This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

inferno: is the ClusterFuzz runner itself crashing?

Let me see if I can reproduce it locally.

Works for me, and I do get a stacktrace locally:

==93425== ERROR: libFuzzer: deadly signal
    #0 0x4ca3d7 in __sanitizer_print_stack_trace (/usr/local/google/home/mmoroz/Projects/new/chromium/src/out/debug/gpu_angle_passthrough_fuzzer+0x4ca3d7)
    #1 0x56f8d3 in fuzzer::Fuzzer::CrashCallback() third_party/libFuzzer/src/FuzzerLoop.cpp:195:5
    #2 0x56f7e6 in fuzzer::Fuzzer::StaticCrashSignalCallback() third_party/libFuzzer/src/FuzzerLoop.cpp:179:6
    #3 0x634e07 in fuzzer::CrashHandler(int, siginfo_t*, void*) third_party/libFuzzer/src/FuzzerUtilPosix.cpp:37:3
    #4 0x7fba26fcc32f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1032f)
    #5 0x7fba2f87ec41 in gpu::gles2::GLES2DecoderPassthroughImpl::DoFramebufferTexture2DMultisampleEXT(unsigned int, unsigned int, unsigned int, unsigned int, int, int) gpu/command_buffer/service/gles2_cmd_decoder_passthrough_doers.cc:2510:3
    #6 0x7fba2f942edb in gpu::gles2::GLES2DecoderPassthroughImpl::HandleFramebufferTexture2DMultisampleEXT(unsigned int, void const volatile*) gpu/command_buffer/service/gles2_cmd_decoder_passthrough_handlers_autogen.cc:3596:24
    #7 0x7fba2f830a0a in gpu::error::Error gpu::gles2::GLES2DecoderPassthroughImpl::DoCommandsImpl<false>(unsigned int, void const volatile*, int, int*) gpu/command_buffer/service/gles2_cmd_decoder_passthrough.cc:171:20
    #8 0x7fba2f81a035 in gpu::gles2::GLES2DecoderPassthroughImpl::DoCommands(unsigned int, void const volatile*, int, int*) gpu/command_buffer/service/gles2_cmd_decoder_passthrough.cc:113:12
    #9 0x7fba2f493829 in gpu::CommandBufferService::Flush(int, gpu::AsyncAPIInterface*) gpu/command_buffer/service/command_buffer_service.cc:90:18
    #10 0x7fba2f48d63b in gpu::CommandBufferDirect::Flush(int) gpu/command_buffer/service/command_buffer_direct.cc:99:12
    #11 0x4f112f in gpu::(anonymous namespace)::CommandBufferSetup::RunCommandBuffer(unsigned char const*, unsigned long) gpu/command_buffer/tests/fuzzer_main.cc:229:22
    #12 0x4f0a06 in LLVMFuzzerTestOneInput gpu/command_buffer/tests/fuzzer_main.cc:307:17
    #13 0x57515b in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:451:13
    #14 0x575ec0 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:408:3
    #15 0x4fd6f7 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) third_party/libFuzzer/src/FuzzerDriver.cpp:268:6
    #16 0x50e1dd in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) third_party/libFuzzer/src/FuzzerDriver.cpp:620:9
    #17 0x59a4fe in main third_party/libFuzzer/src/FuzzerMain.cpp:20:10
    #18 0x7fba260aef44 in __libc_start_main /build/eglibc-MjiXCM/eglibc-2.19/csu/libc-start.c:287

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal

There were some fixes on LLVM side ( issue 731130  and issue 734737) recently.

As per https://bugs.chromium.org/p/chromium/issues/detail?id=731130#c16, let me set ASAN_OPTIONS=allow_user_segv_handler=0 for libfuzzer_chrome_asan_debug job and kick off Minimize task on CF.

allow_user_segv_handler=0 didn't help

inferno: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

A friendly reminder that M61 branch is coming soon on 07/20! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix ASAP to trunk. This way we branch M61 from a high quality trunk. Thank you.

inferno: Uh oh! This issue still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

URGENT - PTAL.
Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the M61 branch #3163 ASAP to have enough baking time in Beta before Stable promotion. Thank you!

Know that this issue shouldn't block the release?  Remove the ReleaseBlock-Stable label.

This is a valid crash, so I'm changing the summary and adding other necessary flags.

This crash happens in about 70% of runs: https://clusterfuzz.com/v2/performance-report/libFuzzer_gpu_angle_passthrough_fuzzer/libfuzzer_chrome_asan/latest

So it's a blocker for gaining new coverage and performing efficient continuous testing.

Antoine, could you please take a look or help to find another owner?

This code is not (yet) used in production, so removing blocker/severity flags.

@geofflang, are we maybe calling an function/extension that is not supported?

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/964462489bf349c5e18f6a70b1773bad15987c83

commit 964462489bf349c5e18f6a70b1773bad15987c83
Author: Geoff Lang <geofflang@chromium.org>
Date: Sat Jul 29 02:55:02 2017

Check for native support before calling glFramebufferTexture2DMultisampleEXT.

BUG= 734278 

Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I850b3810f5df850964e150f4b037f81f726aaf82
Reviewed-on: https://chromium-review.googlesource.com/592245
Reviewed-by: Antoine Labour <piman@chromium.org>
Commit-Queue: Geoff Lang <geofflang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#490599}
[modify] https://crrev.com/964462489bf349c5e18f6a70b1773bad15987c83/gpu/command_buffer/service/gles2_cmd_decoder_passthrough_doers.cc

ClusterFuzz has detected this issue as fixed in range 490544:490609.

Detailed report: https://clusterfuzz.com/testcase?key=4997516490964992

Fuzzer: libFuzzer_gpu_angle_passthrough_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  NULL
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=459173:459235
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=490544:490609

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4997516490964992


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4997516490964992 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot