Bad-cast to gl::Object from es2::Context;egl::Display::createContext;gl::GLContextEGL::Initialize
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4722047279431680
Fuzzer: libFuzzer_gpu_swiftshader_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x2816243d3000
Crash State:
  Bad-cast to gl::Object from es2::Context
  egl::Display::createContext
  gl::GLContextEGL::Initialize
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=489841:489889
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4722047279431680

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 28 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 31 2017
capn@chromium.org -- assigning you since you are the author of the line on top of the call stack. Please help triage this bug if you are not the right person to own this. Thanks.
Jul 31 2017
This is a false positive, similar to Issue 736624 and Issue 722058. UBSan doesn't know the types of objects created in another module. Oddly enough this should already be suppressed by this line: https://cs.chromium.org/chromium/src/tools/ubsan/vptr_blacklist.txt?q=vptr_blacklist.txt&sq=package:chromium&dr&rcl=2fc84faa525735f69bcf2ecdf1ca03f542d5fc73&l=112
Jul 31 2017
I've reuploaded the testcase (https://clusterfuzz.com/v2/testcase-detail/4863094676520960), so that it works with the reproduce tool. Sorry about the brittleness.
Sep 7 2017
ClusterFuzz has detected this issue as fixed in range 500168:500210.

Detailed report: https://clusterfuzz.com/testcase?key=4722047279431680
Fuzzer: libFuzzer_gpu_swiftshader_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x2816243d3000
Crash State:
  Bad-cast to gl::Object from es2::Context
  egl::Display::createContext
  gl::GLContextEGL::Initialize
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=489841:489889
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=500168:500210
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4722047279431680

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 7 2017
ClusterFuzz testcase 4722047279431680 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 7 2017
[Auto-generated comment by a script] We noticed that this issue is targeted for M-62; it appears the fix may have landed after branch point, meaning a merge might be required. Please confirm if a merge is required here - if so add Merge-Request-62 label, otherwise remove Merge-TBD label. Thanks.
Sep 7 2017
This has no impact on users, and is a false positive, so no merge required.
Sep 14 2017
Issue 764231 has been merged into this issue.
Sep 14 2017
ClusterFuzz testcase 5182276072898560 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Sep 14 2017
This is a false positive, caused by passing pointers between libEGL.so and libGLESv2.so. These are simple upcasts, but UBSAN doesn't appear to have the type information to verify it, despite our attempts to make it available: https://swiftshader-review.googlesource.com/10728
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.