Use-of-uninitialized-value in sw::Renderer::setupSolidTriangles
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5101018986840064
Fuzzer: libFuzzer_gpu_swiftshader_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sw::Renderer::setupSolidTriangles
  sw::Renderer::executeTask
  sw::Renderer::taskLoop
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=479223:479293
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5101018986840064

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Jun 29 2017

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot

Jul 4 2017

capn@, could you take a look at this issue?

Jul 4 2017

The ClusterFuzz report is a bit confusing because the indicated line doesn't actually read anything (it just takes a reference, i.e. it's a bit of pointer arithmetic). I guess this is due to it being optimized release build code. Anyway, it points to memory that was allocated without setting it to zero (intentionally), so it's possible something in it got read before being written to. It's just hard to guess what. The vertices' clipFlags get read a few lines lower, but those always get written, so if those would be left uninitialized that would possibly indicate a race condition. </thinkingoutloud>

The regression range doesn't contain anything directly SwiftShader related either. I'll run the reproduce tool to see if I can get any more info...

Jul 4 2017

The reproduce tool is giving me an error:

MinimizationNotFinishedError: The testcase hasn't been minimized yet or cannot be minimized. If the testcase is new, please wait for a few more hours. If we can't minimize the testcase, it means the testcase is unreproducible and, thus, not supported by this tool.

But the report has a link to the minimized testcase (also, it's been five days). Interestingly, the un-minimized testcase download is the same as the minimized one. Tanin, is this something you can look into?

Jul 6 2017

The stacktrace in https://clusterfuzz.com/testcase?key=5101018986840064 isn't compatible with the reproduce tool. I've reuploaded the testcase, and this one is good: https://clusterfuzz.com/v2/testcase-detail/6611717563088896

Please use this testcase with the reproduce tool instead.

Jul 7 2017

Detailed report: https://clusterfuzz.com/testcase?key=6611717563088896
Fuzzer: gpu_swiftshader_fuzzer
Job Type: libfuzzer_chrome_msan
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sw::Renderer::setupSolidTriangles
  sw::Renderer::executeTask
  sw::Renderer::taskLoop
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6611717563088896

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Jul 7 2017

Thanks Tanin! I see what's going on now. The data in this buffer gets written and read by JIT-compiled code, which doesn't get instrumented by MSan. The clipFlags also get read by C++ code, so it's unaware that it got initialized by JIT code. I can simply zero clear the buffer at allocation to silence this.
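The false positive described in this comment, as an added illustration that is not SwiftShader's code: a hypothetical routine built without MSan instrumentation stands in for the JIT-compiled vertex processing, and zeroing the buffer at allocation is the mitigation the fix took. All names (Vertex, jit_vertex_routine, run_pipeline) are assumptions for the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* With clang -fsanitize=memory, a function carrying this attribute is built
 * without MSan instrumentation, so its stores never update MSan's shadow
 * memory; here it stands in for SwiftShader's JIT-compiled vertex routine. */
#ifdef __clang__
#  define NOT_INSTRUMENTED __attribute__((no_sanitize("memory")))
#else
#  define NOT_INSTRUMENTED
#endif

#define NUM_VERTICES 3
struct Vertex { uint32_t clipFlags; };   /* hypothetical, trimmed to the one field that matters */

/* Uninstrumented "JIT" routine: it does write clipFlags, but MSan's shadow
 * still says the field is uninitialized afterwards. */
NOT_INSTRUMENTED static void jit_vertex_routine(struct Vertex *v, int n) {
    for (int i = 0; i < n; i++)
        v[i].clipFlags = (i == 1) ? 0x1u : 0x0u;   /* constructed: vertex 1 is clipped */
}

/* Triangle setup in ordinary C/C++: this read is instrumented, so with an
 * uninitialized allocation this is the path MSan reports on. */
static int triangle_needs_clipping(const struct Vertex *v) {
    return (v[0].clipFlags | v[1].clipFlags | v[2].clipFlags) != 0;
}

/* Before the fix: malloc leaves the buffer poisoned in the shadow. */
static struct Vertex *allocate_uninitialized(void) {
    return malloc(sizeof(struct Vertex) * NUM_VERTICES);
}

/* After the fix: zeroing at allocation is an instrumented store, so the shadow
 * is clean even though the real values arrive later from uninstrumented code. */
static struct Vertex *allocate_zeroed(void) {
    return calloc(NUM_VERTICES, sizeof(struct Vertex));
}

/* Runs both stages with the chosen allocator; returns 1 if clipping is needed. */
static int run_pipeline(int zero_at_allocation) {
    struct Vertex *v = zero_at_allocation ? allocate_zeroed() : allocate_uninitialized();
    if (!v) return -1;
    jit_vertex_routine(v, NUM_VERTICES);
    int needs_clip = triangle_needs_clipping(v);   /* MSan reports here only when !zero_at_allocation */
    free(v);
    return needs_clip;
}
```

Built with clang -fsanitize=memory, run_pipeline(0) produces the same use-of-uninitialized-value report ClusterFuzz saw, while run_pipeline(1) runs clean; both compute the same clip decision.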

Jul 7 2017

Detailed report: https://clusterfuzz.com/testcase?key=6611717563088896
Fuzzer: gpu_swiftshader_fuzzer
Job Type: libfuzzer_chrome_msan
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sw::Renderer::setupSolidTriangles
  sw::Renderer::executeTask
  sw::Renderer::taskLoop
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=479223:479293
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6611717563088896

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

The recommended severity is different from what was assigned to the bug. Please double check the accuracy of the assigned severity.

Jul 7 2017

The following revision refers to this bug: https://swiftshader.googlesource.com/SwiftShader.git/+/027288cc059bf507bc8bfb692344d6e6369c38ed

commit 027288cc059bf507bc8bfb692344d6e6369c38ed
Author: Nicolas Capens <capn@google.com>
Date: Fri Jul 07 13:54:30 2017

Initialize memory to zero to silence MSan.

The MemorySanitizer tool can't instrument JIT-compiled code, so it's unaware that the vertex processing routine writes the clip flags before they're read by triangle setup. This false positive can be silenced by zeroing the memory at allocation. For good measure, zero out all intermediate buffers.

Bug chromium:737875
Change-Id: Ic37ff5c64cb63bbddb151744af1d7dff0a254c2d
Reviewed-on: https://swiftshader-review.googlesource.com/10431
Tested-by: Nicolas Capens <capn@google.com>
Reviewed-by: Alexis Hétu <sugoi@google.com>
Reviewed-by: Nicolas Capens <capn@google.com>

[modify] https://crrev.com/027288cc059bf507bc8bfb692344d6e6369c38ed/src/Common/Memory.cpp
[modify] https://crrev.com/027288cc059bf507bc8bfb692344d6e6369c38ed/src/Common/Memory.hpp
[modify] https://crrev.com/027288cc059bf507bc8bfb692344d6e6369c38ed/src/Common/Resource.cpp
[modify] https://crrev.com/027288cc059bf507bc8bfb692344d6e6369c38ed/src/Renderer/Surface.cpp

Jul 10 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e3a8263c6440700f8eb91b3c00b844784c3665cc

commit e3a8263c6440700f8eb91b3c00b844784c3665cc
Author: Nicolas Capens <capn@google.com>
Date: Mon Jul 10 16:13:50 2017

Roll SwiftShader 83a6bb9..a781af7

https://swiftshader.googlesource.com/SwiftShader.git/+log/83a6bb9..a781af7

BUG= 737875
TEST=bots
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel,linux_chromium_cfi_rel_ng;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Change-Id: Ib4a779492cd09ba17bd6dda86cb1b0ef9685a756
Reviewed-on: https://chromium-review.googlesource.com/564665
Reviewed-by: Alexis Hétu <sugoi@chromium.org>
Commit-Queue: Nicolas Capens <nicolascapens@google.com>
Cr-Commit-Position: refs/heads/master@{#485286}

[modify] https://crrev.com/e3a8263c6440700f8eb91b3c00b844784c3665cc/DEPS

Jul 11 2017

ClusterFuzz has detected this issue as fixed in range 485244:485288.

Detailed report: https://clusterfuzz.com/testcase?key=5101018986840064
Fuzzer: libFuzzer_gpu_swiftshader_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sw::Renderer::setupSolidTriangles
  sw::Renderer::executeTask
  sw::Renderer::taskLoop
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=479223:479293
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=485244:485288
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5101018986840064

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jul 18 2017

ClusterFuzz testcase 6611717563088896 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.

Jul 18 2017

ClusterFuzz has detected this issue as fixed in range 485244:485288.

Detailed report: https://clusterfuzz.com/testcase?key=6611717563088896
Fuzzer: gpu_swiftshader_fuzzer
Job Type: libfuzzer_chrome_msan
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sw::Renderer::setupSolidTriangles
  sw::Renderer::executeTask
  sw::Renderer::taskLoop
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=479223:479293
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=485244:485288
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6611717563088896

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.