
Issue 727582

Starred by 2 users

Issue metadata

Status: Verified
Owner: ----
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug




Bug in storeColor

Reported by ClusterFuzz (Project Member), May 30 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5304417640513536

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Bus
Crash Address: 0x603000250000
Crash State:
  storeColor
  glgProcessColor
  __glgProcessPixelsWithProcessor_block_invoke
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=429839:429929

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5304417640513536


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by sheriffbot@chromium.org (Project Member), May 30 2017

Labels: M-60

Comment 2 by sheriffbot@chromium.org (Project Member), May 30 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by sheriffbot@chromium.org (Project Member), May 30 2017

Labels: Pri-1
Labels: -Restrict-View-SecurityTeam -Security_Impact-Head -Security_Severity-High Type-Bug
Bulk edit: removing sigbus crashes from the security queue.
Components: Internals>GPU
Cc: ligim...@chromium.org
Components: Internals>Skia
Labels: -ReleaseBlock-Beta
From the regression range, this looks like an old issue.

Possible suspect: https://chromium.googlesource.com/chromium/src/+/db4fdf181e7064a8c7ab45aa29e19f3d07c56eb7

Adding respective component.

Comment 7 by hcm@chromium.org, Jun 13 2017

Owner: hcm@chromium.org
Trying to see report...

Comment 8 by hcm@chromium.org, Jun 13 2017

Cc: hcm@chromium.org sunn...@chromium.org vmi...@chromium.org
Components: -Internals>Skia
Owner: ----
I don't see any indicators that this is Skia... Perhaps someone on GPU more familiar with these command buffer calls might see something. Will stay on cc but removing component for now.

Comment 9 by shrike@chromium.org, Jun 13 2017

Summary: Bug in storeColor (was: Bus in storeColor)
[Guessing this should be "bug", not "bus"]
Owner: weiliangc@chromium.org
Need to be owner of bug to look at clusterfuzz report.
Cc: kbr@chromium.org
Owner: ----
Nothing stands out in the regression range. The test case is mostly a WebGL canvas.

Also adding some stack tracing to provide more information:
#3 0x7fff89222028 in _dispatch_client_callout2
#4 0x7fff892268c0 in _dispatch_apply_serial
#5 0x7fff8921040a in _dispatch_client_callout
#6 0x7fff892215a3 in _dispatch_sync_f_invoke
#7 0x7fff89221c4b in dispatch_apply_f
#8 0x7fff8d05641d in glgProcessPixelsWithProcessor
#9 0x7fff83bc7b02 in gldDoScalingBlit
#10 0x7fff83bc556b in gldBlitFramebufferData
#11 0x7fff90432a0a in gleBlitFramebuffer
#12 0x7fff9037010a in glBlitFramebufferEXT_Exec
#13 0x7fff8ba2805c in glBlitFramebuffer
#14 0x10ee0046d in gl::GLApiBase::glBlitFramebufferFn(int, int, int, int, int, int, int, int, unsigned int, unsigned int) ui/gl/gl_bindings_autogen_gl.cc:2627:3
#15 0x1103dd3f7 in gpu::gles2::GLES2DecoderImpl::DoBlitFramebufferCHROMIUM(int, int, int, int, int, int, int, int, unsigned int, unsigned int) gpu/command_buffer/service/gles2_cmd_decoder.cc:8327:5
#16 0x11036c86f in gpu::gles2::GLES2DecoderImpl::HandleBlitFramebufferCHROMIUM(unsigned int, void const volatile*) gpu/command_buffer/service/gles2_cmd_decoder_autogen.h:4135:3
#17 0x1103c180e in gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>(unsigned int, void const volatile*, int, int*) gpu/command_buffer/service/gles2_cmd_decoder.cc:5276:18

Comment 12 by kbr@chromium.org, Jun 16 2017

Cc: sadrul@chromium.org ranjitkan@chromium.org jmad...@chromium.org
Issue 729337 has been merged into this issue.

Comment 13 by kbr@chromium.org, Jun 16 2017

Cc: -sunn...@chromium.org zmo@chromium.org
Components: -Internals>GPU Blink>WebGL Internals>GPU>Internals
Labels: -Pri-1 Pri-2
Status: Available (was: Untriaged)
This is a bug in Apple's OpenGL driver in BlitFramebuffer / glBlitFramebuffer. If the values passed are too large then this can happen. zmo@ investigated this and we were considering generating GL_INVALID_OPERATION instead even though this might not be spec compliant.

It's not a regression. It's also not a P1. There are plenty of ways the GPU process can be crashed (like via out-of-memory). Downgrading and marking Available.
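
The failure mode described in the comment above (blit rectangle values that are too large reaching the driver) and the GL_INVALID_OPERATION-style rejection the comment says was under consideration, as an added example that is not Chromium's code and not the eventual fix: a C++ validation helper that checks the eight coordinates of a glBlitFramebuffer-style call in 64-bit arithmetic and against the attached framebuffer dimensions before anything is handed to the driver. The function names, the BlitCheck enum values and the framebuffer dimensions passed in are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <limits>

// Illustrative validation layer (assumed design, not Chromium's decoder code):
// reject a blit whose rectangles would overflow 32-bit arithmetic or lie
// outside the attached framebuffer, so an oversized request never reaches
// the driver. Rejecting out-of-range rectangles is stricter than the GL
// specification requires, which is the spec-compliance concern the comment
// above raises.
enum class BlitCheck {
  kOk,
  kCoordinateOverflow,  // |x1 - x0| or |y1 - y0| does not fit in int32
  kOutOfBounds,         // rectangle exceeds the framebuffer size
  kInvalidFramebuffer,  // zero or negative framebuffer dimensions
};

struct BlitRect {
  int64_t left, top, right, bottom;  // normalized so left <= right, top <= bottom
  bool flipped_x, flipped_y;         // GL allows mirrored blits via reversed edges
};

// Normalizes one blit rectangle. GL permits x0 > x1 (a horizontal flip), so
// the flip is recorded and the edges are sorted using 64-bit arithmetic.
BlitRect NormalizeRect(int32_t x0, int32_t y0, int32_t x1, int32_t y1) {
  BlitRect r;
  r.flipped_x = x0 > x1;
  r.flipped_y = y0 > y1;
  r.left = std::min<int64_t>(x0, x1);
  r.right = std::max<int64_t>(x0, x1);
  r.top = std::min<int64_t>(y0, y1);
  r.bottom = std::max<int64_t>(y0, y1);
  return r;
}

// Checks one rectangle against a framebuffer of fb_width x fb_height pixels.
BlitCheck CheckRect(int32_t x0, int32_t y0, int32_t x1, int32_t y1,
                    int32_t fb_width, int32_t fb_height) {
  if (fb_width <= 0 || fb_height <= 0) return BlitCheck::kInvalidFramebuffer;

  // Width and height are computed in 64 bits; a span that does not fit in
  // int32 would wrap in any 32-bit arithmetic done further down the stack.
  const int64_t max32 = std::numeric_limits<int32_t>::max();
  const int64_t w = static_cast<int64_t>(x1) - x0;
  const int64_t h = static_cast<int64_t>(y1) - y0;
  if (w > max32 || w < -max32 || h > max32 || h < -max32)
    return BlitCheck::kCoordinateOverflow;

  const BlitRect r = NormalizeRect(x0, y0, x1, y1);
  if (r.left < 0 || r.top < 0 || r.right > fb_width || r.bottom > fb_height)
    return BlitCheck::kOutOfBounds;
  return BlitCheck::kOk;
}

// Checks both rectangles of a blit. Returns kOk only when every coordinate is
// safe to forward; a caller would map any other result to a GL error instead
// of issuing the driver call.
BlitCheck CheckBlit(int32_t sx0, int32_t sy0, int32_t sx1, int32_t sy1,
                    int32_t dx0, int32_t dy0, int32_t dx1, int32_t dy1,
                    int32_t src_w, int32_t src_h, int32_t dst_w, int32_t dst_h) {
  const BlitCheck src = CheckRect(sx0, sy0, sx1, sy1, src_w, src_h);
  if (src != BlitCheck::kOk) return src;
  return CheckRect(dx0, dy0, dx1, dy1, dst_w, dst_h);
}

int main() {
  // Constructed inputs: a 256x256 source and destination.
  const int32_t kMin = std::numeric_limits<int32_t>::min();
  const int32_t kMax = std::numeric_limits<int32_t>::max();
  std::cout << "in-range blit:   " << static_cast<int>(CheckBlit(0, 0, 256, 256, 0, 0, 256, 256, 256, 256, 256, 256)) << "\n";
  std::cout << "flipped blit:    " << static_cast<int>(CheckRect(256, 256, 0, 0, 256, 256)) << "\n";
  std::cout << "oversized rect:  " << static_cast<int>(CheckRect(0, 0, 1024, 1024, 256, 256)) << "\n";
  std::cout << "overflowing rect:" << static_cast<int>(CheckRect(kMin, 0, kMax, 0, 256, 256)) << "\n";
  return 0;
}
```

A flipped rectangle (x0 > x1) passes, because mirrored blits are legitimate; only spans that cannot be represented in 32 bits or that leave the framebuffer are refused.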

Comment 14 by ClusterFuzz (Project Member), Jul 16 2017

Status: WontFix (was: Available)
ClusterFuzz testcase 5304417640513536 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 15 by ClusterFuzz (Project Member), Jul 23 2017

Labels: Needs-Feedback
ClusterFuzz testcase 6495326642110464 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Labels: -Needs-Feedback
Status: Available (was: WontFix)

Comment 17 by ClusterFuzz (Project Member), Mar 21 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 6495326642110464 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Cc: brajkumar@chromium.org
Issue 830312 has been merged into this issue.
