Crash in blink::WebGLRenderingContextBase::validateWebGLObject
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5049067421040640
Fuzzer: mbarbella_webgl
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::WebGLRenderingContextBase::validateWebGLObject
  blink::WebGLDebugShaders::getTranslatedShaderSource
  blink::WebGLDebugShadersV8Internal::getTranslatedShaderSourceMethodCallback
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=430153:430158
Minimized Testcase (0.49 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96DRbMiM1rFQ8xinQyc6BrkJmYcKTVv7fQsUmBuyV1OHqeh4aJafId6Hj_cpLckDAf3hTuqECQvm6oYN00Z0Tf5DhkNg4kwriRf1NK6m5-yqBIn843qwBAD2rydGkkhuTD54EBlOE7kFOtyr4VOu8J4PvHRMg?testcase_id=5049067421040640

<script>
function create_program() {
}

function runTests() {
  for (i = 0; i < 5; i++) {
    var canvas = document.createElement('canvas');
    var gl = canvas.getContext('experimental-webgl');
    runTest(gl);
  }
}

function runTest(gl) {
  // `shader` is hoisted by `var` but not yet assigned at this point, so the
  // extension method is called with undefined; `ext` is the extension object
  // left over from the previous iteration's context.
  try {
    translatedSource = ext.getTranslatedShaderSource(shader)
  } catch (e) {
    ;
  }
  var shader = gl.createShader(gl.VERTEX_SHADER)
  ext = gl.getExtension("WEBGL_debug_shaders")
}
</script>
<body onload="runTests()">

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 11 2016
Is the IDL for getTranslatedShaderSource() just a bit off?

Nov 12 2016
This is caused by our DCHECKing that the shader object is non-null in validateWebGLObject(), but a few extensions still have nullable WebGLObject args where they shouldn't. The spec change and tests are in: https://github.com/KhronosGroup/WebGL/pull/2146 The CL to fix this is in: https://codereview.chromium.org/2492343003/
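The root cause described in the comment above, modelled in plain JavaScript as an added example (this is not Blink code and not the fix CL): a WebIDL binding layer converts an interface-typed argument before the implementation runs, so a non-nullable `WebGLShader` argument rejects `null`/`undefined` with a TypeError at the binding, whereas a nullable `WebGLShader?` lets `null` through to a `validateWebGLObject()` that DCHECKs it. All names here (`WebGLShaderStub`, `bindInterfaceArgument`, `getTranslatedShaderSource`, the `idl` flag object, the throwing `DCHECK`) are invented for the model.

```javascript
'use strict';

// Stand-in for a WebGL object wrapper (the real WebGLShader is C++-backed).
class WebGLShaderStub {
  constructor(id) { this.id = id; }
}

// Models a DCHECK: in a debug build a failed precondition aborts the process,
// modelled here as a thrown Error so the outcome can be observed.
function DCHECK(cond, msg) {
  if (!cond) throw new Error('DCHECK failed: ' + msg);
}

// Models validateWebGLObject() after it started assuming a non-null argument.
function validateWebGLObject(obj) {
  DCHECK(obj !== null && obj !== undefined, 'WebGLObject must be non-null');
  return obj instanceof WebGLShaderStub;
}

// WebIDL conversion of an interface-typed argument. For a non-nullable
// interface type, null/undefined (and any non-instance) must raise TypeError
// before the implementation is entered; for a nullable type (T?) null passes.
function bindInterfaceArgument(value, { nullable }) {
  if (value === null || value === undefined) {
    if (nullable) return null;
    throw new TypeError('parameter 1 is not of type WebGLShader');
  }
  if (!(value instanceof WebGLShaderStub)) {
    throw new TypeError('parameter 1 is not of type WebGLShader');
  }
  return value;
}

// Simulated extension method; `idl` carries the argument's nullability.
function getTranslatedShaderSource(idl, rawArg) {
  const shader = bindInterfaceArgument(rawArg, idl);
  if (!validateWebGLObject(shader)) return null;
  return '// translated GLSL for shader ' + shader.id;
}

// Classifies what a call does so the two IDL variants can be compared.
function outcome(idl, rawArg) {
  try {
    return { kind: 'ok', value: getTranslatedShaderSource(idl, rawArg) };
  } catch (e) {
    if (e instanceof TypeError) return { kind: 'TypeError' };
    if (e.message.startsWith('DCHECK')) return { kind: 'DCHECK' };
    throw e;
  }
}

const NULLABLE_IDL = { nullable: true };      // before the fix: WebGLShader?
const NON_NULLABLE_IDL = { nullable: false }; // after the fix: WebGLShader

// The testcase calls the method while `shader` is still undefined:
console.log(outcome(NULLABLE_IDL, undefined).kind);      // DCHECK
console.log(outcome(NON_NULLABLE_IDL, undefined).kind);  // TypeError
```

The point of the model is where the check lives: a DCHECK in the implementation is a debugging aid that is compiled out of release builds, so an argument that can legally be null at the API boundary must be rejected by the IDL-generated binding (or explicitly null-checked) rather than relied on never to arrive.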
Nov 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/71e7b573616138859c7f9c76acae969be39a4f17

commit 71e7b573616138859c7f9c76acae969be39a4f17
Author: zmo <zmo@chromium.org>
Date: Mon Nov 14 23:08:02 2016

Fix the WebGLObject arg non-nullable behaviors.

BUG= 662677
TEST=webgl_conformance,webgl2_conformance
R=kbr@chromium.org
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2492343003
Cr-Commit-Position: refs/heads/master@{#431948}

[modify] https://crrev.com/71e7b573616138859c7f9c76acae969be39a4f17/third_party/WebKit/Source/modules/webgl/EXTDisjointTimerQuery.cpp
[modify] https://crrev.com/71e7b573616138859c7f9c76acae969be39a4f17/third_party/WebKit/Source/modules/webgl/EXTDisjointTimerQuery.idl
[modify] https://crrev.com/71e7b573616138859c7f9c76acae969be39a4f17/third_party/WebKit/Source/modules/webgl/EXTDisjointTimerQueryWebGL2.cpp
[modify] https://crrev.com/71e7b573616138859c7f9c76acae969be39a4f17/third_party/WebKit/Source/modules/webgl/WebGLDebugShaders.idl
Nov 16 2016
ClusterFuzz has detected this issue as fixed in range 431896:432151.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5049067421040640
Fuzzer: mbarbella_webgl
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::WebGLRenderingContextBase::validateWebGLObject
  blink::WebGLDebugShaders::getTranslatedShaderSource
  blink::WebGLDebugShadersV8Internal::getTranslatedShaderSourceMethodCallback
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=430153:430158
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=431896:432151
Minimized Testcase (0.49 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96DRbMiM1rFQ8xinQyc6BrkJmYcKTVv7fQsUmBuyV1OHqeh4aJafId6Hj_cpLckDAf3hTuqECQvm6oYN00Z0Tf5DhkNg4kwriRf1NK6m5-yqBIn843qwBAD2rydGkkhuTD54EBlOE7kFOtyr4VOu8J4PvHRMg?testcase_id=5049067421040640

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nyerramilli@chromium.org, Nov 7 2016
Labels: -Pri-1 -Type-Bug M-56 Test-Predator-Correct-CLs Pri-2 Type-Bug-Regression
Owner: zmo@chromium.org
Status: Assigned (was: Untriaged)