Null-dereference WRITE in base::subtle::RefCountedBase::AddRefImpl |
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4824417032208384
Fuzzer: afl_gpu_angle_passthrough_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Null-dereference WRITE
Crash Address: 0x000000000008
Crash State:
  base::subtle::RefCountedBase::AddRefImpl
  gpu::CommandBufferSetup::InitDecoder
  gpu::CommandBufferSetup::RunCommandBuffer
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=512662:512689
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4824417032208384

Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Oct 31 2017
Test Predator has given the following results:

- Servicifying ShellHandlerWin. by jcivelli@chromium.org
  Suspected changelist touched file(s) associated with the component Internals>Core, which we believe is related to this testcase based on information in OWNERS files.
- Revert "Make resource_coordinator/ strongly typed." by lpy@chromium.org
  Suspected changelist touched file(s) associated with the component Internals>Core, which we believe is related to this testcase based on information in OWNERS files.
- cc: Add UKM for checkerboarding from compositor input handling. by khushalsagar@chromium.org
  Suspected changelist touched file(s) associated with the component Internals>Core, which we believe is related to this testcase based on information in OWNERS files.
- Adjust overscroll thresholds for touchpad by mohsen@chromium.org
  Suspected changelist touched file(s) associated with the component Internals>Core, which we believe is related to this testcase based on information in OWNERS files.
- Revert "Introduce CompostingModeWatcher interface for global coordination." by abdulsyed@google.com
  Suspected changelist touched file(s) associated with the component Internals>Core, which we believe is related to this testcase based on information in OWNERS files.
- Reset GPU timeout on retry by boliu@chromium.org
  Suspected changelist touched file(s) associated with the component Internals>Core, which we believe is related to this testcase based on information in OWNERS files.

From the above results suspecting the below changes:

- Servicifying ShellHandlerWin. by jcivelli@chromium.org
  Suspected changelist touched file(s) associated with the component Internals>Core, which we believe is related to this testcase based on information in OWNERS files.
- cc: Add UKM for checkerboarding from compositor input handling. by khushalsagar@chromium.org
  Suspected changelist touched file(s) associated with the component Internals>Core, which we believe is related to this testcase based on information in OWNERS files.
- Adjust overscroll thresholds for touchpad by mohsen@chromium.org
  Suspected changelist touched file(s) associated with the component Internals>Core, which we believe is related to this testcase based on information in OWNERS files.

jcivelli/ khushalsagar/ mohsen@ -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes. Thank You.

Oct 31 2017
My CL was Windows only code, this is on Linux. Reassigning to khushalsagar@ as his CL looks more GPU related.

Oct 31 2017
I don't think it's either of these. The crash is happening during command buffer setup in the fuzzer. This change in the range touched that code:

gpu fuzzers: take configuration bits from input data
https://chromium.googlesource.com/chromium/src/+/72bb29070e415e215e2a0095b9266c3ec1c75599

piman@, could you take a look?

Oct 31 2017
Yep, thanks, fix incoming.
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/18afd13d94183587e05cb04031f2ee7d56ba98d9

commit 18afd13d94183587e05cb04031f2ee7d56ba98d9
Author: Antoine Labour <piman@chromium.org>
Date: Tue Oct 31 19:06:04 2017

gpu fuzzers: AddRef on null pointers

Translators may be null (e.g. for passthrough, or in case of failure), so only AddRef them if they are valid.

Bug: 779954
Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I8f0039eaf2bdaf76a58e74317af68c13d252bdd5
Reviewed-on: https://chromium-review.googlesource.com/746993
Reviewed-by: Victor Miura <vmiura@chromium.org>
Commit-Queue: Antoine Labour <piman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#512894}

[modify] https://crrev.com/18afd13d94183587e05cb04031f2ee7d56ba98d9/gpu/command_buffer/tests/fuzzer_main.cc
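Added illustration of the defect and fix described in the commit message above; it is not Chromium's code. A stand-in RefCountedBase whose AddRef stores through `this`, a harness-style InitDecoder that reads a configuration byte from the fuzzer input (as the regressing CL did) and ends up with a null translator for passthrough or on failure, and the null guard from the fix. The class and function names and the two configuration bits are assumptions modelled on the report.

```cpp
#include <cstdint>

// Stand-in for base::subtle::RefCountedBase (assumption: not Chromium's code).
class RefCountedBase {
 public:
  // AddRef stores through `this`. Called on a null pointer, the store lands at
  // nullptr plus the member's offset, which ASAN reports as a small-address
  // null-dereference WRITE, as in the report's crash state.
  void AddRef() { ++ref_count_; }
  uint32_t ref_count() const { return ref_count_; }

 private:
  uint32_t ref_count_ = 0;
};

class Translator : public RefCountedBase {};

// Hypothetical configuration bits taken from the fuzzer input, modelled on the
// regressing CL "take configuration bits from input data".
constexpr uint8_t kPassthroughBit = 0x01;     // passthrough decoder: no translator
constexpr uint8_t kFailTranslatorBit = 0x02;  // simulate translator creation failing

// Returns the translator for this configuration, or nullptr when there is none
// (passthrough) or when creation fails: the two null cases the fix names.
Translator* CreateTranslator(uint8_t config, Translator* storage) {
  if (config & (kPassthroughBit | kFailTranslatorBit)) return nullptr;
  return storage;
}

// Before the fix: AddRef with no null check. Any input that yields a null
// translator crashes here; kept only to show the defect.
void InitDecoderUnguarded(uint8_t config, Translator* storage) {
  CreateTranslator(config, storage)->AddRef();  // null `this` -> crash
}

// After the fix: only AddRef translators that are valid. Returns whether a
// reference was taken so the decision is observable.
bool InitDecoderGuarded(uint8_t config, Translator* storage) {
  Translator* translator = CreateTranslator(config, storage);
  if (!translator) return false;  // passthrough or failure: nothing to AddRef
  translator->AddRef();
  return true;
}

// Runs the guarded setup on a fresh translator and reports its final ref count:
// 1 for a normal decoder, 0 when the translator was null and correctly skipped.
uint32_t RunGuarded(uint8_t config) {
  Translator translator;
  InitDecoderGuarded(config, &translator);
  return translator.ref_count();
}
```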

Nov 1 2017
ClusterFuzz testcase 4598551547215872 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Nov 1 2017
ClusterFuzz has detected this issue as fixed in range 512886:512926.

Detailed report: https://clusterfuzz.com/testcase?key=4824417032208384
Fuzzer: afl_gpu_angle_passthrough_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux
Crash Type: Null-dereference WRITE
Crash Address: 0x000000000008
Crash State:
  base::subtle::RefCountedBase::AddRefImpl
  gpu::CommandBufferSetup::InitDecoder
  gpu::CommandBufferSetup::RunCommandBuffer
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=512662:512689
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=512886:512926
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4824417032208384

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by ClusterFuzz, Oct 31 2017. Labels: Test-Predator-AutoComponents