-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy path10488.json
207 lines (207 loc) · 17.2 KB
/
10488.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
{
"fix": "https://skia.googlesource.com/skia.git/+/8d6b2b6f6161c8a1d44d191dd68e75f0347d7cc1%5E%21/",
"verify": "0",
"localId": 10488,
"project": "skia",
"fuzzer": "libfuzzer",
"sanitizer": "msan",
"crash_type": "UNKNOWN WRITE",
"severity": "High",
"report": {
"comments": [
{
"projectName": "oss-fuzz",
"localId": 10488,
"commenter": {
"userId": "382749006",
"displayName": "ClusterFuzz-External"
},
"timestamp": 1537332006,
"content": "Detailed report: https://oss-fuzz.com/testcase?key=5768819205734400\n\nProject: skia\nFuzzer: libFuzzer_skia_api_raster_n32_canvas\nFuzz target binary: api_raster_n32_canvas\nJob Type: libfuzzer_msan_skia\nPlatform Id: linux\n\nCrash Type: UNKNOWN WRITE\nCrash Address: 0x7fff9a307b28\nCrash State:\n void add_coverage_delta_segment<false, SkCoverageDeltaList>\n SkScan::DAAFillPath\n SkScan::AntiFillPath\n \nSanitizer: memory (MSAN)\n\nRecommended Security Severity: High\n\nRegressed: https://oss-fuzz.com/revisions?job=libfuzzer_msan_skia&range=201809130306:201809140315\n\nReproducer Testcase: https://oss-fuzz.com/download?testcase_id=5768819205734400\n\nIssue filed automatically.\n\nSee https://skia.org/dev/testing/fuzz for more information.\n\nThis bug is subject to a 90 day disclosure deadline. If 90 days elapse\nwithout an upstream patch, then the bug report will automatically\nbecome visible to the public.\n\nWhen you fix this bug, please\n * mention the fix revision(s).\n * state whether the bug was a short-lived regression or an old bug in any stable releases.\n * add any other useful information.\nThis information can help downstream consumers.\n\nIf you need to contact the OSS-Fuzz team with a question, concern, or any other feedback, please file an issue at https://github.com/google/oss-fuzz/issues.",
"descriptionNum": 1
},
{
"projectName": "oss-fuzz",
"localId": 10488,
"sequenceNum": 1,
"commenter": {
"userId": "382749006",
"displayName": "ClusterFuzz-External"
},
"timestamp": 1537332569,
"amendments": [
{
"fieldName": "Labels",
"newOrDeltaValue": "OS-Linux"
}
]
},
{
"projectName": "oss-fuzz",
"localId": 10488,
"sequenceNum": 2,
"commenter": {
"userId": "2195585128",
"displayName": "[email protected]"
},
"timestamp": 1537792074,
"content": "Looks like a possible bug in the DAA algorithm?\r\n\r\nASAN says:\r\nout/ASAN/fuzz -b ~/Downloads/clusterfuzz-testcase-minimized-api_raster_n32_canvas-5768819205734400 \r\nFuzzing RasterN32Canvas...\r\nASAN:DEADLYSIGNAL\r\n=================================================================\r\n==183208==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffe30edb280 (pc 0x0000029ffd59 bp 0x7ffe30e9a730 sp 0x7ffe30e9a5c0 T0)\r\n==183208==The signal is caused by a WRITE memory access.\r\n #0 0x29ffd58 in SkCoverageDeltaList::push_back(int, SkCoverageDelta const&) /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../src/core/SkCoverageDelta.h:104:32\r\n #1 0x29ffd58 in SkCoverageDeltaList::addDelta(int, int, int) /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../src/core/SkCoverageDelta.h:61\r\n #2 0x29ffd58 in void add_coverage_delta_segment<false, SkCoverageDeltaList>(int, int, SkAnalyticEdge const*, int, SkCoverageDeltaList*) /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../src/core/SkScan_DAAPath.cpp:99\r\n #3 0x29f15da in void gen_alpha_deltas<SkCoverageDeltaList>(SkPath const&, SkIRect const&, SkIRect const&, SkCoverageDeltaList&, SkBlitter*, bool, bool) /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../src/core/SkScan_DAAPath.cpp:306:17\r\n #4 0x29f15da in SkScan::DAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool, SkDAARecord*) /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../src/core/SkScan_DAAPath.cpp:372\r\n #5 0x155ace0 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../src/core/SkScan_AntiPath.cpp:827:9\r\n #6 0x28af542 in SkAAClip::setPath(SkPath const&, SkRegion const*, bool) /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../src/core/SkAAClip.cpp:1343:9\r\n #7 0x149a106 in SkRasterClip::setPath(SkPath const&, SkRegion const&, bool) /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../src/core/SkRasterClip.cpp:239:19\r\n #8 0x149a84f in SkRasterClip::op(SkPath const&, SkMatrix const&, SkIRect const&, SkRegion::Op, bool) /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../src/core/SkRasterClip.cpp:280:26\r\n #9 0x28d37cc in SkRasterClipStack::clipPath(SkMatrix const&, SkPath const&, SkClipOp, bool) /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../src/core/SkRasterClipStack.h:115:29\r\n #10 0x127c9e2 in SkCanvas::onClipPath(SkPath const&, SkClipOp, SkCanvas::ClipEdgeStyle) /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../src/core/SkCanvas.cpp:1415:5\r\n #11 0x127c43c in SkCanvas::clipPath(SkPath const&, SkClipOp, bool) /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../src/core/SkCanvas.cpp:1407:11\r\n #12 0xf18140 in fuzz_canvas(Fuzz*, SkCanvas*, int) /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../fuzz/FuzzCanvas.cpp:1191:25\r\n #13 0xf1e5a1 in fuzz_RasterN32Canvas(Fuzz*) /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../fuzz/FuzzCanvas.cpp:1658:5\r\n #14 0xf57531 in fuzz_api(sk_sp<SkData>, SkString) /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../fuzz/FuzzMain.cpp:314:13\r\n #15 0xf5522e in fuzz_file(SkString, SkString) /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../fuzz/FuzzMain.cpp:144:9\r\n #16 0xf54d9f in main /usr/local/google/home/kjlubick/skia/skia/out/ASAN/../../fuzz/FuzzMain.cpp:106:16\r\n #17 0x7f111bc302b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n #18 0xe28399 in _start (/usr/local/google/home/kjlubick/skia/skia/out/ASAN/fuzz+0xe28399)\r\n",
"amendments": [
{
"fieldName": "Owner",
"newOrDeltaValue": "a_deleted_user"
},
{
"fieldName": "Cc",
"newOrDeltaValue": "[email protected]"
}
],
"attachments": [
{
"attachmentId": "359615",
"filename": "clusterfuzz-testcase-minimized-api_raster_n32_canvas-5768819205734400",
"size": "864",
"contentType": "text/plain",
"viewUrl": "/p/oss-fuzz/issues/attachmentText?aid=359615",
"downloadUrl": "attachment?aid=359615&signed_aid=i_dDJZ1HNlLt1aWpy0fqUA=="
}
]
},
{
"projectName": "oss-fuzz",
"localId": 10488,
"sequenceNum": 3,
"commenter": {
"userId": "1",
"displayName": "a_deleted_user"
},
"timestamp": 1537809091,
"content": "In Debug mode I tracked this down to FuzzPath, specifically case 31 where we\r\n\r\n fuzz_nice_floaT(fuzz, &a,&b);\r\n path->setLastPt(a,b);\r\n\r\nIf we add SkASSERT(path->pathRefIsValid()); after setLastPt(), it triggers with this input. The floats don't look particularly bad:\r\n\r\n(lldb) p a\r\n(SkScalar) $0 = 0.0000000000000000000000000000381128085\r\n(lldb) p b\r\n(SkScalar) $3 = 0.0000000000000000000000000000284113667\r\n\r\n(lldb) p/x a\r\n(SkScalar) $1 = 0x10414141\r\n(lldb) p/x b\r\n(SkScalar) $2 = 0x10101010\r\n\r\n(lldb) p/t a\r\n(SkScalar) $5 = 0b00010000010000010100000101000001\r\n(lldb) p/t b\r\n(SkScalar) $6 = 0b00010000000100000001000000010000"
},
{
"projectName": "oss-fuzz",
"localId": 10488,
"sequenceNum": 4,
"commenter": {
"userId": "1",
"displayName": "a_deleted_user"
},
"timestamp": 1537836635,
"content": "Looks like setLastPt() doesn't invalidate path bounds at all. I have a bunch of CLs in flight to help diagnose this sort of problem in the future, fix this, and prevent this specific problem from regressing.\r\n\r\nThe fix is https://skia-review.googlesource.com/c/skia/+/156700.\r\n\r\nThis is a real bug, in the sense that an ordinary sequence of SkPath calls can trip us up pretty seriously. I think this unit test reproduces the problem minimally: https://skia-review.googlesource.com/c/skia/+/156661"
},
{
"projectName": "oss-fuzz",
"localId": 10488,
"sequenceNum": 5,
"commenter": {
"userId": "3275348242",
"displayName": "[email protected]"
},
"timestamp": 1537851701,
"content": "The following revision refers to this bug:\n https://skia.googlesource.com/skia/+/4ef464cd3c2e4cecddf2441cc44b0c0eb8b90e8e\n\ncommit 4ef464cd3c2e4cecddf2441cc44b0c0eb8b90e8e\nAuthor: Mike Klein <[email protected]>\nDate: Tue Sep 25 05:00:30 2018\n\nFuzzPath() should probably make a valid path\n\nThis will point out if something's gone screwy earlier in Debug builds.\n\nBug: oss-fuzz:10488\n\nChange-Id: Ib091ada75344140bbe2932e5c2f1e2257f05019b\nReviewed-on: https://skia-review.googlesource.com/156660\nAuto-Submit: Mike Klein <[email protected]>\nReviewed-by: Kevin Lubick <[email protected]>\nCommit-Queue: Mike Klein <[email protected]>\n\n[modify] https://crrev.com/4ef464cd3c2e4cecddf2441cc44b0c0eb8b90e8e/fuzz/FuzzCommon.cpp\n"
},
{
"projectName": "oss-fuzz",
"localId": 10488,
"sequenceNum": 6,
"commenter": {
"userId": "3275348242",
"displayName": "[email protected]"
},
"timestamp": 1538058197,
"content": "The following revision refers to this bug:\n https://skia.googlesource.com/skia/+/c021e37864ecb0f0d87128c8ce92485de43b107b\n\ncommit c021e37864ecb0f0d87128c8ce92485de43b107b\nAuthor: Mike Klein <[email protected]>\nDate: Thu Sep 27 14:22:30 2018\n\nupdate SkPathRef bounds validation\n\n 1) print out that there is a problem and\n what that problem is\n 2) switch to %g so we can see very small points\n 3) return false when the bounds aren't valid\n\nBug: oss-fuzz:10488\nChange-Id: I2a8a5611ba6459f1bd45e29a1f20510401e86f76\nReviewed-on: https://skia-review.googlesource.com/156662\nReviewed-by: Brian Salomon <[email protected]>\nCommit-Queue: Brian Salomon <[email protected]>\nAuto-Submit: Mike Klein <[email protected]>\n\n[modify] https://crrev.com/c021e37864ecb0f0d87128c8ce92485de43b107b/src/core/SkPathRef.cpp\n"
},
{
"projectName": "oss-fuzz",
"localId": 10488,
"sequenceNum": 7,
"commenter": {
"userId": "3275348242",
"displayName": "[email protected]"
},
"timestamp": 1538058344,
"content": "The following revision refers to this bug:\n https://skia.googlesource.com/skia/+/8d6b2b6f6161c8a1d44d191dd68e75f0347d7cc1\n\ncommit 8d6b2b6f6161c8a1d44d191dd68e75f0347d7cc1\nAuthor: Mike Klein <[email protected]>\nDate: Thu Sep 27 14:24:50 2018\n\ninvalidate pathref bounds when we attach an editor\n\nIt's possible to change path bounds by changing path points using\nSkPath::setLastPt(), but we don't invalidate the bounds when we do.\n\nSeems like the best thing to do is to invalidate the bounds when\nwe attach an editor, the same way we invalidate the gen ID.\n\nBug: oss-fuzz:10488, oss-fuzz:10698\nChange-Id: Idd04d37f9e39979aac135d675aa4e5949c55a453\nReviewed-on: https://skia-review.googlesource.com/156700\nReviewed-by: Brian Salomon <[email protected]>\nCommit-Queue: Brian Salomon <[email protected]>\nAuto-Submit: Mike Klein <[email protected]>\n\n[modify] https://crrev.com/8d6b2b6f6161c8a1d44d191dd68e75f0347d7cc1/src/core/SkPathRef.cpp\n"
},
{
"projectName": "oss-fuzz",
"localId": 10488,
"sequenceNum": 8,
"commenter": {
"userId": "1",
"displayName": "a_deleted_user"
},
"timestamp": 1538058435,
"amendments": [
{
"fieldName": "Status",
"newOrDeltaValue": "Fixed",
"oldValue": "New"
}
]
},
{
"projectName": "oss-fuzz",
"localId": 10488,
"sequenceNum": 9,
"commenter": {
"userId": "3275348242",
"displayName": "[email protected]"
},
"timestamp": 1538059782,
"content": "The following revision refers to this bug:\n https://skia.googlesource.com/skia/+/9de721655c1fddcb08d766dc1ad7af27bc5855cc\n\ncommit 9de721655c1fddcb08d766dc1ad7af27bc5855cc\nAuthor: Mike Klein <[email protected]>\nDate: Thu Sep 27 14:48:34 2018\n\nadd test that setLastPt() invalidates path bounds\n\nSpoiler alert... it doesn't.\n\nBug: oss-fuzz:10488\nChange-Id: Ifafd92f40aed55ff14a5198ea7d79a20751e40aa\nReviewed-on: https://skia-review.googlesource.com/156661\nReviewed-by: Brian Salomon <[email protected]>\nCommit-Queue: Mike Klein <[email protected]>\n\n[modify] https://crrev.com/9de721655c1fddcb08d766dc1ad7af27bc5855cc/tests/PathTest.cpp\n"
},
{
"projectName": "oss-fuzz",
"localId": 10488,
"sequenceNum": 10,
"commenter": {
"userId": "382749006",
"displayName": "ClusterFuzz-External"
},
"timestamp": 1538118660,
"content": "ClusterFuzz has detected this issue as fixed in range 201809270318:201809280313.\n\nDetailed report: https://oss-fuzz.com/testcase?key=5768819205734400\n\nProject: skia\nFuzzer: libFuzzer_skia_api_raster_n32_canvas\nFuzz target binary: api_raster_n32_canvas\nJob Type: libfuzzer_msan_skia\nPlatform Id: linux\n\nCrash Type: UNKNOWN WRITE\nCrash Address: 0x7fff9a307b28\nCrash State:\n void add_coverage_delta_segment<false, SkCoverageDeltaList>\n SkScan::DAAFillPath\n SkScan::AntiFillPath\n \nSanitizer: memory (MSAN)\n\nRecommended Security Severity: High\n\nRegressed: https://oss-fuzz.com/revisions?job=libfuzzer_msan_skia&range=201809130306:201809140315\nFixed: https://oss-fuzz.com/revisions?job=libfuzzer_msan_skia&range=201809270318:201809280313\n\nReproducer Testcase: https://oss-fuzz.com/download?testcase_id=5768819205734400\n\nSee https://skia.org/dev/testing/fuzz for more information.\n\nIf you suspect that the result above is incorrect, try re-doing that job on the test case report page."
},
{
"projectName": "oss-fuzz",
"localId": 10488,
"sequenceNum": 11,
"commenter": {
"userId": "382749006",
"displayName": "ClusterFuzz-External"
},
"timestamp": 1538119001,
"content": "ClusterFuzz testcase 5768819205734400 is verified as fixed, so closing issue as verified.\n\nIf this is incorrect, please file a bug on https://github.com/google/oss-fuzz/issues/new",
"amendments": [
{
"fieldName": "Status",
"newOrDeltaValue": "Verified",
"oldValue": "Fixed"
},
{
"fieldName": "Labels",
"newOrDeltaValue": "ClusterFuzz-Verified"
}
]
},
{
"projectName": "oss-fuzz",
"localId": 10488,
"sequenceNum": 12,
"commenter": {
"userId": "4164592774",
"displayName": "[email protected]"
},
"timestamp": 1540653947,
"content": "This bug has been fixed for 30 days. It has been opened to the public.\n\n- Your friendly Sheriffbot",
"amendments": [
{
"fieldName": "Labels",
"newOrDeltaValue": "-restrict-view-commit"
}
]
}
]
},
"fix_commit": "8d6b2b6f6161c8a1d44d191dd68e75f0347d7cc1",
"repo_addr": "https://skia.googlesource.com/skia.git"
}