
Issue 910851

Starred by 1 user

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




ASSERT: count>=0

Project Member Reported by ClusterFuzz, Dec 1

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6206165807267840

Fuzzer: libFuzzer_libxml_xml_read_memory_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  count>=0
  ucnv_UTF8FromUTF8
  ucnv_convertEx_63
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=556938:556952

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6206165807267840

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Dec 1

Components: Blink>XML
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Dec 1

Cc: mmoroz@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.
Project Member

Comment 3 by ClusterFuzz, Dec 1

Labels: Test-Predator-Auto-Owner
Owner: js...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/deps/icu/+/f61e46dbee9d539a32551493e3bcc1dea92f83ec (Update ICU to 61.1 + local patches).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: mscherer@google.com
Stack:

libxml_xml_read_memory_fuzzer: ../../third_party/icu/source/common/ucnv_u8.cpp:816: void ucnv_UTF8FromUTF8(UConverterFromUnicodeArgs *, UConverterToUnicodeArgs *, UErrorCode *): Assertion `count>=0' failed.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1764370==ERROR: AddressSanitizer: ABRT on unknown address 0x0539001aec12 (pc 0x7f85476c0428 bp 0x7f8548db38a0 sp 0x7fff1606b8f8 T0)
SCARINESS: 10 (signal)
    #0 0x7f85476c0427 in gsignal /build/glibc-Cl5G7W/glibc-2.23/signal/../sysdeps/unix/sysv/linux/raise.c:54
    #1 0x7f85476c2029 in abort /build/glibc-Cl5G7W/glibc-2.23/stdlib/abort.c:89
    #2 0x7f85476b8bd6 in __assert_fail_base /build/glibc-Cl5G7W/glibc-2.23/assert/assert.c:92
    #3 0x7f85476b8c81 in __assert_fail /build/glibc-Cl5G7W/glibc-2.23/assert/assert.c:101
    #4 0x7f85490cfcf9 in ucnv_UTF8FromUTF8(UConverterFromUnicodeArgs*, UConverterToUnicodeArgs*, UErrorCode*) third_party/icu/source/common/ucnv_u8.cpp:816:5
    #5 0x7f8549055bda in ucnv_convertEx_63 third_party/icu/source/common/ucnv.cpp:2278:13
    #6 0x55bf78fd6c4f in xmlUconvWrapper third_party/libxml/src/encoding.c:1882:9
    #7 0x55bf78fceffb in xmlEncInputChunk third_party/libxml/src/encoding.c:1931:15
    #8 0x55bf78fd05b5 in xmlCharEncInput third_party/libxml/src/encoding.c:2238:11
    #9 0x55bf7918f85d in xmlParserInputBufferGrow third_party/libxml/src/xmlIO.c:3276:12
    #10 0x55bf790d1cb5 in xmlParserInputGrow third_party/libxml/src/parserInternals.c:324:8
    #11 0x55bf7900183c in xmlGROW third_party/libxml/src/parser.c:2096:5
    #12 0x55bf7908fa87 in xmlParseXMLDecl third_party/libxml/src/parser.c:10537:5

