Incorrect-function-pointer-type in gl::GLSurfaceEGL::InitializeDisplay
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6599899337719808
Fuzzer: libfuzzer_gpu_angle_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Incorrect-function-pointer-type
Crash Address:
Crash State:
  gl::GLSurfaceEGL::InitializeDisplay
  gl::GLSurfaceEGL::InitializeOneOff
  gl::init::InitializeGLOneOffPlatform
Sanitizer: undefined (UBSAN)
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=441478:441566
Minimized Testcase (0.00 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96d8M3H-LFcDmBSKws6hHgds-phv0wMK76K9uz9vNUZwCPin7Y8XD-qQAoH0kplQZb11cy0WKQ0T_O8XZ_DTxrUAz6zQFDu1btAoCCSQJC-4LrRNmweT3wzqI9WG_V6wCANxb5S8PUykhhc0O6qbF-AXiGNcHreHcHZJICz8bEmKHetLbHPWNIOGqCUmE0W--lhclCAhkNEEeKfOZuJvEi3c36Hj9zHvAXF13bYeVqwfCIY7Wlpa3kMBjh6at0QPjGh-Lpnemfsh7IZdAE-fh3AJtkymmmtXZOFpeEFoSl9xsNKgNcw6FkSkCD8vJGCRqDplHoIHz6ZldWFdfbgltLeBKNgzx5xD8Szc1gCCeGEXSKNkEg?testcase_id=6599899337719808
Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Jan 6 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jan 6 2017

Jan 6 2017
jbauman: I think this may be from https://chromium.googlesource.com/chromium/src/+/7fd0040966be7c3ba0fc0dda7a6b39e91a845906. Can you take a look?

Jan 6 2017
This shouldn't be a security bug, because it happens on GPU process startup only and isn't controllable by users. I think the reason it happens after my patch is that previously it always crashed earlier due to the other bug. I don't know what could cause this one, as the function pointer type "void (*)(angle::Platform *)" should match the type of ANGLEPlatformInitialize. Maybe it thinks the two angle::Platforms are separate types because they're referenced from different SOs (and the class isn't exported)?

Jan 9 2017
John, not sure what's going on here. There could be some weirdness with the angle Platform here. We shouldn't be using angle::Platform on Linux currently, because ANGLE isn't available by default. And I believe fuzzing happens always on Linux?

Jan 9 2017
This could be due to Corentin's change to use the ANGLE platform on more configurations. https://codereview.chromium.org/2548253003/

Jan 10 2017
If this fuzzer is running on top of ANGLE on Linux, then it should be using the platform, as Geoff pointed out. We can try exporting the class, not sure if it would help. Note that for now only jbauman@ can see the detailed clusterfuzz report (only the issue owner can).

Jan 10 2017

Jan 16 2017
I'm not sure how to fix this one: exporting the class isn't enough, and if ANGLEPlatformInitialize is changed to use void* then the following error happens:
../../third_party/angle/src/libANGLE/Display.cpp:435:5: runtime error: member call on address 0x00000cd00c08 which does not point to an object of type 'angle::Platform'
0x00000cd00c08: note: object is of type 'gl::ANGLEPlatformImpl'
00 00 00 00 b0 12 9a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'gl::ANGLEPlatformImpl'
#0 0x7fc6512a40bd in ScopedHistogramTimer0 third_party/angle/src/libANGLE/Display.cpp:435:5
#1 0x7fc6512a40bd in egl::Display::initialize() third_party/angle/src/libANGLE/Display.cpp:435
#2 0x7fc6510ecb11 in egl::Initialize(void*, int*, int*) third_party/angle/src/libGLESv2/entry_points_egl.cpp:65:28
#3 0x95fb2b in gl::GLSurfaceEGL::InitializeDisplay(_XDisplay*) ui/gl/gl_surface_egl.cc:673:10
#4 0x95e67f in gl::GLSurfaceEGL::InitializeOneOff(_XDisplay*) ui/gl/gl_surface_egl.cc:488:3
#5 0x2b8fc00 in gl::init::InitializeGLOneOffPlatform() ui/gl/init/gl_initializer_x11.cc:147:12
#6 0x2b8f7bc in gl::init::InitializeGLOneOffImplementation(gl::GLImplementation, bool, bool, bool) ui/gl/init/gl_factory.cc:65:43
#7 0x4b0175 in CommandBufferSetup gpu/command_buffer/tests/fuzzer_main.cc:105:5
#8 0x4b0175 in __cxx_global_var_init gpu/command_buffer/tests/fuzzer_main.cc:317
#9 0x4b0175 in _GLOBAL__sub_I_fuzzer_main.cc gpu/command_buffer/tests/fuzzer_main.cc
#10 0x33d5a0c in __libc_csu_init (/mnt/dev/chromium/src/out/lsan/gpu_angle_fuzzer+0x33d5a0c)
#11 0x7fc7a008fed4 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:246
#12 0x4ba97c in _start (/mnt/dev/chromium/src/out/lsan/gpu_angle_fuzzer+0x4ba97c)
ANGLE and Chromium are never linked together and ANGLE is loaded through dlsym only which makes the visibility = "default" do nothing. I'm not sure I understand all of this but seems that the correct fix would be to have a small library containing the angle::Platform typeinfo that gets linked both in ANGLE and Chromium. What do you think?
Repro instructions (the fuzzer case is empty, so the failure is hit directly):
gn args out/lsan with
use_libfuzzer=true
is_lsan=true
is_asan=true
is_debug=false
is_ubsan_security=true
enable_nacl=false
export UBSAN_OPTIONS=halt_on_error=1:print_stacktrace=1:external_symbolizer_path=/path/to/chrome/src/out/Release/llvm-symbolizer
ninja -C out/lsan gpu_angle_fuzzer && ./out/lsan/gpu_angle_fuzzer

Jan 17 2017
I'm not sure making a separate library will work - if it's static, the global platform will be duplicated, and one or the other won't communicate with the second. If it's shared, then we'd have to ship this weird DLL in Chrome. There must be a way to export a class pointer such that it can be communicated through dlsym. Maybe we can ask someone who's an expert with such things on Linux? Nico, do you have any experience with this kind of issue?

Jan 17 2017
I lack context here, but while it's possible to dlsym class objects, having an exported c++ API generally is a bad idea for several reasons. Can you summarize what you're trying to do and how you're currently doing it?

Jan 17 2017
We're trying to fix a fuzzer error; I'm not too clear on the details. Something where dlsym is having trouble, but I'm not an expert on this. The class is based on the same design pattern as blink_platform_impl.h, https://cs.chromium.org/chromium/src/content/child/blink_platform_impl.h?q=blink_platform_impl&sq=package:chromium&l=1. I don't know if there's a pure C alternative, except for maybe exposing a struct of function pointers, which isn't too different really.

Jan 17 2017
thakis: Basically we are doing like the blink platform, except that the SOs are not linked together and instead dlsymed. We chatted more about this with Geoff this morning, replacing the platform with an ANGLESetGlobalCallback(enum, void (*)()) would probably fix the problem. A table of function pointers would cause problems when ANGLE and Chrome's version don't match.

Jan 17 2017
Can you loop me into the conversation? I don't like the thought of using a global set or something like that for platform calls. Also I'm not worried at all about the version mismatch. That's just something we can live with. I still don't understand the problem with the fuzzer here.

Jan 24 2017
Blink is only built as a .so in shared-library builds, which are developer-only, and both halves of the API are built locally with the same settings. If that's true for your set-up too, then all is good. But having a C++ API where client and library are built separately and the .so is distributed is not good, so if we have that somewhere or want to do that, please talk to me.

Jan 24 2017
I'd like to revisit this when I'm back in front of my Linux machine. I'm 100% sure we don't ever build the client or library differently, so I think we can resolve this without a redesign, but I'd have to be at my Linux machine to verify.

Feb 1 2017

Feb 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/b874fe9617c7931775d65005298aac8276d2f65e

commit b874fe9617c7931775d65005298aac8276d2f65e
Author: Jamie Madill <jmadill@chromium.org>
Date: Fri Feb 03 20:39:02 2017

Fix missing trace_event header.

Noticed this while investigating the tracing code.

BUG=chromium:678870
Change-Id: I016c8532044b8f105ddda67f7e06c6b5ed9c61fb
Reviewed-on: https://chromium-review.googlesource.com/437647
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Commit-Queue: Jamie Madill <jmadill@chromium.org>

[modify] https://crrev.com/b874fe9617c7931775d65005298aac8276d2f65e/src/libGLESv2.gypi

Feb 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c22f8da406c35d6f6579ec86421849063b9cd9bb

commit c22f8da406c35d6f6579ec86421849063b9cd9bb
Author: jmadill <jmadill@chromium.org>
Date: Mon Feb 06 23:58:44 2017

Roll ANGLE ea20d62..34bf2d9

https://chromium.googlesource.com/angle/angle.git/+log/ea20d62..34bf2d9

BUG=667979, chromium:678870, angleproject:1644, 668223, chromium:662702, chromium:688419
TBR=geofflang@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2675413002
Cr-Commit-Position: refs/heads/master@{#448449}

[modify] https://crrev.com/c22f8da406c35d6f6579ec86421849063b9cd9bb/DEPS

Feb 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/b1eeba1f20199497a4951e9e791dbcc862399ca4

commit b1eeba1f20199497a4951e9e791dbcc862399ca4
Author: Jamie Madill <jmadill@chromium.org>
Date: Mon Feb 13 23:12:23 2017

Use a C API for the ANGLE platform.

The main purpose of this change is to fix a fuzzer bug where we would trigger undefined behaviour calling between Chrome and ANGLE. It's not specced how virtual function calls work if the shared objects are not directly linked together, and ANGLE and Chrome are not linked.

Replace the old class-style API with a C dispatch table. Follow-up work will make the Platform owned by the Display instead of using global variables, but fixing this is a bit tricky.

BUG=angleproject:1892
BUG=chromium:678870
Change-Id: Iad188bc2e50f2b5e4a03ce0de233d686f569c705
Reviewed-on: https://chromium-review.googlesource.com/441273
Commit-Queue: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>

[modify] https://crrev.com/b1eeba1f20199497a4951e9e791dbcc862399ca4/src/libANGLE/renderer/d3d/d3d11/Renderer11.cpp
[modify] https://crrev.com/b1eeba1f20199497a4951e9e791dbcc862399ca4/src/libANGLE/Platform.cpp
[modify] https://crrev.com/b1eeba1f20199497a4951e9e791dbcc862399ca4/src/libGLESv2/entry_points_egl.cpp
[modify] https://crrev.com/b1eeba1f20199497a4951e9e791dbcc862399ca4/src/common/event_tracer.cpp
[modify] https://crrev.com/b1eeba1f20199497a4951e9e791dbcc862399ca4/src/common/event_tracer.h
[modify] https://crrev.com/b1eeba1f20199497a4951e9e791dbcc862399ca4/src/libANGLE/LoggingAnnotator.cpp
[modify] https://crrev.com/b1eeba1f20199497a4951e9e791dbcc862399ca4/src/libANGLE/renderer/d3d/d3d11/renderer11_utils.cpp
[modify] https://crrev.com/b1eeba1f20199497a4951e9e791dbcc862399ca4/src/libANGLE/histogram_macros.h
[modify] https://crrev.com/b1eeba1f20199497a4951e9e791dbcc862399ca4/src/libANGLE/renderer/d3d/d3d9/renderer9_utils.cpp
[modify] https://crrev.com/b1eeba1f20199497a4951e9e791dbcc862399ca4/include/platform/Platform.h
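The pattern the thread settles on, in the comment proposing a C-style callback setter and in the "Use a C API for the ANGLE platform" commit above, is worth seeing in working form. The block below is an added example, not ANGLE's or Chromium's code and not the contents of that commit: it models a library and an embedder that are never linked together, resolve one entry point by name (as dlsym or eglGetProcAddress would) and then exchange only a plain struct of C-linkage function pointers, so no C++ typeinfo or vtable layout has to agree across the boundary. A struct_size field lets the library refuse a table built against a different layout instead of reading past its end. Every name here (PlatformMethods, RegisterPlatformMethods, LookupSymbol, the callbacks, the 1234.5 clock value) is hypothetical or constructed for the example. Compiled with clang's -fsanitize=undefined, which includes the function and vptr checks behind this report, every call goes through a pointer whose type matches the callee's prototype, so nothing is flagged.

```cpp
// Added example, not ANGLE's or Chromium's own code: a C-style dispatch
// table for platform callbacks that cross a dlsym'd module boundary, the
// shape of fix the thread converges on. Every name here (PlatformMethods,
// RegisterPlatformMethods, LookupSymbol, ...) is hypothetical.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <map>
#include <string>
// Only plain data and C-linkage function pointers cross the boundary, so
// neither side needs the other's C++ typeinfo or vtable layout to match.
extern "C" {
typedef void (*LogCallback)(void* context, const char* message);
typedef double (*MonotonicTimeCallback)(void* context);
typedef void (*GenericFn)();  // what a GetProcAddress-style lookup returns
struct PlatformMethods {
    size_t struct_size;       // caller sets sizeof(PlatformMethods)
    void* context;            // opaque client pointer handed back to callbacks
    LogCallback log;
    MonotonicTimeCallback monotonicTime;
};
}

// "Library" side (would live in the loaded .so). Calls go through the table
// and skip entries the client left null.
namespace lib {
static PlatformMethods g_methods = {};  // all-zero table: no platform registered
void LogFromLibrary(const char* msg) {
    if (g_methods.log) g_methods.log(g_methods.context, msg);
}
double TimeFromLibrary() {
    return g_methods.monotonicTime ? g_methods.monotonicTime(g_methods.context) : 0.0;
}
}  // namespace lib

// Entry points with C linkage: a fixed name plus a C signature is the whole
// contract. The size check refuses a client built against a different table
// layout rather than reading past the end of its struct.
extern "C" bool RegisterPlatformMethods(const PlatformMethods* methods) {
    if (methods == nullptr || methods->struct_size != sizeof(PlatformMethods))
        return false;
    std::memcpy(&lib::g_methods, methods, sizeof(PlatformMethods));
    return true;
}
extern "C" void UnregisterPlatformMethods() { std::memset(&lib::g_methods, 0, sizeof(PlatformMethods)); }

// Stand-in for dlsym/eglGetProcAddress: resolve an entry point by name only.
GenericFn LookupSymbol(const std::string& name) {
    static const std::map<std::string, GenericFn> table = {
        {"RegisterPlatformMethods", reinterpret_cast<GenericFn>(&RegisterPlatformMethods)},
    };
    auto it = table.find(name);
    return it == table.end() ? nullptr : it->second;
}

// "Client" side (would live in the embedder). Free functions with exactly the
// typedef'd signatures: a call through the matching pointer type is what
// -fsanitize=function accepts.
namespace client {
struct ClientState { std::string last_log; int calls = 0; };
void LogImpl(void* context, const char* message) {
    auto* st = static_cast<ClientState*>(context);
    st->last_log = message;
    st->calls++;
}
double TimeImpl(void* context) {
    static_cast<ClientState*>(context)->calls++;
    return 1234.5;  // constructed value standing in for a monotonic clock
}
bool InitializePlatform(ClientState* st) {
    using RegisterFn = bool (*)(const PlatformMethods*);
    GenericFn sym = LookupSymbol("RegisterPlatformMethods");
    if (!sym) return false;
    PlatformMethods m = {};
    m.struct_size = sizeof(PlatformMethods);
    m.context = st;
    m.log = &LogImpl;
    m.monotonicTime = &TimeImpl;
    return reinterpret_cast<RegisterFn>(sym)(&m);
}
}  // namespace client

// Scenario 1: register, let the library call back twice, report the count (2).
int DemoCallbacksSeen() {
    client::ClientState st;
    if (!client::InitializePlatform(&st)) return -1;
    lib::LogFromLibrary("display initialized");
    double t = lib::TimeFromLibrary();
    UnregisterPlatformMethods();  // st is about to go out of scope; drop the pointer
    return (t == 1234.5 && st.last_log == "display initialized") ? st.calls : -1;
}
// Scenario 2: a table declared one pointer short (a stale client build) is refused.
bool DemoRejectsMismatchedTable() {
    PlatformMethods m = {};
    m.struct_size = sizeof(PlatformMethods) - sizeof(void*);
    return !RegisterPlatformMethods(&m) && lib::g_methods.log == nullptr;
}
int main() { std::printf("%d %d\n", DemoCallbacksSeen(), DemoRejectsMismatchedTable()); return 0; }
```

The design point is that the only things the two modules must agree on are a symbol name, a C prototype and a struct layout, all of which are checkable at runtime; a virtual class crossing the same boundary has to agree on vtable layout and RTTI, which nothing checks and which the sanitizer reports when the two sides' typeinfo objects differ. The struct_size check is the version-mismatch guard the thread debates: an older client registers a shorter table and is refused, rather than the library reading one pointer past what the client wrote.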

Feb 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/dbffdfbda887ee4f34307479fc8c0f707f086cc5

commit dbffdfbda887ee4f34307479fc8c0f707f086cc5
Author: Jamie Madill <jmadill@chromium.org>
Date: Tue Feb 14 01:29:25 2017

Fix counting of the new platform methods.

The context pointer was throwing off the count by one. Also change the type to void * for ease of use.

BUG=angleproject:1892
BUG=chromium:678870
Change-Id: Iffac667f0aa896d9247e9ffddfeb3bc447a9692f
Reviewed-on: https://chromium-review.googlesource.com/441931
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Commit-Queue: Jamie Madill <jmadill@chromium.org>

[modify] https://crrev.com/dbffdfbda887ee4f34307479fc8c0f707f086cc5/include/platform/Platform.h
[modify] https://crrev.com/dbffdfbda887ee4f34307479fc8c0f707f086cc5/src/libANGLE/Platform.cpp

Feb 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/879aaac59dca262da89e57b8048722dd69050ff9

commit 879aaac59dca262da89e57b8048722dd69050ff9
Author: jmadill <jmadill@chromium.org>
Date: Tue Feb 14 02:04:26 2017

Roll ANGLE 875bbba..b1eeba1

https://chromium.googlesource.com/angle/angle.git/+log/875bbba..b1eeba1

BUG=chromium:678870, 602737
TBR=geofflang@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2693003002
Cr-Commit-Position: refs/heads/master@{#450197}

[modify] https://crrev.com/879aaac59dca262da89e57b8048722dd69050ff9/DEPS

Feb 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/190ccc9054ea38a03149507e29f6d31692470d46

commit 190ccc9054ea38a03149507e29f6d31692470d46
Author: jmadill <jmadill@chromium.org>
Date: Tue Feb 14 04:51:41 2017

Roll ANGLE b1eeba1..ceb1048

https://chromium.googlesource.com/angle/angle.git/+log/b1eeba1..ceb1048

BUG=chromium:678870
TBR=geofflang@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2695633003
Cr-Commit-Position: refs/heads/master@{#450254}

[modify] https://crrev.com/190ccc9054ea38a03149507e29f6d31692470d46/DEPS

Feb 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/98835277ee20b81f876857e87bbb7081a5e722b2

commit 98835277ee20b81f876857e87bbb7081a5e722b2
Author: jmadill <jmadill@chromium.org>
Date: Tue Feb 14 17:27:31 2017

gpu: Update ANGLE Platform integration.

The new methods use a C-style API to fix undefined behaviour across module boundaries. They also associate the platform with an EGL display, instead of using an ANGLE-global variable.

Must be landed after https://chromium-review.googlesource.com/c/441273/

BUG=chromium:678870
R=jbauman@chromium.org, kbr@chromium.org

Review-Url: https://codereview.chromium.org/2697463003
Cr-Commit-Position: refs/heads/master@{#450394}

[modify] https://crrev.com/98835277ee20b81f876857e87bbb7081a5e722b2/ui/gl/DEPS
[modify] https://crrev.com/98835277ee20b81f876857e87bbb7081a5e722b2/ui/gl/angle_platform_impl.cc
[modify] https://crrev.com/98835277ee20b81f876857e87bbb7081a5e722b2/ui/gl/angle_platform_impl.h
[modify] https://crrev.com/98835277ee20b81f876857e87bbb7081a5e722b2/ui/gl/gl_surface_egl.cc

Feb 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/angle/angle/+/abf38572062b91d483e95d01ba7d668faefa0fe8

commit abf38572062b91d483e95d01ba7d668faefa0fe8
Author: Jamie Madill <jmadill@chromium.org>
Date: Wed Feb 15 00:32:55 2017

Remove old C++ ANGLE platform.

Now that the new platform is in place, we can remove the old methods.

Must be landed after https://codereview.chromium.org/2697463003/

BUG=angleproject:1892
BUG=chromium:678870
Change-Id: Ia29a3b120cf3521fc0409019c2e64e4dbc6f460d
Reviewed-on: https://chromium-review.googlesource.com/441274
Commit-Queue: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>

[modify] https://crrev.com/abf38572062b91d483e95d01ba7d668faefa0fe8/src/tests/test_utils/ANGLETest.h
[modify] https://crrev.com/abf38572062b91d483e95d01ba7d668faefa0fe8/src/tests/egl_tests/EGLDeviceTest.cpp
[modify] https://crrev.com/abf38572062b91d483e95d01ba7d668faefa0fe8/src/tests/egl_tests/EGLX11VisualTest.cpp
[modify] https://crrev.com/abf38572062b91d483e95d01ba7d668faefa0fe8/src/libANGLE/Platform.cpp
[modify] https://crrev.com/abf38572062b91d483e95d01ba7d668faefa0fe8/src/libANGLE/Display.cpp
[modify] https://crrev.com/abf38572062b91d483e95d01ba7d668faefa0fe8/src/libGLESv2/entry_points_egl.cpp
[modify] https://crrev.com/abf38572062b91d483e95d01ba7d668faefa0fe8/src/common/event_tracer.cpp
[modify] https://crrev.com/abf38572062b91d483e95d01ba7d668faefa0fe8/src/tests/perf_tests/EGLInitializePerf.cpp
[modify] https://crrev.com/abf38572062b91d483e95d01ba7d668faefa0fe8/src/libGLESv2/libGLESv2.def
[modify] https://crrev.com/abf38572062b91d483e95d01ba7d668faefa0fe8/src/tests/test_utils/ANGLETest.cpp
[modify] https://crrev.com/abf38572062b91d483e95d01ba7d668faefa0fe8/include/platform/Platform.h
[modify] https://crrev.com/abf38572062b91d483e95d01ba7d668faefa0fe8/src/third_party/trace_event/trace_event.h

Feb 15 2017
ClusterFuzz has detected this issue as fixed in range 450383:450426.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6599899337719808
Fuzzer: libfuzzer_gpu_angle_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Incorrect-function-pointer-type
Crash Address:
Crash State:
  gl::GLSurfaceEGL::InitializeDisplay
  gl::GLSurfaceEGL::InitializeOneOff
  gl::init::InitializeGLOneOffPlatform
Sanitizer: undefined (UBSAN)
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=441478:441566
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=450383:450426
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv949_42TJOGcM489QrAQq21xrsBMnf-nA58LtGMFTo_oWVV4_1i-56Kx2VQDiSBwrMCpDzCxAxPJbw6FBIrvBzQ6boUoW5SBm70xpHY3WEfcwGfFJDiv5d9wgLWy_zTI_hs7v_ZRE5twoSGX_xeRH8McHJLvpk5iP9ckDv9FSkGhsPRmNMgwqRdTXXRZ-A4Fu1iZeL_yLkb-kA9GuXOfO56OzThbCFV0wXV_JlS_BRE3eSXwsTtDOp4tm4Eik6KnohnuvPb9pbBLtqNN5K3RLc_ONpjsj-SFYfNnR8kyFmta5w4bITWvlq5ADoFt93-WUQX9-9gYZWJ69V3dKz5uL9-O_dDPwPqhnQQaM7qgScVs0Jw_pcE?testcase_id=6599899337719808
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Feb 15 2017
ClusterFuzz testcase 6599899337719808 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Feb 15 2017

Feb 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/085d96d2ce61f416d03f95f228196f55746e63ed

commit 085d96d2ce61f416d03f95f228196f55746e63ed
Author: cwallez <cwallez@chromium.org>
Date: Wed Feb 15 16:52:29 2017

Roll ANGLE 6137ddc..92db39e

https://chromium.googlesource.com/angle/angle.git/+log/6137ddc..92db39e

BUG=chromium:678870, 602737
TBR=geofflang@chromium.org
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2698673002
Cr-Commit-Position: refs/heads/master@{#450725}

[modify] https://crrev.com/085d96d2ce61f416d03f95f228196f55746e63ed/DEPS

May 24 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot