Issue metadata
Bad-cast to blink::WebGLObject from invalid vptr;blink::WebGLProgram::deleteObjectImpl;blink::WebGLSharedObject::detachContextGroup
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6160886299623424

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x23b1ebf10028
Crash State:
  Bad-cast to blink::WebGLObject from invalid vptr
  blink::WebGLProgram::deleteObjectImpl
  blink::WebGLSharedObject::detachContextGroup

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=385614:385645

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97qNmEj1ohTZGCjqqFEXR6fAjqXspieNZu1jMWpgq_ieXYKf4zbGPY9jEJooUywWK-jmGpyEk_Xt4ZUy59AGjdxeEbwUSfkVJLWJSsANEijmvusu5ZjN3dRTPCnllXwGKN-Vm1R9xgKvYV3jJUDolS4USV_tAOtTa-cHHEy8LkoKLvWZiY?testcase_id=6160886299623424

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 22 2016
It's very unclear from the test case what the fuzzer did to the dependent files to provoke this crash. It looks to me like an unmodified copy of one of the WebGL conformance tests. If the crash is reproducible please provide clear instructions on how to produce a build which reproduces it.
Sep 22 2016
Sep 22 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 27 2016
ClusterFuzz has detected this issue as fixed in range 420833:420836.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6160886299623424

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x23b1ebf10028
Crash State:
  Bad-cast to blink::WebGLObject from invalid vptr
  blink::WebGLProgram::deleteObjectImpl
  blink::WebGLSharedObject::detachContextGroup

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=385614:385645
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=420833:420836

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97qNmEj1ohTZGCjqqFEXR6fAjqXspieNZu1jMWpgq_ieXYKf4zbGPY9jEJooUywWK-jmGpyEk_Xt4ZUy59AGjdxeEbwUSfkVJLWJSsANEijmvusu5ZjN3dRTPCnllXwGKN-Vm1R9xgKvYV3jJUDolS4USV_tAOtTa-cHHEy8LkoKLvWZiY?testcase_id=6160886299623424

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 27 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 28 2016
Oct 25 2016
Jan 3 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Sep 21 2016
Components: Blink>WebGL
Labels: Pri-1
Owner: infe...@chromium.org
Status: Assigned (was: Untriaged)