Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5213338889093120
Fuzzer: libfuzzer_angle_translator_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  pplex
  pp::Tokenizer::lex
  pp::DirectiveParser::lex
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=420371:420478
Minimized Testcase (0.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94dZtes6vzhRl3alzjJq1R4Ng7Li-BDOA5zL5GKVfG0Yl5trxEXpC2xuJz7YI3fGMGmtxqeupzM2vKrtzZMggSQfrIDK2I9qERIojDu1bqZUxxgLG_RZyQuBJAOeb9E6fcOA8FpNJt32TZ0pOkr6E3fBhwPyQ?testcase_id=5213338889093120
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
cwallez: Can you investigate or assign to somebody else?
A fix is up at https://chromium-review.googlesource.com/c/435042/ but blocked by a flex bug. I will wait for the next flex release to revisit the patches, this failure being very benign.
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/168d5e805a539945d565808c667f96f2a0d338be

commit 168d5e805a539945d565808c667f96f2a0d338be
Author: Corentin Wallez <cwallez@chromium.org>
Date: Mon Jun 05 15:58:10 2017

compiler: Regenerate parser with latest flex and bison

Flex version is 2.6.4
Bison version is 3.0.4

BUG= chromium:668842
Change-Id: Ia05ae338c9b9e588534f8346ff5c59ed747c56bf
Reviewed-on: https://chromium-review.googlesource.com/435553
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Commit-Queue: Jamie Madill <jmadill@chromium.org>

[modify] https://crrev.com/168d5e805a539945d565808c667f96f2a0d338be/src/compiler/preprocessor/Tokenizer.cpp
[modify] https://crrev.com/168d5e805a539945d565808c667f96f2a0d338be/src/compiler/translator/glslang_lex.cpp
[modify] https://crrev.com/168d5e805a539945d565808c667f96f2a0d338be/src/compiler/translator/glslang_tab.h
[modify] https://crrev.com/168d5e805a539945d565808c667f96f2a0d338be/src/compiler/translator/64bit-lexer-safety.patch
[modify] https://crrev.com/168d5e805a539945d565808c667f96f2a0d338be/src/compiler/preprocessor/64bit-tokenizer-safety.patch
[modify] https://crrev.com/168d5e805a539945d565808c667f96f2a0d338be/src/compiler/translator/glslang_tab.cpp
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/dc0fa46a224d4820b2c77ed08206e577de9d2ecf

commit dc0fa46a224d4820b2c77ed08206e577de9d2ecf
Author: Corentin Wallez <cwallez@chromium.org>
Date: Mon Jun 05 19:48:19 2017

preprocessor: Check for line number overflow

Also remove dead code in Tokenizer.l

BUG= chromium:668842
Change-Id: Ice18313a64f0bb2242299993bfaa882a6578ad54
Reviewed-on: https://chromium-review.googlesource.com/435042
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Commit-Queue: Corentin Wallez <cwallez@chromium.org>

[modify] https://crrev.com/dc0fa46a224d4820b2c77ed08206e577de9d2ecf/src/compiler/preprocessor/Tokenizer.cpp
[modify] https://crrev.com/dc0fa46a224d4820b2c77ed08206e577de9d2ecf/src/compiler/preprocessor/Tokenizer.l
[modify] https://crrev.com/dc0fa46a224d4820b2c77ed08206e577de9d2ecf/src/tests/preprocessor_tests/location_test.cpp
[modify] https://crrev.com/dc0fa46a224d4820b2c77ed08206e577de9d2ecf/src/compiler/preprocessor/Token.h
[modify] https://crrev.com/dc0fa46a224d4820b2c77ed08206e577de9d2ecf/src/compiler/preprocessor/DiagnosticsBase.h
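The fix referenced above adds an overflow check on the preprocessor's line number, which is the kind of signed-integer wrap UBSan reports as "Integer-overflow". The following is an added illustration, not ANGLE's code and not the content of that commit: a hypothetical `LineTracker` and `scanSource` that refuse to advance a line counter past `INT_MAX` and reject `#line` operands outside the `int` range, emitting a diagnostic instead of wrapping. The input strings are constructed for the example.

```cpp
#include <climits>
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical, simplified line tracker (assumption: not ANGLE's pp::Tokenizer).
struct LineTracker {
    int line = 1;                          // current 1-based line number
    bool overflowed = false;               // set once a wrap would have occurred
    std::vector<std::string> diagnostics;  // messages a real lexer would report

    // Advance by one line on '\n'. Checks the bound before incrementing, so
    // the increment itself can never be undefined behaviour.
    bool advance() {
        if (line == INT_MAX) {
            overflowed = true;
            diagnostics.push_back("line number overflow");
            return false;
        }
        ++line;
        return true;
    }

    // Apply a `#line N` operand. The digit string may exceed int range, so
    // accumulate in a wider type with an explicit bound check rather than atoi().
    bool setLine(const std::string &digits) {
        if (digits.empty()) return false;
        long long value = 0;
        for (char c : digits) {
            if (c < '0' || c > '9') return false;
            value = value * 10 + (c - '0');
            if (value > INT_MAX) {
                overflowed = true;
                diagnostics.push_back("#line operand out of range");
                return false;
            }
        }
        line = static_cast<int>(value);
        return true;
    }
};

struct ScanResult {
    int finalLine;    // line number the tracker ended on
    bool overflowed;  // true if scanning stopped because of an overflow
};

// Walk a source buffer, honouring `#line N` directives (the line after the
// directive is numbered N) and stopping at the first overflow instead of wrapping.
ScanResult scanSource(const std::string &src) {
    LineTracker t;
    const std::string kDirective = "#line ";
    std::size_t pos = 0;
    while (pos < src.size()) {
        std::size_t nl = src.find('\n', pos);
        if (nl == std::string::npos) nl = src.size();
        std::string lineText = src.substr(pos, nl - pos);
        if (lineText.compare(0, kDirective.size(), kDirective) == 0) {
            // The following line carries number N, so no additional advance here.
            if (!t.setLine(lineText.substr(kDirective.size()))) break;
        } else if (nl < src.size()) {
            if (!t.advance()) break;
        }
        pos = nl + 1;
    }
    return {t.line, t.overflowed};
}
```

Usage: `scanSource("a\nb\n#line 10\nc\n")` ends on line 11 with no overflow, while `scanSource("#line 2147483647\nx\ny\n")` stops at `INT_MAX` with `overflowed` set; the second case is the shape of input a fuzzer finds when the counter is a plain `++line` with no bound check.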
ClusterFuzz has detected this issue as fixed in range 477633:477688.

Detailed report: https://clusterfuzz.com/testcase?key=5213338889093120
Fuzzer: libFuzzer_angle_translator_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  pplex
  pp::Tokenizer::lex
  pp::DirectiveParser::lex
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=420371:420478
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=477633:477688
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5213338889093120
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
ClusterFuzz testcase 5213338889093120 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ajha@chromium.org, Nov 27 2016