vertex_attrib_manager_count_ == 0u in vertex_array_manager.cc
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5005969493065728
Fuzzer: libfuzzer_gpu_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  vertex_attrib_manager_count_ == 0u in vertex_array_manager.cc
  gpu::gles2::VertexArrayManager::~VertexArrayManager
  gpu::gles2::GLES2DecoderImpl::~GLES2DecoderImpl
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=417888:417914
Minimized Testcase (1.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95sEGJUnMIu-H6cleVKbhYOmELDw89uLpJlUXYT-Dgko9iP8tTBzReL6_uU5UlHZoj45uDk1x1ecnFWkOg0v4EAvjl2imswfJd64NE-tmgADFri6d02cFFwYwmORlPn4rK4allC_yqrjUlbKNJ-sZ5DIx7aIA?testcase_id=5005969493065728
Issue manually filed by: mummareddy
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 16 2016
vertex_array_manager.cc is a red herring, caused by the fuzzer trying to exit correctly after a crash.

Full stack:
#0 0x00000055cfe6 base::debug::StackTrace::StackTrace()
#1 0x0000004acf5a logging::LogMessage::~LogMessage()
#2 0x00000096dfc1 gpu::gles2::VertexArrayManager::~VertexArrayManager()
#3 0x00000074d81b gpu::gles2::GLES2DecoderImpl::~GLES2DecoderImpl()
#4 0x00000074ebe1 gpu::gles2::GLES2DecoderImpl::~GLES2DecoderImpl()
#5 0x000000431768 gpu::(anonymous namespace)::CommandBufferSetup::~CommandBufferSetup()
#6 0x7f06efdfd1a9 <unknown>
#7 0x7f06efdfd1f5 exit
#8 0x000000443993 fuzzer::Fuzzer::CrashCallback()
#9 0x000000443920 fuzzer::Fuzzer::StaticCrashSignalCallback()
#10 0x7f06f03ac330 <unknown>
#11 0x000000687108 gpu::gles2::Framebuffer::GetAttachment()
#12 0x0000007c9718 gpu::gles2::GLES2DecoderImpl::DoBlitFramebufferCHROMIUM()
#13 0x00000070d531 gpu::gles2::GLES2DecoderImpl::HandleBlitFramebufferCHROMIUM()
#14 0x000000796786 gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<>()
#15 0x000000975192 gpu::CommandParser::ProcessCommands()
#16 0x000000647a14 gpu::CommandExecutor::PutChanged()
#17 0x00000043308d gpu::(anonymous namespace)::CommandBufferSetup::PumpCommands()
#18 0x00000042ff51 LLVMFuzzerTestOneInput
#19 0x000000445081 fuzzer::Fuzzer::ExecuteCallback()
#20 0x000000444a38 fuzzer::Fuzzer::RunOne()
#21 0x00000043473b fuzzer::RunOneTest()
#22 0x00000043655e fuzzer::FuzzerDriver()
#23 0x000000449bd3 main
#24 0x7f06efde2f45 __libc_start_main
#25 0x000000413419 <unknown>

The real issue is a null pointer in DoBlitFramebufferCHROMIUM, caused by https://codereview.chromium.org/2329453002
Sep 16 2016
https://codereview.chromium.org/2347063002/ should do it.
Sep 16 2016
Sep 16 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e73c6e4fb70aafcf86d4a0eeca40363974f4a3e6

commit e73c6e4fb70aafcf86d4a0eeca40363974f4a3e6
Author: piman <piman@chromium.org>
Date: Fri Sep 16 02:34:02 2016

Fix crash in DoBlitFramebufferCHROMIUM

BUG= 646168
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2347063002
Cr-Commit-Position: refs/heads/master@{#419079}

[modify] https://crrev.com/e73c6e4fb70aafcf86d4a0eeca40363974f4a3e6/gpu/command_buffer/service/gles2_cmd_decoder.cc
[modify] https://crrev.com/e73c6e4fb70aafcf86d4a0eeca40363974f4a3e6/gpu/command_buffer/service/gles2_cmd_decoder_unittest_framebuffers.cc
Sep 16 2016
ClusterFuzz has detected this issue as fixed in range 419032:419094.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5005969493065728
Fuzzer: libfuzzer_gpu_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  vertex_attrib_manager_count_ == 0u in vertex_array_manager.cc
  gpu::gles2::VertexArrayManager::~VertexArrayManager
  gpu::gles2::GLES2DecoderImpl::~GLES2DecoderImpl
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=417888:417914
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=419032:419094
Minimized Testcase (1.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95sEGJUnMIu-H6cleVKbhYOmELDw89uLpJlUXYT-Dgko9iP8tTBzReL6_uU5UlHZoj45uDk1x1ecnFWkOg0v4EAvjl2imswfJd64NE-tmgADFri6d02cFFwYwmORlPn4rK4allC_yqrjUlbKNJ-sZ5DIx7aIA?testcase_id=5005969493065728
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 16 2016
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Sep 12 2016
Components: Tools>Test>FindIt>NoResult
Labels: M-55 Te-Logged
Owner: zmo@chromium.org
Status: Assigned (was: Untriaged)