Incorrect-function-pointer-type in sh::TInfoSinkBase::operator<<
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5557601535524864
Fuzzer: libfuzzer_gpu_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Incorrect-function-pointer-type
Crash Address:
Crash State:
  sh::TInfoSinkBase::operator<<
  sh::TOutputGLSLBase::writeFloat
  sh::TOutputGLSLBase::writeConstantUnion
Sanitizer: undefined (UBSAN)
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=451608:451624
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97SLWJVJ_tRnU-d8PL9fHrf1Gl21Ligj1TsNObE2kvdH7jh0brDs0LnWd1VH8Ey0divu128jUNC6vzfjRT_6gr9OZp8yXgooO5Ip9B3rA19pOXzy-i-Csm6BCzGcC16XBdQcHc5fmAN9QGbUUDz2SBSR-dnSRqDEy04YjMtUHRx7f8reNaOwhKWjPji21cZqI7FQZMQwjgMUAQBGIFqQjUyJVLITkfdVO5dWQ8CFYhqGqxCcZCprFE21DF4ewp23Mtmc4oqddSZ94RfEMRHT4ZHyS3RnzoWx7BtPweK6esG2bU2S-lLyhjiKgY73_xubwWpC_ibohDfzoOt87fMf0l9DHl8OyWZ2pX79CpypvOm-nGc5jIxgaGGvsFyv9Zzst2NuGDXvKCNwKlcW0es0D2ZbkDQRQ?testcase_id=5557601535524864

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Comment 1 by sheriffbot@chromium.org, Feb 21 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 21 2017
Feb 21 2017
kbr@ can you take a look at this or assign to someone who can? Also, do you know why third_party/angle doesn't have an OWNERS file? Thank you.
Feb 21 2017
Geoff, could you please find someone to take this bug? Separately, could the ANGLE team please add an OWNERS file at the top level to help with automatic assignment of these bugs? Thanks.
Feb 22 2017
Feb 28 2017
Very unlikely to be a new regression. Going to remove the ReleaseBlock tag.
Mar 1 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 1 2017
Mar 1 2017
Snatching this as the bot really wants it to be a release blocker.
Mar 1 2017
I am not able to reproduce this with the compile flags mentioned in the Reproducing.md. What's weird is that the UBSAN error is inside std::ostringstream::operator<<(float); it looks like it is calling free() with a function pointer that is not a void(*)(void*). +cc erikchen: https://chromium.googlesource.com/chromium/src/+/eff0ecbf12a6757ebb46438100fef60dff531e43 is in range and touches allocator stuff by adding an extra argument. Could it be related to this failure?
Mar 1 2017
Probably a dupe of https://bugs.chromium.org/p/chromium/issues/detail?id=696986, which was recently fixed. Is this error still reproducible?
Mar 1 2017
Yep, the issue is reproducible on the commit's parent and not with the commit applied. Thanks!
Mar 2 2017
ClusterFuzz has detected this issue as fixed in range 453899:453905.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5557601535524864
Fuzzer: libfuzzer_gpu_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Incorrect-function-pointer-type
Crash Address:
Crash State:
  sh::TInfoSinkBase::operator<<
  sh::TOutputGLSLBase::writeFloat
  sh::TOutputGLSLBase::writeConstantUnion
Sanitizer: undefined (UBSAN)
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=451608:451624
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=453899:453905
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97SLWJVJ_tRnU-d8PL9fHrf1Gl21Ligj1TsNObE2kvdH7jh0brDs0LnWd1VH8Ey0divu128jUNC6vzfjRT_6gr9OZp8yXgooO5Ip9B3rA19pOXzy-i-Csm6BCzGcC16XBdQcHc5fmAN9QGbUUDz2SBSR-dnSRqDEy04YjMtUHRx7f8reNaOwhKWjPji21cZqI7FQZMQwjgMUAQBGIFqQjUyJVLITkfdVO5dWQ8CFYhqGqxCcZCprFE21DF4ewp23Mtmc4oqddSZ94RfEMRHT4ZHyS3RnzoWx7BtPweK6esG2bU2S-lLyhjiKgY73_xubwWpC_ibohDfzoOt87fMf0l9DHl8OyWZ2pX79CpypvOm-nGc5jIxgaGGvsFyv9Zzst2NuGDXvKCNwKlcW0es0D2ZbkDQRQ?testcase_id=5557601535524864

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 8 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot