Issue metadata
Bad-cast to gl::Surface from egl::PBufferSurface;es2::Context::makeCurrent;egl::MakeCurrent
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6718678690430976
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x02ed37975a80
Crash State:
  Bad-cast to gl::Surface from egl::PBufferSurface
  es2::Context::makeCurrent
  egl::MakeCurrent
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=482055:482089
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6718678690430976
Issue manually filed by: aarya

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 25 2017
Jun 25 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 25 2017
Jun 26 2017
This is another false positive. Patch https://chromium-review.googlesource.com/c/547670
Jun 27 2017
ClusterFuzz has detected this issue as fixed in range 482426:482520.

Detailed report: https://clusterfuzz.com/testcase?key=6718678690430976
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x02ed37975a80
Crash State:
  Bad-cast to gl::Surface from egl::PBufferSurface
  es2::Context::makeCurrent
  egl::MakeCurrent
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=482055:482089
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=482426:482520
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6718678690430976

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 27 2017
ClusterFuzz testcase 6718678690430976 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 27 2017
Jun 27 2017
The patch to suppress this UBSan false positive hasn't landed yet (https://chromium-review.googlesource.com/c/547670). So I'm not sure why ClusterFuzz thinks this is fixed. Unless there was a change that affects UBSan's ability to check these cross-library class inheritances. Or, the signature has changed due to another change and there will soon be a new issue filed for the same root cause. I'll keep a close eye on this...
Jun 28 2017
Yes, it is showing up again in https://clusterfuzz.com/v2/testcase-detail/6394444764151808, but since it is the same crash state, CF won't autofile it until the next 2 days (there is a rule for it). So, CQ'ed your change, thanks for the fix.
Jun 28 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/487d29d5ead7e88b49a8e193bb1d7a3513e86d8e

commit 487d29d5ead7e88b49a8e193bb1d7a3513e86d8e
Author: Nicolas Capens <capn@google.com>
Date: Wed Jun 28 02:38:35 2017

Suppress UBSan false positive.

https://swiftshader-review.googlesource.com/10129 caused egl::Surface to be derived from gl::Surface, but libGLESv2 doesn't know the vptr tables for the concrete classes because they're created within libEGL, which trips up UBSan.

BUG= 736624
Change-Id: I1a8f53322f5a2ce2ad031f3b72f89a11150dec5e
Reviewed-on: https://chromium-review.googlesource.com/547670
Commit-Queue: Abhishek Arya <inferno@chromium.org>
Reviewed-by: Abhishek Arya <inferno@chromium.org>
Reviewed-by: Dirk Pranke <dpranke@chromium.org>
Cr-Commit-Position: refs/heads/master@{#482857}

[modify] https://crrev.com/487d29d5ead7e88b49a8e193bb1d7a3513e86d8e/tools/ubsan/vptr_blacklist.txt
Oct 3 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Jun 25 2017

Components: Internals>GPU>SwiftShader
Owner: capn@chromium.org
Status: Assigned (was: Untriaged)