vertex_attrib_manager_count_ == 0u in vertex_array_manager.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6445342627463168

Fuzzer: libfuzzer_gpu_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  vertex_attrib_manager_count_ == 0u in vertex_array_manager.cc
  gpu::gles2::VertexArrayManager::~VertexArrayManager
  gpu::gles2::GLES2DecoderImpl::~GLES2DecoderImpl

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=407164:407280

Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96f_Y7jck6qWPh9iNFTZqPWibmM5VYuMPSYJ-_FAQvWltJvVaIRUVkICMN8TB5pI60kRFeu_9ncZE-2HVnxNTWpwygXlPdgggypbKPiv2tUeGGVNGAVWLXW9UYgR0QwA_tSzTj0LLLGsweF_rc-3PyockzcbQ?testcase_id=6445342627463168

Filer: mmohammad

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 25 2016
OK, I'll take a look.
Jul 26 2016
Note: the stack trace in the original report is not where the bug is - if you look at the full stack:
#0 0x444369 in __sanitizer_print_stack_trace (/mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-libfuzzer_linux-release-msan_ae530a86793cd6b8b56ce9af9159ac101396e802/revisions/libfuzzer-linux-release-407280/gpu_fuzzer+0x444369)
#1 0x4b6de7 in fuzzer::Fuzzer::CrashCallback() third_party/libFuzzer/src/FuzzerLoop.cpp:209:5
#2 0x4b6cc8 in fuzzer::Fuzzer::StaticCrashSignalCallback() third_party/libFuzzer/src/FuzzerLoop.cpp:198:6
#3 0x44e8b8 in SignalHandler(int) (/mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-libfuzzer_linux-release-msan_ae530a86793cd6b8b56ce9af9159ac101396e802/revisions/libfuzzer-linux-release-407280/gpu_fuzzer+0x44e8b8)
#0 0x7f278cf2a32f in libpthread.so.0
#5 0x7fccef in operator[] buildtools/third_party/libc++/trunk/include/vector:1507:18
#6 0x7fccef in vertex_input_type_written_mask gpu/command_buffer/service/program_manager.h:417
#7 0x7fccef in AttribsTypeMatch gpu/command_buffer/service/gles2_cmd_decoder.cc:9144
#8 0x7fccef in gpu::gles2::GLES2DecoderImpl::DoDrawArrays(char const*, bool, unsigned int, int, int, int) gpu/command_buffer/service/gles2_cmd_decoder.cc:9209
#9 0x672c6e in gpu::gles2::GLES2DecoderImpl::HandleDrawArrays(unsigned int, void const*) gpu/command_buffer/service/gles2_cmd_decoder.cc:9264:10
#10 0x79c806 in gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>(unsigned int, void const*, int, int*) gpu/command_buffer/service/gles2_cmd_decoder.cc:5035:18
#11 0x52a8c1 in gpu::CommandParser::ProcessCommands(int) gpu/command_buffer/service/cmd_parser.cc:53:35
#12 0x530c21 in gpu::CommandExecutor::PutChanged() gpu/command_buffer/service/command_executor.cc:61:22
#13 0x49c0d9 in gpu::(anonymous namespace)::CommandBufferSetup::PumpCommands() gpu/command_buffer/tests/fuzzer_main.cc:168:16
#14 0x496fb0 in RunCommandBuffer gpu/command_buffer/tests/fuzzer_main.cc:152:22
#15 0x496fb0 in LLVMFuzzerTestOneInput gpu/command_buffer/tests/fuzzer_main.cc:258
#16 0x4c01c1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:488:13
#17 0x4bd0ca in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:444:3
#18 0x49f4c8 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) third_party/libFuzzer/src/FuzzerDriver.cpp:257:6
#19 0x4a4b41 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:379:9
#20 0x4da790 in main third_party/libFuzzer/src/FuzzerMain.cpp:21:10
#21 0x7f278c960f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
#22 0x428934 in _start (/mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-libfuzzer_linux-release-msan_ae530a86793cd6b8b56ce9af9159ac101396e802/revisions/libfuzzer-linux-release-407280/gpu_fuzzer+0x428934)
The problem is in #5.
The rest of the stack is that libfuzzer's signal handler calls exit() which tries to clean up global objects / atexit destructors (which is a bad idea).
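The masking effect described in the comment above, as an added example that is not Chromium or libFuzzer code: a crash handler that calls exit() runs the static destructors, so a CHECK in one of those destructors becomes the "crash state" the report shows, while a handler that calls _exit() leaves the original fault as the only evidence. The Manager struct, its live_children counter and the ReportedCrashState helper are hypothetical stand-ins; raise(SIGSEGV) stands in for the out-of-bounds operator[] in frame #5; the code assumes a POSIX system with fork and pipe.

```cpp
#include <csignal>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <sys/wait.h>
#include <unistd.h>

// Set only in the forked child; the parent keeps -1 so its own copy of the
// static Manager stays silent when the parent process exits normally.
static int g_report_fd = -1;
static volatile sig_atomic_t g_handler_calls_exit = 0;

// Hypothetical stand-in for a manager whose destructor CHECKs that every
// child object was released before teardown (compare
// VertexArrayManager::~VertexArrayManager). The "CHECK" here writes a
// marker to the report pipe instead of aborting, so the result is testable.
struct Manager {
  int live_children = 1;  // still non-zero when the fault happens
  ~Manager() {
    if (live_children != 0 && g_report_fd >= 0) {
      static const char kMsg[] = "CHECK(live_children == 0) in ~Manager";
      (void)write(g_report_fd, kMsg, sizeof(kMsg) - 1);
    }
  }
};
static Manager g_manager;  // static lifetime: destroyed by exit(), never by _exit()

// Crash handler. write() is async-signal-safe; exit() is not, and that is
// exactly the point: it runs atexit handlers and static destructors.
static void FaultHandler(int) {
  static const char kMsg[] = "SIGSEGV;";
  (void)write(g_report_fd, kMsg, sizeof(kMsg) - 1);
  if (g_handler_calls_exit)
    exit(1);   // libFuzzer-style cleanup: ~Manager runs and "CHECKs"
  _exit(1);    // immediate termination: no destructors, original fault only
}

// Forks a child that installs FaultHandler, raises SIGSEGV (standing in for
// the real out-of-bounds access) and returns everything the child reported.
std::string ReportedCrashState(bool handler_calls_exit) {
  int fds[2];
  if (pipe(fds) != 0) return "pipe failed";
  pid_t pid = fork();
  if (pid < 0) return "fork failed";
  if (pid == 0) {
    close(fds[0]);
    g_report_fd = fds[1];
    g_handler_calls_exit = handler_calls_exit ? 1 : 0;
    signal(SIGSEGV, FaultHandler);
    raise(SIGSEGV);
    _exit(2);  // not reached
  }
  close(fds[1]);
  std::string out;
  char buf[128];
  ssize_t n;
  while ((n = read(fds[0], buf, sizeof(buf))) > 0) out.append(buf, n);
  close(fds[0]);
  int status = 0;
  waitpid(pid, &status, 0);
  return out;
}

int main() {
  // With exit(): the destructor's CHECK is appended after the real fault.
  printf("handler calls exit():  %s\n", ReportedCrashState(true).c_str());
  // With _exit(): only the original SIGSEGV is recorded.
  printf("handler calls _exit(): %s\n", ReportedCrashState(false).c_str());
  return 0;
}
```

When triaging a ClusterFuzz report whose crash state is a CHECK in a destructor, read the full sanitizer stack rather than the summarized state: the frames between the signal handler and the destructor show where the fault actually occurred.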
Jul 26 2016
ClusterFuzz has detected this issue as fixed in range 407562:407705.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6445342627463168

Fuzzer: libfuzzer_gpu_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  vertex_attrib_manager_count_ == 0u in vertex_array_manager.cc
  gpu::gles2::VertexArrayManager::~VertexArrayManager
  gpu::gles2::GLES2DecoderImpl::~GLES2DecoderImpl

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=407164:407280
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=407562:407705

Minimized Testcase (0.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96f_Y7jck6qWPh9iNFTZqPWibmM5VYuMPSYJ-_FAQvWltJvVaIRUVkICMN8TB5pI60kRFeu_9ncZE-2HVnxNTWpwygXlPdgggypbKPiv2tUeGGVNGAVWLXW9UYgR0QwA_tSzTj0LLLGsweF_rc-3PyockzcbQ?testcase_id=6445342627463168

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 26 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 26 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 21 2017

Comment 1 by mmohammad@chromium.org, Jul 25 2016
Owner: zmo@chromium.org
Status: Assigned (was: Untriaged)