2020-10-21 15:19:38,485 - root - INFO - Using address sanitizer.
2020-10-21 15:19:40,166 - root - INFO - Fuzzer skruntimeeffect, started.
2020-10-21 15:19:41,055 - root - INFO - Running command: docker run --rm --privileged --volumes-from 5836b095cfc8 -e OUT=/mnt/pd0/s/w/ir/cifuzz_work/cifuzz/out -e FUZZING_ENGINE=libfuzzer -e SANITIZER=address -e RUN_FUZZER_MODE=interactive gcr.io/oss-fuzz-base/base-runner bash -c run_fuzzer skruntimeeffect -seed=1337 -len_control=0 -max_total_time=17 /mnt/pd0/s/w/ir/cifuzz_work/cifuzz/out/backup_corpus/skruntimeeffect
2020-10-21 15:19:42,836 - root - INFO - Fuzzer skruntimeeffect, ended before timeout.
2020-10-21 15:19:42,840 - root - INFO - Running reproduce command: docker run --rm --privileged --volumes-from 5836b095cfc8 -e OUT=/mnt/pd0/s/w/ir/cifuzz_work/cifuzz/out -e TESTCASE=/mnt/pd0/s/w/ir/cifuzz_work/cifuzz/out/crash-828019c636200590fdb38f848693556f2aa9c104 -t gcr.io/oss-fuzz-base/base-runner reproduce skruntimeeffect -runs=100.
2020-10-21 15:19:44,361 - root - INFO - Reproduce command returned: 1. Reproducible on /mnt/pd0/s/w/ir/cifuzz_work/cifuzz/out/skruntimeeffect.
2020-10-21 15:20:20,753 - root - INFO - Running reproduce command: docker run --rm --privileged --volumes-from 5836b095cfc8 -e OUT=/mnt/pd0/s/w/ir/cifuzz_work/cifuzz/out/oss_fuzz_latest/skia -e TESTCASE=/mnt/pd0/s/w/ir/cifuzz_work/cifuzz/out/crash-828019c636200590fdb38f848693556f2aa9c104 -t gcr.io/oss-fuzz-base/base-runner reproduce skruntimeeffect -runs=100.
2020-10-21 15:20:48,349 - root - INFO - Reproduce command returned 0. Not reproducible on /mnt/pd0/s/w/ir/cifuzz_work/cifuzz/out/oss_fuzz_latest/skia/skruntimeeffect.
2020-10-21 15:20:48,350 - root - INFO - The crash is reproducible. The crash doesn't reproduce on old builds. This pull request probably introduced the crash.
2020-10-21 15:20:48,350 - root - INFO - Fuzzer skruntimeeffect, detected error:

INFO: Seed: 1337
INFO: Loaded 1 modules (204728 inline 8-bit counters): 204728 [0x23ff7b8, 0x2431770),
INFO: Loaded 1 PC tables (204728 PCs): 204728 [0x2431770,0x27512f0),
INFO: 5659 files found in /mnt/pd0/s/w/ir/cifuzz_work/cifuzz/out/backup_corpus/skruntimeeffect
INFO: 32 files found in /tmp/skruntimeeffect_corpus
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 1048576 bytes
INFO: seed corpus: files: 5691 min: 1b max: 5239831b total: 12431426b rss: 118Mb
=================================================================
==12==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f719707a810 at pc 0x0000008ef7ac bp 0x7ffcd786f350 sp 0x7ffcd786f348
READ of size 8 at 0x7f719707a810 thread T0
SCARINESS: 51 (8-byte-read-heap-use-after-free)
    #0 0x8ef7ab in std::__1::default_delete::operator()(SkSL::Symbol const*) const /usr/local/bin/../include/c++/v1/memory:2209:5
    #1 0x8ef69c in std::__1::unique_ptr >::reset(SkSL::Symbol const*) /usr/local/bin/../include/c++/v1/memory:2470:7
    #2 0x8ef612 in std::__1::unique_ptr >::~unique_ptr() /usr/local/bin/../include/c++/v1/memory:2424:19
    #3 0x8ef5e3 in std::__1::allocator > >::destroy(std::__1::unique_ptr >*) /usr/local/bin/../include/c++/v1/memory:1811:92
    #4 0x8ef5b0 in void std::__1::allocator_traits > > >::__destroy > >(std::__1::integral_constant, std::__1::allocator > >&, std::__1::unique_ptr >*) /usr/local/bin/../include/c++/v1/memory:1703:21
    #5 0x8ef580 in void std::__1::allocator_traits > > >::destroy > >(std::__1::allocator > >&, std::__1::unique_ptr >*) /usr/local/bin/../include/c++/v1/memory:1544:14
    #6 0x8ef501 in std::__1::__vector_base >, std::__1::allocator > > >::__destruct_at_end(std::__1::unique_ptr >*) /usr/local/bin/../include/c++/v1/vector:428:9
    #7 0x8ef423 in std::__1::__vector_base >, std::__1::allocator > > >::clear() /usr/local/bin/../include/c++/v1/vector:371:29
    #8 0x8ef19b in std::__1::__vector_base >, std::__1::allocator > > >::~__vector_base() /usr/local/bin/../include/c++/v1/vector:465:9
    #9 0x8ee140 in std::__1::vector >, std::__1::allocator > > >::~vector() /usr/local/bin/../include/c++/v1/vector:557:5
    #10 0x8ee044 in SkSL::SymbolTable::~SymbolTable() /src/skia/out/Fuzz/../../src/sksl/ir/SkSLSymbolTable.h:26:7
    #11 0x8ecc6c in std::__1::__shared_ptr_emplace >::__on_zero_shared() /usr/local/bin/../include/c++/v1/memory:3456:23
    #12 0x1abd08d in std::__1::__shared_weak_count::__release_shared() (/mnt/pd0/s/w/ir/cifuzz_work/cifuzz/out/skruntimeeffect+0x1abd08d)
    #13 0x77d593 in std::__1::shared_ptr::~shared_ptr() /usr/local/bin/../include/c++/v1/memory:4022:19
    #14 0x8c6b02 in std::__1::shared_ptr::operator=(std::__1::shared_ptr const&) /usr/local/bin/../include/c++/v1/memory:4030:5
    #15 0x963c18 in SkSL::IRGenerator::convertProgram(SkSL::Program::Kind, SkSL::Program::Settings const*, SkSL::ParsedModule const&, bool, char const*, unsigned long, std::__1::vector >, std::__1::allocator > > > const*) /src/skia/out/Fuzz/../../src/sksl/SkSLIRGenerator.cpp:2925:18
    #16 0x8d0ffe in SkSL::Compiler::convertProgram(SkSL::Program::Kind, SkSL::String, SkSL::Program::Settings const&, std::__1::vector >, std::__1::allocator > > > const*) /src/skia/out/Fuzz/../../src/sksl/SkSLCompiler.cpp:1559:27
    #17 0x750f30 in SkRuntimeEffect::Make(SkString) /src/skia/out/Fuzz/../../src/core/SkRuntimeEffect.cpp:123:30
    #18 0x565a57 in FuzzSkRuntimeEffect_Once(sk_sp) /src/skia/out/Fuzz/../../fuzz/oss_fuzz/FuzzSkRuntimeEffect.cpp:39:43
    #19 0x5657da in FuzzSkRuntimeEffect(sk_sp) /src/skia/out/Fuzz/../../fuzz/oss_fuzz/FuzzSkRuntimeEffect.cpp:72:14
    #20 0x565ee1 in LLVMFuzzerTestOneInput /src/skia/out/Fuzz/../../fuzz/oss_fuzz/FuzzSkRuntimeEffect.cpp:83:5
    #21 0x486811 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:595:15
    #22 0x485d5a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:503:3
    #23 0x487e24 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:810:7
    #24 0x488039 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:841:3
    #25 0x477ab4 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:902:6
    #26 0x49ee82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #27 0x7f719c98c83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #28 0x44d238 in _start (/mnt/pd0/s/w/ir/cifuzz_work/cifuzz/out/skruntimeeffect+0x44d238)

DEDUP_TOKEN: std::__1::default_delete::operator()(SkSL::Symbol const*) const--std::__1::unique_ptr >::reset(SkSL::Symbol const*)--std::__1::unique_ptr >::~unique_ptr()
0x7f719707a810 is located 16 bytes inside of 336016-byte region [0x7f719707a800,0x7f71970cc890)
freed by thread T0 here:
    #0 0x5399f2 in free /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0xa03ed3 in SkSL::Pool::~Pool() /src/skia/out/Fuzz/../../src/sksl/SkSLPool.cpp:107:5
    #2 0x77f4b4 in std::__1::default_delete::operator()(SkSL::Pool*) const /usr/local/bin/../include/c++/v1/memory:2209:5
    #3 0x77f3ec in std::__1::unique_ptr >::reset(SkSL::Pool*) /usr/local/bin/../include/c++/v1/memory:2470:7
    #4 0x77d542 in std::__1::unique_ptr >::~unique_ptr() /usr/local/bin/../include/c++/v1/memory:2424:19
    #5 0x77d0fa in SkSL::Program::~Program() /src/skia/out/Fuzz/../../src/sksl/ir/SkSLProgram.h:191:5
    #6 0x77d024 in std::__1::default_delete::operator()(SkSL::Program*) const /usr/local/bin/../include/c++/v1/memory:2209:5
    #7 0x77cf5c in std::__1::unique_ptr >::reset(SkSL::Program*) /usr/local/bin/../include/c++/v1/memory:2470:7
    #8 0x753ad2 in std::__1::unique_ptr >::~unique_ptr() /usr/local/bin/../include/c++/v1/memory:2424:19
    #9 0x8d1178 in SkSL::Compiler::convertProgram(SkSL::Program::Kind, SkSL::String, SkSL::Program::Settings const&, std::__1::vector >, std::__1::allocator > > > const*) /src/skia/out/Fuzz/../../src/sksl/SkSLCompiler.cpp:1582:1
    #10 0x750f30 in SkRuntimeEffect::Make(SkString) /src/skia/out/Fuzz/../../src/core/SkRuntimeEffect.cpp:123:30
    #11 0x565a57 in FuzzSkRuntimeEffect_Once(sk_sp) /src/skia/out/Fuzz/../../fuzz/oss_fuzz/FuzzSkRuntimeEffect.cpp:39:43
    #12 0x5657ac in FuzzSkRuntimeEffect(sk_sp) /src/skia/out/Fuzz/../../fuzz/oss_fuzz/FuzzSkRuntimeEffect.cpp:68:19
    #13 0x565ee1 in LLVMFuzzerTestOneInput /src/skia/out/Fuzz/../../fuzz/oss_fuzz/FuzzSkRuntimeEffect.cpp:83:5
    #14 0x486811 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:595:15
    #15 0x485d5a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:503:3
    #16 0x487e24 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:810:7
    #17 0x488039 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:841:3
    #18 0x477ab4 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:902:6
    #19 0x49ee82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #20 0x7f719c98c83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

DEDUP_TOKEN: free--SkSL::Pool::~Pool()--std::__1::default_delete::operator()(SkSL::Pool*) const
previously allocated by thread T0 here:
    #0 0x539c5d in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0xa041bf in SkSL::create_pool_data(int) /src/skia/out/Fuzz/../../src/sksl/SkSLPool.cpp:64:49
    #2 0xa03f5f in SkSL::Pool::CreatePoolOnThread(int) /src/skia/out/Fuzz/../../src/sksl/SkSLPool.cpp:112:19
    #3 0x8d0f65 in SkSL::Compiler::convertProgram(SkSL::Program::Kind, SkSL::String, SkSL::Program::Settings const&, std::__1::vector >, std::__1::allocator > > > const*) /src/skia/out/Fuzz/../../src/sksl/SkSLCompiler.cpp:1557:34
    #4 0x750f30 in SkRuntimeEffect::Make(SkString) /src/skia/out/Fuzz/../../src/core/SkRuntimeEffect.cpp:123:30
    #5 0x565a57 in FuzzSkRuntimeEffect_Once(sk_sp) /src/skia/out/Fuzz/../../fuzz/oss_fuzz/FuzzSkRuntimeEffect.cpp:39:43
    #6 0x5657ac in FuzzSkRuntimeEffect(sk_sp) /src/skia/out/Fuzz/../../fuzz/oss_fuzz/FuzzSkRuntimeEffect.cpp:68:19
    #7 0x565ee1 in LLVMFuzzerTestOneInput /src/skia/out/Fuzz/../../fuzz/oss_fuzz/FuzzSkRuntimeEffect.cpp:83:5
    #8 0x486811 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:595:15
    #9 0x485d5a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:503:3
    #10 0x487e24 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:810:7
    #11 0x488039 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:841:3
    #12 0x477ab4 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:902:6
    #13 0x49ee82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #14 0x7f719c98c83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

DEDUP_TOKEN: malloc--SkSL::create_pool_data(int)--SkSL::Pool::CreatePoolOnThread(int)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/local/bin/../include/c++/v1/memory:2209:5 in std::__1::default_delete::operator()(SkSL::Symbol const*) const
Shadow bytes around the buggy address:
  0x0feeb2e074b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feeb2e074c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feeb2e074d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feeb2e074e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0feeb2e074f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0feeb2e07500: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0feeb2e07510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0feeb2e07520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0feeb2e07530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0feeb2e07540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0feeb2e07550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==12==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
artifact_prefix='./'; Test unit written to ./crash-828019c636200590fdb38f848693556f2aa9c104

2020-10-21 15:20:48,350 - root - INFO - Bug found.