Suspected CLs	The result is a list of CLs that change the crashed files.

Author: xidachen
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/11401539431e6ff15901f90f4d1e87033dc77ba5
Time: Tue Jun 07 13:17:10 2016
Lines 4151-4154, 4160-4174, 4598 of file WebGLRenderingContextBase.cpp which potentially caused crash are changed in this cl (frame #4, "blink::WebGLRenderingContextBase::texImageHelperDOMArrayBufferView"; frame #5, "blink::WebGLRenderingContextBase::texSubImage2D").
Minimum distance from crash line to modified line: 0. (file: WebGLRenderingContextBase.cpp, crashed on: 4151, modified: 4151).

Suspected Project: chromium
Suspected Component: Blink>WebGL
--------------------------------

From the above suspected CL assigning it to xidachen: Hey, would you mind checking the above issue and see if related to your change ?

Marking the above issue as RB-Stable, feel free to remove if required.

Appreciate your help.

Thank you!

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/422466ba6888ba92906331f2adfe56123d722415

commit 422466ba6888ba92906331f2adfe56123d722415
Author: xidachen <xidachen@chromium.org>
Date: Thu Jun 09 15:32:30 2016

Prevent Null input in texSubImage2D(3D)

In a previous CL which packs some repeated code into helper functions,
I made a mistake so that tex(Sub)Image2D(3D) can always take null input
for DOMArrayBufferView. However, I took a look at the original code
before my change, it turns out that texImage2D and texImage3D is allowed
to take null input, but texSubImage2D and texSubImage3D is not allowed.
The stack trace in the bug also suggests that it crashes
because the input is null.

This CL makes change for that.

BUG= 618299 
CQ_INCLUDE_TRYBOTS=tryserver.chromium.win:win_optional_gpu_tests_rel;tryserver.chromium.mac:mac_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2046223003
Cr-Commit-Position: refs/heads/master@{#398891}

[modify] https://crrev.com/422466ba6888ba92906331f2adfe56123d722415/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp

ClusterFuzz has detected this issue as fixed in range 398833:398986.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6045876892205056

Fuzzer: mbarbella_webgl
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000030
Crash State:
  gpu::gles2::GLES2Implementation::TexSubImage2DImpl
  gpu::gles2::GLES2Implementation::TexSubImage2D
  blink::WebGLRenderingContextBase::texImageHelperDOMArrayBufferView
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=398017:398351
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=398833:398986

Minimized Testcase (0.47 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95CGuzEBP_zKitxj7OjfeYtYhdTizP6QuhjV6Dv20gv9mVF3ZDMhk9H7MagRI0SBRYd6RsBxulrPY1BusVXYeSpfpSMQpJTymFHm_p__UBIJN4pdoG3ZaEw0_C_LLjtM7AfSJ0kVV62BYOEyIUX7LZtAhoKqA
<script>
      function create_program() {
      }
      function runTests() {
        for (i=0; i<5; i++) {
          var canvas = document.createElement('canvas');
          var gl = canvas.getContext('experimental-webgl');
          runTest(gl);
        }
      }
function runTest(gl) {
 var tex = gl.createTexture() 
 gl.bindTexture(gl.TEXTURE_2D, tex) 
 gl.texSubImage2D(gl.TEXTURE_2D, 0, 0, 0, 4, 4, gl.RGBA, gl.UNSIGNED_BYTE, null) 
}
</script>
<body onload="runTests()">


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/422466ba6888ba92906331f2adfe56123d722415

commit 422466ba6888ba92906331f2adfe56123d722415
Author: xidachen <xidachen@chromium.org>
Date: Thu Jun 09 15:32:30 2016

Prevent Null input in texSubImage2D(3D)

In a previous CL which packs some repeated code into helper functions,
I made a mistake so that tex(Sub)Image2D(3D) can always take null input
for DOMArrayBufferView. However, I took a look at the original code
before my change, it turns out that texImage2D and texImage3D is allowed
to take null input, but texSubImage2D and texSubImage3D is not allowed.
The stack trace in the bug also suggests that it crashes
because the input is null.

This CL makes change for that.

BUG= 618299 
CQ_INCLUDE_TRYBOTS=tryserver.chromium.win:win_optional_gpu_tests_rel;tryserver.chromium.mac:mac_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2046223003
Cr-Commit-Position: refs/heads/master@{#398891}

[modify] https://crrev.com/422466ba6888ba92906331f2adfe56123d722415/third_party/WebKit/Source/modules/webgl/WebGLRenderingContextBase.cpp

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot