Issue metadata
Crash in gldRenderFillPolygonPtr |
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5640226822422528
Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x00022df79720
Crash State:
  gldRenderFillPolygonPtr
  glDrawElements_IMM_GL3Exec
  gpu::gles2::GLES2DecoderImpl::DoDrawElements
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=419707:419720
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5640226822422528
Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 6 2017
May 8 2017
piman, could you please take a look or help assign this to the right person? Thanks! Looks very similar to https://bugs.chromium.org/p/chromium/issues/detail?id=719229 and https://bugs.chromium.org/p/chromium/issues/detail?id=719273
May 8 2017
Issue 719229 has been merged into this issue.
May 8 2017
Issue 719273 has been merged into this issue.
May 8 2017
Not sure what to do with this. Unless I'm mistaken, gldRenderFillPolygonPtr is part of the Mac GL stack, so this would point towards a bug in the driver? What configuration is this running in? On VMs we typically run with osmesa (which also has tons of bugs, but doesn't seem to be called here) instead of the native driver.
May 8 2017
May 8 2017
On Linux, we use osmesa, and we have a report there too ( bug 719273 ) which I duped into this one. This might indicate that the issue is with the way the GL stack is being called by Chrome?
May 8 2017
Thanks, I will take a look at that other one and see where the problem lies.
May 8 2017
True, gldRenderFillPolygonPtr is part of the Apple GL driver stack.
May 8 2017
I investigated bug 719273 , and it's very specific to osmesa (i.e. not a bug in chrome). Separately, given how very different the repro case is (webgl for bug 719273 vs pure css for this one), and no reason this one would generate the condition that triggers bug 719273 (vertex count specifying partial primitives - it doesn't really make sense for us to do that for legit code), I undup'ed. FWIW I couldn't repro this one on osmesa. Can I reiterate the question of what configuration is this running in?
May 8 2017
Not sure if this answers your question, but this is the way we're running Chrome on our mac bots:
/b/clusterfuzz/slave-bot/builds/chrome-test-builds_media_mac-release_e6940505d6c387d688e04a7feeb7e2019c3efe81/revisions/asan-mac-release-469824/Chromium.app/Contents/MacOS/Chromium --user-data-dir=/b/tmp/user_profile_0 --disable-in-process-stack-traces --ignore-gpu-blacklist --js-flags="--expose-gc --verify-heap" --no-first-run /b/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-524.html
May 8 2017
I guess what I'm asking is what is the hardware configuration - e.g. what would about:gpu show if I ran chrome on the same machine?
May 15 2017
May 16 2017
Looking at the test case, it's setting a CSS property:
-webkit-min-logical-height: 268435456px
Could this be causing allocation of a lot of tiles, and failure to allocate one or some?
May 23 2017
piman: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 26 2017
Unfortunately, despite my best efforts, I can't reproduce locally. This is most likely a driver-specific issue, but I can't really do much without info about the configuration :(
Jun 2 2017
ClusterFuzz testcase 4551537438490624 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 2 2017

Jun 5 2017
Jul 14 2017
ClusterFuzz testcase 6264325298978816 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Jul 20 2017
Issue 746732 has been merged into this issue.
Jul 24 2017
Jul 24 2017
Verified that Clusterfuzz is still seeing this affecting top of tree.
Jul 24 2017
piman: Uh oh! This issue still open and hasn't been updated in the last 59 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 19 2017
(Security sheriff rotation ping) piman: is the config of the bot something we could ask someone for? Or is there very little hope of reproducing this without lots of poking around in the dark?
Sep 19 2017
I think this is the mac software rasterizer. I will inquire about ways to force it and see if I can repro then.

Oct 18 2017
Nov 15 2017
Friendly ping from security sheriff. Looks like CF cannot reliably reproduce this crash, though it periodically occurs once in a while. I wonder if we can try any speculative fix based on the stack trace?
Nov 15 2017
I have not been able to repro locally, even by forcing the software rasterizer. The stack by itself doesn't provide any clue. Keep in mind that this is not a configuration that users run on, so I don't think this is something that is particularly critical to fix.
Dec 7 2017

Jan 25 2018
Feb 5 2018
Issue 797476 has been merged into this issue.
Feb 14 2018
Based on c#30 I think it should be fine to close this as WontFix. Feel free to reopen if I missed something and there is additional work worth doing here.
Feb 21 2018
Mar 1 2018
Issue 817558 has been merged into this issue.
Mar 5 2018
Issue 818476 has been merged into this issue.
Mar 7 2018
Mar 8 2018
Issue 819560 has been merged into this issue.
Mar 27 2018
Issue 822601 has been merged into this issue.
May 24 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 4
Issue 877006 has been merged into this issue.
Sep 4
Issue 877010 has been merged into this issue.
Sep 13
Issue 882387 has been merged into this issue.
Sep 13
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 25
This crash occurs very frequently on mac platform and is likely preventing the fuzzer ifratric-browserfuzzer-v3 from making much progress. Fixing this will allow more bugs to be found. Marking this bug as a blocker for next Beta release. If this is incorrect, please add ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.
Oct 31
Issue 895944 has been merged into this issue.
Nov 30
Issue 910415 has been merged into this issue.
Dec 1
ClusterFuzz has detected this issue as fixed in range 532613:532705.

Detailed report: https://clusterfuzz.com/testcase?key=5640226822422528
Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x000236901720
Crash State:
  gldRenderFillPolygonPtr
  glDrawElements_IMM_GL3Exec
  gpu::gles2::GLES2DecoderImpl::DoDrawElements
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=419707:419720
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=532613:532705
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5640226822422528
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 3
Issue 911197 has been merged into this issue.
Comment 1 by sheriffbot@chromium.org, May 6 2017