Crash in TIntermAggregate::replaceChildNodeWithMultiple |
|||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5107704660230144 Fuzzer: libfuzzer_angle_translator_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000080 Crash State: TIntermAggregate::replaceChildNodeWithMultiple TIntermTraverser::updateTree PruneEmptyDeclarationsTraverser::apply Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=423381:423433 Minimized Testcase (0.53 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94g8eoCz_WeNM6O0W3650kI6zKZsnogm9ugyoAa7MBL2U7POyInFwg1jo56vxa4KYo2NrUY_SzEsF7bQ5leZ-D5fopQh3OIrJ1knBcJxXyn86y_s_Zalm_U9eDvV0os8bmOSKfZrbiS3tNoqHNCgeLLzlNVgQ?testcase_id=5107704660230144 Issue manually filed by: ajha See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
,
Oct 19 2016
Taking a look, it is probably related the Olli's refactoring of TIntermAggregate.
,
Oct 19 2016
The crash repros with "void main() {for(int; false;);}". Sent this minimal repro to Olli so he can investigate. It is caused by PruneDeclaration wanting to prune the int; declaration and assuming its parent is a TIntermBlock when it really is a TIntermLoop.
,
Oct 23 2016
ClusterFuzz has detected this issue as fixed in range 426965:426983. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5107704660230144 Fuzzer: libfuzzer_angle_translator_fuzzer Job Type: libfuzzer_chrome_asan Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000080 Crash State: TIntermAggregate::replaceChildNodeWithMultiple TIntermTraverser::updateTree PruneEmptyDeclarationsTraverser::apply Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=423381:423433 Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=426965:426983 Minimized Testcase (0.53 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94g8eoCz_WeNM6O0W3650kI6zKZsnogm9ugyoAa7MBL2U7POyInFwg1jo56vxa4KYo2NrUY_SzEsF7bQ5leZ-D5fopQh3OIrJ1knBcJxXyn86y_s_Zalm_U9eDvV0os8bmOSKfZrbiS3tNoqHNCgeLLzlNVgQ?testcase_id=5107704660230144 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Oct 23 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||
►
Sign in to add a comment |
|||
Comment 1 by ajha@chromium.org
, Oct 18 2016Components: Internals>GPU>ANGLE
Labels: M-56 Te-Logged
Owner: cwallez@chromium.org
Status: Assigned (was: Untriaged)