Crash in gpu::gles2::QueryManager::Query::target
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6095252055392256
Fuzzer: libfuzzer_gpu_angle_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000018
Crash State:
  gpu::gles2::QueryManager::Query::target
  gpu::gles2::GLES2DecoderImpl::HandleBeginQueryEXT
  gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=437900:437927
Minimized Testcase (0.07 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94Hm-0OpKxGH6YfaXLOE6p1dV6OHRbnjrSdoyZFHCD_KAJeA9Yw5i4bx0BCcbdgLVvdZr0PeNR7ohdRpwiwgiX-SmdNMb0fTcqxsvNtkWAOJWKjrPaF6vewggHK_RSK_HO5Yfu6NEu2_yQYovFQIJmc-ffGSg?testcase_id=6095252055392256

Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Dec 21 2016
I doubt that it's related to my change, since it's Android only and not related to HandleBeginQueryEXT. I'll take a look.
Dec 21 2016
Over to kbr, who has more context on the right fix. It looks like GLES2DecoderImpl::HandleBeginQueryEXT is being passed a target of GL_SAMPLES_PASSED, which QueryManager::CreateQuery doesn't support since kbr's https://codereview.chromium.org/1335393002 a very long time ago. Neither the cmd decoder nor query_manager have changed in the last year in a way that would prevent this fuzzer error. I'm not sure what's in the regression range or why this only showed up now. Either way, it seems like those two functions are out of sync, and maybe something else changed elsewhere that was hiding this. I'm not sure what the right behavior is. For completeness, GL_SAMPLES_PASSED was added to HandleBeginQueryEXT in https://chromium.googlesource.com/chromium/src/+/221f3e4e56a495c10eb9660eb4249af672c57c6e which was also a very long time ago.
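As an added illustration of the mismatch described in the comment above (example code, not Chromium's own): a small C++ model in which the decoder's accepted-target set and QueryManager::CreateQuery's supported set disagree, the consistency check that exposes the gap, and the handler after the fix. Function and type names mirror the page; the enum values are those of the Khronos GL headers; everything else is constructed for illustration.

```cpp
#include <cstdint>
#include <memory>
#include <set>
#include <vector>
using GLenum = uint32_t;
constexpr GLenum GL_NO_ERROR = 0;
constexpr GLenum GL_INVALID_ENUM = 0x0500;
constexpr GLenum GL_SAMPLES_PASSED = 0x8914;                   // desktop GL only
constexpr GLenum GL_ANY_SAMPLES_PASSED = 0x8C2F;               // OpenGL ES
constexpr GLenum GL_ANY_SAMPLES_PASSED_CONSERVATIVE = 0x8D6A;  // OpenGL ES

struct Query { GLenum target; };
// Stand-in for QueryManager::CreateQuery: it only knows the GLES targets and
// returns nullptr for anything else rather than failing loudly.
struct QueryManager {
  std::unique_ptr<Query> CreateQuery(GLenum target) {
    static const std::set<GLenum> kSupported = {GL_ANY_SAMPLES_PASSED,
                                                GL_ANY_SAMPLES_PASSED_CONSERVATIVE};
    if (!kSupported.count(target)) return nullptr;
    return std::make_unique<Query>(Query{target});
  }
};

// Targets the decoder let through before and after the fix; the 'before' set
// still lists the desktop-only GL_SAMPLES_PASSED that the manager cannot create.
const std::set<GLenum>& DecoderTargets(bool fixed) {
  static const std::set<GLenum> kBefore = {GL_SAMPLES_PASSED, GL_ANY_SAMPLES_PASSED,
                                           GL_ANY_SAMPLES_PASSED_CONSERVATIVE};
  static const std::set<GLenum> kAfter = {GL_ANY_SAMPLES_PASSED,
                                          GL_ANY_SAMPLES_PASSED_CONSERVATIVE};
  return fixed ? kAfter : kBefore;
}
// Consistency check for a unit test: every target the decoder accepts must be
// one the manager can create. A non-empty result is the gap the fuzzer hit.
std::vector<GLenum> TargetsDecoderAcceptsButManagerRejects(bool fixed) {
  QueryManager manager;
  std::vector<GLenum> gaps;
  for (GLenum t : DecoderTargets(fixed))
    if (!manager.CreateQuery(t)) gaps.push_back(t);
  return gaps;
}
// HandleBeginQueryEXT after the fix: validate the target first and never touch a
// null Query (crash address 0x18 is consistent with Query::target read via null).
GLenum HandleBeginQueryEXT(GLenum target) {
  if (!DecoderTargets(/*fixed=*/true).count(target)) return GL_INVALID_ENUM;
  QueryManager manager;
  std::unique_ptr<Query> q = manager.CreateQuery(target);
  return q ? GL_NO_ERROR : GL_INVALID_ENUM;  // keep the guard: the two sets can drift again
}
```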
Dec 21 2016
Fix coming in https://codereview.chromium.org/2592253002/ . Looks like a longstanding oversight.
Dec 21 2016
Dec 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5dadf19d180d9cb216c15f890780757cbdc4f35d

commit 5dadf19d180d9cb216c15f890780757cbdc4f35d
Author: kbr <kbr@chromium.org>
Date: Thu Dec 22 02:14:04 2016

Disallow GL_SAMPLES_PASSED as a query target.

This is from desktop OpenGL. It doesn't exist in OpenGL ES.

BUG=676140
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2592253002
Cr-Commit-Position: refs/heads/master@{#440313}

[modify] https://crrev.com/5dadf19d180d9cb216c15f890780757cbdc4f35d/gpu/command_buffer/service/gles2_cmd_decoder.cc
[modify] https://crrev.com/5dadf19d180d9cb216c15f890780757cbdc4f35d/gpu/command_buffer/service/gles2_cmd_decoder_unittest.cc
Dec 22 2016
ClusterFuzz has detected this issue as fixed in range 440301:440341.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6095252055392256
Fuzzer: libfuzzer_gpu_angle_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000018
Crash State:
  gpu::gles2::QueryManager::Query::target
  gpu::gles2::GLES2DecoderImpl::HandleBeginQueryEXT
  gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=437900:437927
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=440301:440341
Minimized Testcase (0.07 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94Hm-0OpKxGH6YfaXLOE6p1dV6OHRbnjrSdoyZFHCD_KAJeA9Yw5i4bx0BCcbdgLVvdZr0PeNR7ohdRpwiwgiX-SmdNMb0fTcqxsvNtkWAOJWKjrPaF6vewggHK_RSK_HO5Yfu6NEu2_yQYovFQIJmc-ffGSg?testcase_id=6095252055392256

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 22 2016
ClusterFuzz testcase 6095252055392256 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mummare...@chromium.org, Dec 21 2016
Labels: Test-Predator-Wrong M-57
Owner: liber...@chromium.org
Status: Assigned (was: Untriaged)