Issue metadata
Security: SwiftShader sw::Renderer::taskLoop
Reported by om...@krash.in, Oct 28 2017
Issue description
I have tested this vulnerability on Windows 10 and on the Windows ASAN builds asan-coverage-win32-release-506366 and asan-win32-release-512393.
2ff217c7 f30f7e0c10 movq xmm1,mmword ptr [eax+edx] ds:002b:23d73000=????????????????
5:118:x86> k
# ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 2d26fb08 0e400210 0x2ff217c7
*** WARNING: Unable to verify checksum for C:\Users\omair\Desktop\asan-win32-release-509608\swiftshader\libglesv2.dll
01 2d26fb50 525a7161 0xe400210
02 2d26fb70 525a702c libglesv2!sw::Renderer::taskLoop+0x4f [C:\b\c\b\win_asan_release\src\third_party\swiftshader\src\Renderer\Renderer.cpp @ 726]
03 2d26fba4 525a6f7e libglesv2!sw::Renderer::threadLoop+0x7e [C:\b\c\b\win_asan_release\src\third_party\swiftshader\src\Renderer\Renderer.cpp @ 716]
04 2d26fbbc 52a5bc0f libglesv2!sw::Renderer::threadFunction+0x54 [C:\b\c\b\win_asan_release\src\third_party\swiftshader\src\Renderer\Renderer.cpp @ 708]
*** WARNING: Unable to verify checksum for chrome.exe
05 2d26fbd4 0157ea72 libglesv2!sw::Thread::startFunction+0x5d [C:\b\c\b\win_asan_release\src\third_party\swiftshader\src\Common\Thread.cpp @ 58]
06 2d26fbe8 0157da5e chrome!__asan::AsanThread::ThreadStart+0x92 [e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_thread.cc @ 267]
07 2d26fbf8 759f8744 chrome!asan_thread_start+0x1e [e:\b\build\slave\win_upload_clang\build\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_win.cc @ 137]
08 2d26fc0c 772e582d KERNEL32!BaseThreadInitThunk+0x24
09 2d26fc54 772e57fd ntdll_77280000!__RtlUserThreadStart+0x2f
0a 2d26fc64 00000000 ntdll_77280000!_RtlUserThreadStart+0x1b
The ASAN builds seem to be having some problems on Windows currently, and I can't get a symbolized stack trace:
==13916==ERROR: AddressSanitizer: access-violation on unknown address 0x233d3000 (pc 0x2f5e17c7 bp 0x2c4df764 sp 0x2c4df370 T37)
#0 0x2f5e17c6 (<unknown module>)
#1 0xd70720f (<unknown module>)
#2 0x5275a002 (c:\Users\omair\Desktop\asan-win32-release-512393\swiftshader\libglesv2.dll+0x1041a002)
#3 0x52759ecd (c:\Users\omair\Desktop\asan-win32-release-512393\swiftshader\libglesv2.dll+0x10419ecd)
#4 0x52759e1f (c:\Users\omair\Desktop\asan-win32-release-512393\swiftshader\libglesv2.dll+0x10419e1f)
Oct 30 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5370139066499072.
Oct 31 2017
jbauman, do you still work on GPU stuff, and SwiftShader in particular? If not, can you please recommend a better person to take this bug? Thanks! Also, this might affect more platforms besides Windows? Including Fuchsia?
Oct 31 2017
Detailed report: https://clusterfuzz.com/testcase?key=5370139066499072
Job Type: windows_asan_chrome
Crash Type: UNKNOWN READ
Crash Address: 0x0dab2000
Crash State:
  Register
  Register
  Register
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=512219:512265
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5370139066499072
See https://github.com/google/clusterfuzz-tools for more information.
A recommended severity was added to this bug. Please change the severity if it is inaccurate.
Oct 31 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 2 2017
Alexis has started looking into this.
Nov 2 2017
The following revision refers to this bug: https://swiftshader.googlesource.com/SwiftShader.git/+/7a8ed2e14ad40356a624826df166c41fec7e2525

commit 7a8ed2e14ad40356a624826df166c41fec7e2525
Author: Alexis Hetu <sugoi@google.com>
Date: Thu Nov 02 15:32:24 2017

Prevent initializing outline edges to out of bound values

When multisampling is enabled, outline edges were getting initialized to one of the primitive's X positions. If the primitive was out of bounds, then the default position was out of bounds, which led to an initial out of bounds memory access. Added a clamp to fix the issue.

Bug chromium:779364
Change-Id: I4661f4229ee28a3032c763ed18dde799d3c3926b
Reviewed-on: https://swiftshader-review.googlesource.com/13528
Tested-by: Alexis Hétu <sugoi@google.com>
Reviewed-by: Nicolas Capens <nicolascapens@google.com>

[modify] https://crrev.com/7a8ed2e14ad40356a624826df166c41fec7e2525/src/Shader/SetupRoutine.cpp
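The bug and fix described in the commit message above, modelled as an added C++ illustration. This is not SwiftShader's code: the per-scanline edge table, the render-target size (kWidth, kHeight) and every function name are assumptions chosen to show why seeding an edge table with an unclamped vertex X leads to an out-of-range read, and why a clamp closes it.

```cpp
// Added illustration of the outline-edge initialization bug described in the
// commit message; this is NOT SwiftShader's code. The edge-table layout, the
// render-target size and all function names are assumptions.
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

constexpr int kWidth  = 64;  // assumed render-target width in pixels
constexpr int kHeight = 16;  // assumed render-target height in scanlines

// Per-scanline outline: the leftmost and rightmost covered column.
struct OutlineEdges {
    std::array<int, kHeight> left{};
    std::array<int, kHeight> right{};
};

// Buggy variant: every scanline is seeded with the primitive's first vertex X,
// unclamped. For a primitive at X = -5 or X = 100 the seed itself lies outside
// [0, kWidth), so a consumer that walks columns left..right touches memory past
// the scanline buffer before any real edge has been rasterized.
OutlineEdges initEdgesUnclamped(int firstVertexX) {
    OutlineEdges e;
    e.left.fill(firstVertexX);
    e.right.fill(firstVertexX);
    return e;
}

// Fixed variant: the seed is clamped to the valid column range, so an
// off-screen primitive can no longer produce an out-of-range initial edge.
OutlineEdges initEdgesClamped(int firstVertexX) {
    const int x = std::max(0, std::min(firstVertexX, kWidth - 1));
    OutlineEdges e;
    e.left.fill(x);
    e.right.fill(x);
    return e;
}

// Invariant worth asserting in a debug build: no edge references a column
// outside the render target.
bool edgesInBounds(const OutlineEdges& e) {
    for (int y = 0; y < kHeight; ++y) {
        if (e.left[y] < 0 || e.left[y] >= kWidth) return false;
        if (e.right[y] < 0 || e.right[y] >= kWidth) return false;
    }
    return true;
}

// Simulated consumer: marks coverage for columns [left, right] on each row.
// Instead of dereferencing a bad index (which is what ASan caught in the real
// bug), it counts the accesses that would have been out of range.
int countOutOfRangeAccesses(const OutlineEdges& e) {
    std::vector<uint8_t> coverage(static_cast<size_t>(kWidth) * kHeight, 0);
    int bad = 0;
    for (int y = 0; y < kHeight; ++y) {
        for (int x = e.left[y]; x <= e.right[y]; ++x) {
            if (x < 0 || x >= kWidth) { ++bad; continue; }
            coverage[static_cast<size_t>(y) * kWidth + x] = 1;
        }
    }
    return bad;
}

int main() {
    // Constructed sample: a primitive whose first vertex sits left of the target.
    const int offscreenX = -5;
    std::printf("unclamped: %d out-of-range accesses\n",
                countOutOfRangeAccesses(initEdgesUnclamped(offscreenX)));
    std::printf("clamped:   %d out-of-range accesses\n",
                countOutOfRangeAccesses(initEdgesClamped(offscreenX)));
    return 0;
}
```

The two init functions differ only in the single clamp, which is the shape of the real fix; the edgesInBounds check is the kind of invariant a fuzzing harness or debug assert can use to flag such seeds before they reach a per-pixel loop.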
Nov 16 2017
omair@, out of curiosity, what techniques have you used to find that issue?
Nov 16 2017
Hm, it seems to be a duplicate of issue 779325 .
Nov 16 2017
#c12: Fuzzing (you can stop reading here) with ML and AI (Cyber). On my own built-up, cloud-based, state-of-the-art fuzzing infrastructure, aka two instances of Chrome.
Nov 16 2017
Thanks for your answer, I wish we could give rewards for awesome bug comments. Regarding duplication, I'll defer to the bug owner to decide that. Either way, looking forward to seeing more reports from you :)
Nov 17 2017
Detailed report: https://clusterfuzz.com/testcase?key=5370139066499072
Job Type: windows_asan_chrome
Crash Type: UNKNOWN READ
Crash Address: 0x0dab2000
Crash State:
  Register
  Register
  Register
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=512219:512265
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5370139066499072
See https://github.com/google/clusterfuzz-tools for more information.
Dec 2 2017
ClusterFuzz has detected this issue as fixed in range 521083:521102.

Detailed report: https://clusterfuzz.com/testcase?key=5370139066499072
Job Type: windows_asan_chrome
Crash Type: UNKNOWN READ
Crash Address: 0x0dab2000
Crash State:
  Register
  Register
  Register
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=512219:512265
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=521083:521102
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5370139066499072
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 2 2017
ClusterFuzz testcase 5370139066499072 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 8 2017
*** Boilerplate reminders! ***

Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products.

Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward.

Please be honest if you have already disclosed anything publicly or to third parties.

Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.

*********************************
Dec 8 2017
omair@ - Groovy! The VRP Panel decided to award $1,000 for this report. Thanks!
Mar 10 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Oct 29 2017