commit-Queue: Herb Derby <herb@google.com>
Auto-Submit: Khusal Sagar <khushalsagar@chromium.org>
Reviewed-by: Herb Derby <herb@google.com>

[modify] https://crrev.com/9dd1e8236afc5e9542d905191391d419f41ac290/src/core/SkTypeface_remote.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/339ce50d80342304e0d6a19b41ff047203ff6454

commit 339ce50d80342304e0d6a19b41ff047203ff6454
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Tue Oct 09 23:34:05 2018

Roll src/third_party/skia a0dc3d26260b..9dd1e8236afc (2 commits)

https://skia.googlesource.com/skia.git/+log/a0dc3d26260b..9dd1e8236afc


git log a0dc3d26260b..9dd1e8236afc --date=short --no-merges --format='%ad %ae %s'
2018-10-09 khushalsagar@chromium.org fonts: Fix nullptr de-reference during fallback path search.
2018-10-09 fmalita@chromium.org [skottie] Support external annotations


Created with:
  gclient setdep -r src/third_party/skia@9dd1e8236afc

The AutoRoll server is located here: https://autoroll.skia.org/r/skia-autoroll

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.

CQ_INCLUDE_TRYBOTS=luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux-chromeos-compile-dbg;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel;master.tryserver.blink:linux_trusty_blink_rel

BUG= chromium:892643 
TBR=stani@chromium.org

Change-Id: I369cbe87face93cf0117737717dc96ec5cc12a78
Reviewed-on: https://chromium-review.googlesource.com/c/1271979
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#598133}
[modify] https://crrev.com/339ce50d80342304e0d6a19b41ff047203ff6454/DEPS

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/efb92c7ee64a050754ddfd46e5ae09d1b4ca5275

commit efb92c7ee64a050754ddfd46e5ae09d1b4ca5275
Author: Adrienne Walker <enne@chromium.org>
Date: Wed Oct 10 21:59:12 2018

Don't allow 4GB font mapped memory allocations

The mapped memory allocator only supports unsigned int, so don't allow
arbitrary size_t allocations through.  This seems like a pretty
reasonable limit anyway.

Bug:  892643 
Cq-Include-Trybots: luci.chromium.try:android_optional_gpu_tests_rel;luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel
Change-Id: Iba1d38e339d31de92738046a9301f21e736f49ea
Reviewed-on: https://chromium-review.googlesource.com/c/1271577
Reviewed-by: Antoine Labour <piman@chromium.org>
Commit-Queue: enne <enne@chromium.org>
Cr-Commit-Position: refs/heads/master@{#598530}
[modify] https://crrev.com/efb92c7ee64a050754ddfd46e5ae09d1b4ca5275/gpu/command_buffer/client/raster_implementation.cc

ClusterFuzz has detected this issue as fixed in range 598529:598558.

Detailed report: https://clusterfuzz.com/testcase?key=5760761123831808

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Stack-use-after-return WRITE {*}
Crash Address: 0x00017e413800
Crash State:
  gpu::raster::ClientFontManager::Serialize
  gpu::raster::RasterImplementation::RasterCHROMIUM
  cc::GpuRasterBufferProvider::PlaybackOnWorkerThread
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=586493:586526
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=598529:598558

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5760761123831808

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5760761123831808 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug requires manual review: DEPS changes referenced in bugdroid comments.
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), kbleicher@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

(Already in 71)

Issue 878350 has been merged into this issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot