New issue
Advanced search Search tips

Issue 904211 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
Closed: Nov 16
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug



Sign in to add a comment

CHECK failure: written_bytes2 > 0u in paint_op_buffer_eq_fuzzer.cc

Project Member Reported by ClusterFuzz, Nov 11

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6019242669113344

Fuzzer: libFuzzer_paint_op_buffer_eq_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows

Crash Type: CHECK failure
Crash Address: 
Crash State:
  written_bytes2 > 0u in paint_op_buffer_eq_fuzzer.cc
  __scrt_common_main_seh
  paint_op_buffer_eq_fuzzer.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=606550:606553

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6019242669113344

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing_on_windows.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Nov 11

Labels: Fuzz-Blocker ReleaseBlock-Beta M-72
This crash occurs very frequently on windows platform and is likely preventing the fuzzer paint_op_buffer_eq_fuzzer from making much progress. Fixing this will allow more bugs to be found.

Marking this bug as a blocker for next Beta release.

If this is incorrect, please add ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.
Cc: kkaluri@chromium.org
Labels: Test-Predator-Wrong
Owner: enne@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.

Using Code Search for the file, "paint_op_buffer_eq_fuzzer.cc" suspecting the below Cl might have caused this issue

Suspect CL: https://chromium.googlesource.com/chromium/src/+/13de7e3dc62741227c5c27a709251d1a13029491

enne@ -- Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner.

Thanks!

enne@: Could you please take a look at this as this is marked as M-72 Beta blocker.
Labels: -Pri-1 -ReleaseBlock-Beta Pri-2
This is not a blocker.  I just added that check.  It should get fixed so the fuzzer can do a better job, but this is not a p1 release blocker.
Project Member

Comment 5 by bugdroid1@chromium.org, Nov 16

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a2cb97e38cccf5e4c4c3678a48baa1b35976df2b

commit a2cb97e38cccf5e4c4c3678a48baa1b35976df2b
Author: Adrienne Walker <enne@chromium.org>
Date: Fri Nov 16 18:21:57 2018

cc: Remove paint_op_buffer_eq_fuzzer

Fix fuzzer crash by deleting fuzzer.  ;)

This fuzzer attempts to do a convoluted series of deserializing and
reserializing to try to make sure that serializing an op ends up in the
same op that is deserialized.  However, over time, a number of changes
to serialization have been added that modify what is being serialized,
e.g. scaling paint records, adding clips and scales to serialized
PaintRecords, scaling paint records, etc.

I think this fuzzer was useful in early oopr releasing to build
confidence about the number of serialization bugs, but it never caught
any issues that the paint_op_buffer_fuzzer wouldn't have caught.
However, it's no longer that useful.

Bug:  904211 
Change-Id: Ie62e296c9a5246ab74478755d738820e02bf7cc1
Reviewed-on: https://chromium-review.googlesource.com/c/1337817
Commit-Queue: Khushal <khushalsagar@chromium.org>
Reviewed-by: Khushal <khushalsagar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#608858}
[modify] https://crrev.com/a2cb97e38cccf5e4c4c3678a48baa1b35976df2b/cc/paint/BUILD.gn
[modify] https://crrev.com/a2cb97e38cccf5e4c4c3678a48baa1b35976df2b/cc/paint/paint_op_buffer.h
[delete] https://crrev.com/e7c85230ef5c8c4a9e11a1c0e8ba19f6af955239/cc/paint/paint_op_buffer_eq_fuzzer.cc
[modify] https://crrev.com/a2cb97e38cccf5e4c4c3678a48baa1b35976df2b/cc/paint/paint_op_writer.cc

Status: WontFix (was: Assigned)
Project Member

Comment 7 by ClusterFuzz, Nov 17

ClusterFuzz has detected this issue as fixed in range 608850:608866.

Detailed report: https://clusterfuzz.com/testcase?key=6019242669113344

Fuzzer: libFuzzer_paint_op_buffer_eq_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows

Crash Type: CHECK failure
Crash Address: 
Crash State:
  written_bytes2 > 0u in paint_op_buffer_eq_fuzzer.cc
  __scrt_common_main_seh
  paint_op_buffer_eq_fuzzer.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=606550:606553
Fixed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=608850:608866

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6019242669113344

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing_on_windows.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
The documentation for reproducing bugs on Windows was moved to: https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md

Sign in to add a comment