
Issue 646814

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 646168
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Crash in gpu::gles2::TextureAttachment::IsSameAttachment

Reported by ClusterFuzz (Project Member), Sep 14 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5833982715625472

Fuzzer: gpu_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  gpu::gles2::TextureAttachment::IsSameAttachment
  gpu::gles2::GLES2DecoderImpl::DoBlitFramebufferCHROMIUM
  gpu::gles2::GLES2DecoderImpl::HandleBlitFramebufferCHROMIUM
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417985:418093

Minimized Testcase (10.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94OCKOwxbNePLycRx3VVWKq2Oo46RQ4tJ-K30ZW9nRBmdyszxy7mKzzC4lD0oYzSrf8tEj852xGwrSEY2P-sesYgm_c6wA9pWA-GimqEp67Jle7TA1l4Xtb_lhr0cwqxRXGZTjVhSAEdQnmEZIT2BiMVY2d0A?testcase_id=5833982715625472

Issue manually filed by: tkonchada

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: kbr@chromium.org
Components: Internals>GPU>WebGL
Labels: Findit-for-crash M-55 Te-Logged
Owner: qiankun....@intel.com
Status: Assigned (was: Untriaged)
Suspected CLs

Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: qiankun.miao
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/db975cd18716681f50db94d36120ba50148604fe
Time: Wed Jul 20 18:00:19 2016
The CL last changed line 234 of file framebuffer_manager.cc, which is stack frame 0.

Author: yunchao.he
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/faeb732edb9e057db922bc1d623dd0a543b91ca0
Time: Mon Sep 12 08:56:41 2016
The CL last changed line 7644 of file gles2_cmd_decoder.cc, which is stack frame 1.

Author: dongseong.hwang
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/5eaf06e85cbde57277e40d9775fe48fef473da60
Time: Thu Nov 06 19:59:07 2014
The CL last changed line 4485 of file gles2_cmd_decoder_autogen.h, which is stack frame 2.

Author: vmiura
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/8266ca7b30020175e2564b9760597672f7f3ad57
Time: Tue Sep 09 21:37:00 2014
The CL last changed line 5050 of file gles2_cmd_decoder.cc, which is stack frame 3.

Author: vmiura
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/8266ca7b30020175e2564b9760597672f7f3ad57
Time: Tue Sep 09 21:37:00 2014
The CL last changed line 53 of file cmd_parser.cc, which is stack frame 4.

Author: vmiura
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/8266ca7b30020175e2564b9760597672f7f3ad57
Time: Tue Sep 09 21:37:00 2014
The CL last changed line 61 of file command_executor.cc, which is stack frame 5.

Author: piman
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/5adadcfc2694ac8b90405f5b82a856adc542d83f
Time: Thu Jul 14 23:52:35 2016
The CL last changed line 211 of file fuzzer_main.cc, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Internals>GPU>Internals

Possible suspect : https://chromium.googlesource.com/chromium/src/+/db975cd18716681f50db94d36120ba50148604fe

Please reassign if this is not related to your change.
Comment 2 by ClusterFuzz (Project Member), Sep 14 2016

Labels: Stability-AFL
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6566929118789632

Fuzzer: afl_gpu_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000028
Crash State:
  gpu::gles2::GLES2DecoderImpl::DoBlitFramebufferCHROMIUM
  gpu::gles2::GLES2DecoderImpl::HandleBlitFramebufferCHROMIUM
  gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=417884:417900

Minimized Testcase (1.93 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95v2wE-2XRZ2WCYHSgOiuzXqBTOkVLAaAFv8vRtVxFTJ0yALJqXiu5g-pGsQ8cF938hIzMS9sfG9z3hp9XWQFsALYfTi0Dwe6WqGtnzvJF3NdNPJiBYJOmhgejGLzJl-W9DaAuk_jSzf4uMRoV7us4bwDC0DQ?testcase_id=6566929118789632

Additional requirements: Requires Gestures

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 3 by piman@chromium.org, Sep 16 2016

Mergedinto: 646168
Status: Duplicate (was: Assigned)
Comment 4 by ClusterFuzz (Project Member), Sep 16 2016

ClusterFuzz has detected this issue as fixed in range 418964:419085.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6566929118789632

Fuzzer: afl_gpu_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000028
Crash State:
  gpu::gles2::GLES2DecoderImpl::DoBlitFramebufferCHROMIUM
  gpu::gles2::GLES2DecoderImpl::HandleBlitFramebufferCHROMIUM
  gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=417884:417900
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=418964:419085

Minimized Testcase (1.93 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95v2wE-2XRZ2WCYHSgOiuzXqBTOkVLAaAFv8vRtVxFTJ0yALJqXiu5g-pGsQ8cF938hIzMS9sfG9z3hp9XWQFsALYfTi0Dwe6WqGtnzvJF3NdNPJiBYJOmhgejGLzJl-W9DaAuk_jSzf4uMRoV7us4bwDC0DQ?testcase_id=6566929118789632

Additional requirements: Requires Gestures

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by piman@chromium.org, Sep 16 2016

Actually I missed one of the cases, which should be fixed in https://codereview.chromium.org/2347063002
Comment 6 by bugdroid1@chromium.org (Project Member), Sep 17 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2b52c8624a013e7449e399527a8ee6ddce6aa7f8

commit 2b52c8624a013e7449e399527a8ee6ddce6aa7f8
Author: piman <piman@chromium.org>
Date: Sat Sep 17 00:49:08 2016

Fix crash in BlitFramebufferCHROMIUM with a null read buffer.

BUG=646814
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2344273003
Cr-Commit-Position: refs/heads/master@{#419351}

[modify] https://crrev.com/2b52c8624a013e7449e399527a8ee6ddce6aa7f8/gpu/command_buffer/service/gles2_cmd_decoder.cc
[modify] https://crrev.com/2b52c8624a013e7449e399527a8ee6ddce6aa7f8/gpu/command_buffer/service/gles2_cmd_decoder_unittest_framebuffers.cc
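The crash state in this report (a read near address 0 inside TextureAttachment::IsSameAttachment, reached from DoBlitFramebufferCHROMIUM) and the fix title ("a null read buffer") describe one failure mode: a blit that compares the read and draw attachments before confirming that both attachments exist. The block below is an added illustration written for this page, not Chromium's code and not the CL linked above; the types, function names and the GL error mapping are hypothetical stand-ins for the gpu::gles2 classes, and the "silently ignored" behaviour for a missing buffer follows the ES 3.0 BlitFramebuffer wording as the author of this example understands it. It shows the unchecked shape beside a checked one.

```cpp
// Added example, not Chromium code: a minimal model of the null-read-buffer
// failure mode behind this bug. All names here are hypothetical stand-ins.
#include <cstdint>

// Stand-in for a texture attachment on a framebuffer colour attachment point.
struct TextureAttachment {
  uint32_t texture_id;
  int level;
  // Comparison in the style of an IsSameAttachment() check. It dereferences
  // `other`, so the caller must never pass nullptr.
  bool IsSameAttachment(const TextureAttachment* other) const {
    return other->texture_id == texture_id && other->level == level;
  }
};

// Stand-in for a framebuffer. nullptr means nothing is attached at colour
// attachment 0 (or the read buffer is NONE), i.e. "no read buffer".
struct Framebuffer {
  const TextureAttachment* color0;
};

enum class GlError { kNoError, kInvalidOperation };

struct BlitOutcome {
  GlError error;
  bool color_copied;
};

// Unchecked form: reproduces the shape of the crash on this page. The
// feedback-loop check runs before anyone confirms both attachments exist,
// so a null source or destination turns into a read at a small address.
BlitOutcome BlitColorUnchecked(const Framebuffer& read_fb,
                               const Framebuffer& draw_fb) {
  const TextureAttachment* src = read_fb.color0;
  const TextureAttachment* dst = draw_fb.color0;
  if (dst->IsSameAttachment(src))  // null src or dst: UNKNOWN READ near 0
    return {GlError::kInvalidOperation, false};
  return {GlError::kNoError, true};
}

// Checked form: validate before comparing. A buffer named in the blit mask
// that is absent from either framebuffer is treated as "nothing to copy"
// (assumed here to match the ES 3.0 BlitFramebuffer rule that such a bit
// is silently ignored), so a null read buffer is a no-op rather than a crash.
BlitOutcome BlitColorChecked(const Framebuffer& read_fb,
                             const Framebuffer& draw_fb) {
  const TextureAttachment* src = read_fb.color0;
  const TextureAttachment* dst = draw_fb.color0;
  if (src == nullptr || dst == nullptr)
    return {GlError::kNoError, false};
  // Same texture and level on both sides is a feedback loop: reject it.
  if (dst->IsSameAttachment(src))
    return {GlError::kInvalidOperation, false};
  return {GlError::kNoError, true};
}

int main() {
  TextureAttachment tex{1, 0};
  Framebuffer with_tex{&tex};
  Framebuffer no_read_buffer{nullptr};
  // The checked path survives the input that crashes the unchecked one.
  BlitOutcome r = BlitColorChecked(no_read_buffer, with_tex);
  return (r.error == GlError::kNoError && !r.color_copied) ? 0 : 1;
}
```

The point of the ordering matters more than the exact policy chosen for a missing buffer: whatever the decoder decides a NONE read buffer should mean, that decision has to be made before any helper that dereferences the attachment runs. A unit test that binds a read framebuffer with no colour attachment and then issues the blit, as the modified gles2_cmd_decoder_unittest_framebuffers.cc in the CL above presumably does, is the regression check for this class.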

Comment 7 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by aarya@google.com, Apr 21 2017

Cc: jaslack@google.com
Components: -Internals>GPU>WebGL Blink>WebGL
