Integer-overflow in gpu::gles2::GLES2DecoderImpl::DoDrawArrays
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4873237400125440

Fuzzer: libfuzzer_gpu_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  gpu::gles2::GLES2DecoderImpl::DoDrawArrays
  gpu::gles2::GLES2DecoderImpl::HandleDrawArrays
  gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=405489:405645

Minimized Testcase (8.91 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ntiALTenBO1whtZdiWpao6PpnZuNtWdtR5zMRpfVW_FVWprDPMh-aAfMPKwV5yfh1qg3NB5clxyVFENQZpQauUXRzU39W8bfLQao6pbC3L5-JP8na4QORbrPnjPfvtoer54Ds5qwlt-3qPZjhi3PHDBlpYA?testcase_id=4873237400125440

Filer: rnimmagadda

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Jul 29 2016
I'll take this one.

Sep 16 2016
I got this one fixed in https://codereview.chromium.org/2349613002/ I don't think this is a regression, most likely it's always been busted. Luckily, looking at the generated code (x86-64), it doesn't seem to make the compiler do something unexpected.
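The crash state above names an integer overflow in the DrawArrays handler, which is the classic shape of a draw-range check: first + count evaluated in a 32-bit signed int. The C below is an added illustration of that bug class next to a checked counterpart; it is not code from Chromium or from the fix linked in the comment above. The function names, the vertex-count limit and the sample inputs are constructed for the demonstration, and the two's-complement wrap of the vulnerable variant is emulated in unsigned arithmetic so the demo itself does not trip UBSan.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the bug class in this report: a DrawArrays-style
 * range check that computes first + count in a 32-bit signed int.
 * Function names, the vertex-count limit and the sample inputs are
 * hypothetical; this is not Chromium's decoder code. */

typedef int32_t GLint;
typedef int32_t GLsizei;

/* Emulates what signed first + count yields on a two's-complement target
 * when it overflows. The add is done in uint32_t so this demo stays free
 * of the undefined behaviour UBSan flagged in the real code; the final
 * cast wraps on every mainstream compiler. */
static GLint wrapping_add(GLint a, GLint b) {
    return (GLint)((uint32_t)a + (uint32_t)b);
}

/* Vulnerable shape: negative inputs are rejected up front, but the sum can
 * wrap to a negative value, which trivially satisfies "<= vertex_count"
 * and lets an out-of-range draw through. */
bool draw_arrays_unchecked(GLint first, GLsizei count, GLsizei vertex_count) {
    if (first < 0 || count < 0 || vertex_count < 0) return false;
    GLint end = wrapping_add(first, count);   /* first + count, may wrap */
    return end <= vertex_count;
}

/* Hardened shape: reject when the sum would exceed INT32_MAX before it is
 * computed. With first >= 0 the subtraction cannot underflow, so every
 * operation here is defined. __builtin_add_overflow or a checked-numeric
 * wrapper expresses the same idea. */
bool draw_arrays_checked(GLint first, GLsizei count, GLsizei vertex_count) {
    if (first < 0 || count < 0 || vertex_count < 0) return false;
    if (count > INT32_MAX - first) return false;  /* first + count overflows */
    GLint end = first + count;
    return end <= vertex_count;
}

int main(void) {
    const GLsizei vertices = 1000;  /* constructed buffer size */
    struct { GLint first; GLsizei count; } cases[] = {
        {0, 100},            /* in range */
        {900, 100},          /* exactly fills the buffer */
        {901, 100},          /* one past the end, both variants reject */
        {INT32_MAX, 2},      /* wraps negative: unchecked accepts */
        {INT32_MAX - 1, INT32_MAX},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("first=%d count=%d unchecked=%d checked=%d\n",
               cases[i].first, cases[i].count,
               draw_arrays_unchecked(cases[i].first, cases[i].count, vertices),
               draw_arrays_checked(cases[i].first, cases[i].count, vertices));
    }
    return 0;
}
```

The unchecked variant accepts the two overflowing inputs because the wrapped sum is negative; the checked variant rejects them and otherwise agrees with it on the in-range cases.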

Sep 17 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/cfad0a79e789741d0215022d5ed900a5c68c9328

commit cfad0a79e789741d0215022d5ed900a5c68c9328
Author: piman <piman@chromium.org>
Date: Sat Sep 17 00:18:51 2016

Fix int overflow in GLES2DecoderImpl::DoDrawArrays

BUG= 632626
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2349613002
Cr-Commit-Position: refs/heads/master@{#419342}

[modify] https://crrev.com/cfad0a79e789741d0215022d5ed900a5c68c9328/gpu/command_buffer/service/gles2_cmd_decoder.cc
[modify] https://crrev.com/cfad0a79e789741d0215022d5ed900a5c68c9328/gpu/command_buffer/service/gles2_cmd_decoder_unittest_drawing.cc

Sep 17 2016
ClusterFuzz has detected this issue as fixed in range 419248:419351.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4873237400125440

Fuzzer: libfuzzer_gpu_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Integer-overflow
Crash Address:
Crash State:
  gpu::gles2::GLES2DecoderImpl::DoDrawArrays
  gpu::gles2::GLES2DecoderImpl::HandleDrawArrays
  gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=405489:405645
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=419248:419351

Minimized Testcase (8.91 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ntiALTenBO1whtZdiWpao6PpnZuNtWdtR5zMRpfVW_FVWprDPMh-aAfMPKwV5yfh1qg3NB5clxyVFENQZpQauUXRzU39W8bfLQao6pbC3L5-JP8na4QORbrPnjPfvtoer54Ds5qwlt-3qPZjhi3PHDBlpYA?testcase_id=4873237400125440

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sep 17 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by rnimmagadda@chromium.org, Jul 29 2016
Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug M-54 Findit-for-crash Te-Logged Pri-2 Type-Bug-Regression
Owner: vmi...@chromium.org
Status: Assigned (was: Untriaged)