How to reproduce a clusterfuzz case on Android


Primiano Tucci

Jan 12, 2016, 6:05:13 AM
to securi...@chromium.org
Hi,
I got assigned a clusterfuzz bug (crbug.com/573316, https://cluster-fuzz.appspot.com/testcase?key=6141604676501504) but I'm failing to reproduce it.
First of all, I couldn't find any instructions that explain how I am supposed to reproduce a case on Android. Is there any doc out there?

I tried using the best of my knowledge, but evidently that is not enough.
This is what I am doing:
  1. tools/android/asan/third_party/asan_device_setup.sh --lib ~/Downloads/asan/libclang_rt.asan-arm-android.so  (using libclang_rt...so from the case "Build" link)
  2. adb install Chrome.apk (from the case "Build" link)
  3. Set up the command line to match the one in the config.ini of the case (tip: the command line seems irrelevant here. Crashes even with the default one):
    /build/android/adb_chrome_public_command_line --disable-gpu-watchdog ... etc etc
At this point if I open chrome, it crashes immediately.
This is what I get in the logcat:
=================================================================
I/        (24970): ==24970==ERROR: AddressSanitizer: SEGV on unknown address 0x00000007 (pc 0x7a79d308 bp 0xbeadbb80 sp 0xbeadbb60 T0)
I/        (24970):     #0 0x7a79d309  (/data/app-lib/com.google.android.apps.chrome-1/libc++_shared.so+0xc4309)
I/        (24970):     #1 0x7a79fb79  (/data/app-lib/com.google.android.apps.chrome-1/libc++_shared.so+0xc6b79)
I/        (24970):     #2 0x7a7a0f9d  (/data/app-lib/com.google.android.apps.chrome-1/libc++_shared.so+0xc7f9d)
I/        (24970):     #3 0x7adf488d  (/data/app-lib/com.google.android.apps.chrome-1/libchrome.so+0x5f688d)
I/        (24970):     #4 0x4073ae25  (/system/lib/libz.so+0x10e25)
I/        (24970):     #5 0x4073b355  (/system/lib/libz.so+0x11355)
I/        (24970): AddressSanitizer can not provide additional info.
I/        (24970): SUMMARY: AddressSanitizer: SEGV (/data/app-lib/com.google.android.apps.chrome-1/libc++_shared.so+0xc430

I symbolized those addresses and they don't match the case. They are all about unwind/unw_get_reg/__gnu_Unwind_Backtrace.
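Symbolizing the unsymbolized `lib+offset` frames from a logcat capture like the one above, as an added example that is not part of this thread or of Chromium's own tooling. It assumes the unstripped `.so` files from the case's "Build" link are in a local directory and that an NDK `arm-linux-androideabi-addr2line` is on PATH (both assumptions); frames whose library is not available locally, such as `/system/lib/libz.so`, are reported rather than dropped.

```python
import os
import re
import shutil
import subprocess
from typing import List, NamedTuple
# Unsymbolized ASan frame as logcat prints it (after the "I/ (pid): " prefix), e.g.
#   #3 0x7adf488d  (/data/app-lib/.../libchrome.so+0x5f688d); lib group is lazy since libc++_shared.so contains '+'.
FRAME_RE = re.compile(r"#(?P<num>\d+)\s+0x[0-9a-f]+\s+\((?P<lib>.+?)\+0x(?P<off>[0-9a-f]+)\)")

class Frame(NamedTuple):
    num: int
    lib: str      # library path as loaded on the device
    offset: int   # offset into that library: the value addr2line needs

def parse_asan_frames(logcat: str) -> List[Frame]:
    """Extract every '#N 0xPC (lib+0xOFF)' frame from a logcat capture, in order."""
    frames = []
    for line in logcat.splitlines():
        m = FRAME_RE.search(line)
        if m:
            frames.append(Frame(int(m["num"]), m["lib"], int(m["off"], 16)))
    return frames

def addr2line_cmd(frame: Frame, symbol_dir: str,
                  addr2line: str = "arm-linux-androideabi-addr2line") -> List[str]:
    """addr2line invocation against the unstripped copy of the frame's library in symbol_dir
    (assumed local dir; Android .so files load at VMA 0, so the module offset is the lookup address)."""
    local_lib = os.path.join(symbol_dir, os.path.basename(frame.lib))
    return [addr2line, "-C", "-f", "-e", local_lib, f"0x{frame.offset:x}"]

def symbolize(logcat: str, symbol_dir: str) -> List[str]:
    """One '#N lib+0xOFF -> symbol' line per frame; missing local .so or addr2line is reported, not skipped."""
    out = []
    for f in parse_asan_frames(logcat):
        cmd = addr2line_cmd(f, symbol_dir)
        where = f"{os.path.basename(f.lib)}+0x{f.offset:x}"
        if not os.path.isfile(cmd[-2]) or shutil.which(cmd[0]) is None:
            out.append(f"#{f.num} {where} -> <no local symbols>")
            continue
        res = subprocess.run(cmd, capture_output=True, text=True, check=False)
        out.append(f"#{f.num} {where} -> {' '.join(res.stdout.split())}")
    return out

# Three frames copied from the logcat quoted in the message above, as sample input.
SAMPLE_LOGCAT = """\
I/        (24970):     #0 0x7a79d309  (/data/app-lib/com.google.android.apps.chrome-1/libc++_shared.so+0xc4309)
I/        (24970):     #3 0x7adf488d  (/data/app-lib/com.google.android.apps.chrome-1/libchrome.so+0x5f688d)
I/        (24970):     #4 0x4073ae25  (/system/lib/libz.so+0x10e25)
"""
```

Run `symbolize(open("crash.logcat").read(), "~/Downloads/asan")` (path expanded) against a full capture; the `pc` values in the header line are absolute and are ignored because only the module offset is stable across runs.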

Abhishek Arya

Jan 12, 2016, 11:56:22 AM
to Primiano Tucci, securi...@chromium.org
I have left a comment in the bug. This was an ASAN breakage which was fixed yesterday. We should have a good build by EOD.

Primiano Tucci

Jan 12, 2016, 12:05:48 PM
to Abhishek Arya, securi...@chromium.org
I see, that explains, thanks.
As a more general comment, my original question about documentation still holds.

I happen to know about asan_device_setup.sh and how to use addr2line & bintools by almost accident because I worked on breakpad for a while. And I know about adb_chrome_public_command_line because I am an Android developer.

I don't expect a general chromium developer to have that background. How are they supposed to deal with those clusterfuzz bugs?

Abhishek Arya

Jan 12, 2016, 12:09:26 PM
to Primiano Tucci, bjo...@chromium.org, securi...@chromium.org
go/clusterfuzz-repro has instructions, also the link is in the "Local reproduction config" section. For any issues with this script, ping bjo...@chromium.org.