Issue 783901


Issue metadata

Status: Verified
Owner:
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




CHECK failure: glGetError() == GL_NO_ERROR in feature_info.cc

Reported by ClusterFuzz (Project Member), Nov 10 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5042243034677248

Fuzzer: libFuzzer_gpu_angle_passthrough_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  glGetError() == GL_NO_ERROR in feature_info.cc
  gpu::gles2::IsGL_REDSupportedOnFBOs
  gpu::gles2::FeatureInfo::InitializeFeatures
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=512880:512907

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5042243034677248

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Comment 1 by ClusterFuzz (Project Member), Nov 10 2017

Components: Internals>GPU>Internals
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz (Project Member), Nov 10 2017

Labels: Test-Predator-Auto-Owner
Owner: piman@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/18afd13d94183587e05cb04031f2ee7d56ba98d9 (gpu fuzzers: AddRef on null pointers).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Comment 3 by piman@chromium.org, Nov 10 2017

Cc: zmo@chromium.org geoffl...@chromium.org
Good one. Error comes from here:

#0  (anonymous namespace)::Context::handleError (this=0x3a8ebb6fe020, error=...) at ../../third_party/angle/src/libANGLE/Context.cpp:2149
#1  0x00007ffff0abc9b8 in (anonymous namespace)::ValidImageDataSize (context=0x3a8ebb6fe020, textureTarget=3553, width=1, height=1, depth=1, format=33321, type=5121, pixels=0x7fffffffc187, imageSize=-1)
    at ../../third_party/angle/src/libANGLE/validationES.cpp:1034
#2  0x00007ffff0af4d81 in (anonymous namespace)::ValidateES3TexImageParametersBase (context=0x3a8ebb6fe020, target=3553, level=0, internalformat=33321, isCompressed=false, isSubImage=false, xoffset=0, 
    yoffset=0, zoffset=0, width=1, height=1, depth=1, border=0, format=6403, type=5121, imageSize=-1, pixels=0x7fffffffc187) at ../../third_party/angle/src/libANGLE/validationES3.cpp:441
#3  0x00007ffff0af55dc in (anonymous namespace)::ValidateES3TexImage2DParameters (context=0x3a8ebb6fe020, target=3553, level=0, internalformat=33321, isCompressed=false, isSubImage=false, xoffset=0, yoffset=0, 
    zoffset=0, width=1, height=1, depth=1, border=0, format=6403, type=5121, imageSize=-1, pixels=0x7fffffffc187) at ../../third_party/angle/src/libANGLE/validationES3.cpp:502
#4  0x00007ffff0adca76 in (anonymous namespace)::ValidateTexImage2D (context=0x3a8ebb6fe020, target=3553, level=0, internalformat=33321, width=1, height=1, border=0, format=6403, type=5121, 
    pixels=0x7fffffffc187) at ../../third_party/angle/src/libANGLE/validationES2.cpp:2597
#5  0x00007ffff081a162 in (anonymous namespace)::TexImage2D (target=3553, level=0, internalformat=33321, width=1, height=1, border=0, format=6403, type=5121, pixels=0x7fffffffc187)
    at ../../third_party/angle/src/libGLESv2/entry_points_gles_2_0_autogen.cpp:1959
#6  0x00007ffff0837d1a in glTexImage2D (target=3553, level=0, internalformat=33321, width=1, height=1, border=0, format=6403, type=5121, pixels=0x7fffffffc187)
    at ../../third_party/angle/src/libGLESv2/libGLESv2.cpp:634
#7  0x00007ffff6de32e8 in (anonymous namespace)::GLApiBase::glTexImage2DFn (this=0x3a8ebb64a200, target=3553, level=0, internalformat=33321, width=1, height=1, border=0, format=6403, type=5121, 
    pixels=0x7fffffffc187) at ../../ui/gl/gl_bindings_autogen_gl.cc:4372
#8  0x00007ffff6e410ce in (anonymous namespace)::RealGLApi::glTexImage2DFn (this=0x3a8ebb64a200, target=3553, level=0, internalformat=6403, width=1, height=1, border=0, format=6403, type=5121, 
    pixels=0x7fffffffc187) at ../../ui/gl/gl_gl_api_implementation.cc:371
#9  0x00007ffff75e8e5c in (anonymous namespace)::(anonymous namespace)::IsGL_REDSupportedOnFBOs () at ../../gpu/command_buffer/service/feature_info.cc:287
#10 0x00007ffff75e7ef0 in (anonymous namespace)::(anonymous namespace)::FeatureInfo::InitializeFeatures (this=0x3a8ebb756820) at ../../gpu/command_buffer/service/feature_info.cc:1293
#11 0x00007ffff75e3cf6 in (anonymous namespace)::(anonymous namespace)::FeatureInfo::Initialize (this=0x3a8ebb756820, context_type=(anonymous namespace)::(anonymous namespace)::CONTEXT_TYPE_OPENGLES2, 
    disallowed_features=...) at ../../gpu/command_buffer/service/feature_info.cc:257
#12 0x00007ffff770714b in (anonymous namespace)::(anonymous namespace)::GLES2DecoderPassthroughImpl::DoRequestExtensionCHROMIUM (this=0x3a8ebb64d6a0, extension=0x7fffffffd011 "")
    at ../../gpu/command_buffer/service/gles2_cmd_decoder_passthrough_doers.cc:3390
#13 0x00007ffff7722066 in (anonymous namespace)::(anonymous namespace)::GLES2DecoderPassthroughImpl::HandleRequestExtensionCHROMIUM (this=0x3a8ebb64d6a0, immediate_data_size=0, cmd_data=0x3a8ebb6f7034)
    at ../../gpu/command_buffer/service/gles2_cmd_decoder_passthrough_handlers.cc:1443
#14 0x00007ffff76deb4d in (anonymous namespace)::(anonymous namespace)::GLES2DecoderPassthroughImpl::DoCommandsImpl<false> (this=0x3a8ebb64d6a0, num_commands=20, buffer=0x3a8ebb6f7020, num_entries=7, 
    entries_processed=0x7fffffffd2dc) at ../../gpu/command_buffer/service/gles2_cmd_decoder_passthrough.cc:529
#15 0x00007ffff76cd5a5 in (anonymous namespace)::(anonymous namespace)::GLES2DecoderPassthroughImpl::DoCommands (this=0x3a8ebb64d6a0, num_commands=20, buffer=0x3a8ebb6f7020, num_entries=7, 
    entries_processed=0x7fffffffd2dc) at ../../gpu/command_buffer/service/gles2_cmd_decoder_passthrough.cc:467
#16 0x00007ffff75b927d in (anonymous namespace)::CommandBufferService::Flush (this=0x3a8ebb694e48, put_offset=7, handler=0x3a8ebb64d6a0) at ../../gpu/command_buffer/service/command_buffer_service.cc:90
#17 0x00007ffff75b7b33 in (anonymous namespace)::CommandBufferDirect::Flush (this=0x3a8ebb694e30, put_offset=7) at ../../gpu/command_buffer/service/command_buffer_direct.cc:99
#18 0x0000000000218e25 in (anonymous namespace)::(anonymous namespace)::CommandBufferSetup::RunCommandBuffer (this=0x3a8ebb640a20, data=0x3a8ebb66c3c0 "\003", size=25)
    at ../../gpu/command_buffer/tests/fuzzer_main.cc:399
#19 0x0000000000218b24 in LLVMFuzzerTestOneInput (data=0x3a8ebb66c3a0 "\002\001", size=57) at ../../gpu/command_buffer/tests/fuzzer_main.cc:477
#20 0x000000000021cd6e in main (argc=2, argv=0x7fffffffddd8) at ../../testing/libfuzzer/unittest_main.cc:57

It looks like we have a PBO bound when we apply the IsGL_REDSupportedOnFBOs logic when doing RequestExtensionCHROMIUM, which doesn't expect it. That affects both decoders, should be a fairly easy fix.

Comment 4 by piman@chromium.org, Nov 10 2017

mmh, we should already have logic for this. Investigating further.

Comment 5 by piman@chromium.org, Nov 10 2017

Cc: -geoffl...@chromium.org piman@chromium.org
Owner: geoffl...@chromium.org
Ok, that's passthrough-specific. This happens when we requested an es2 context. Passthrough/ANGLE lets glBindBuffer(GL_PIXEL_UNPACK_BUFFER, *) through, but FeatureInfo unbinds the unpack buffer based on whether we *enabled* es3, not whether or not it's *supported*. This code was written with the assumption that es3 state wouldn't be set on an es2 context.
We could easily fix this instance, though I'm not sure if there might be other assumptions. It seems like ANGLE implicitly upgrading an es2 context (or WebGL1 context) to an es3 context (or WebGL2 context) could lead to unexpected behavior.
@Geoff: should we disallow es3 features in ANGLE when we ask for an es2 context?
In this case, I believe it's allowing the ES3 buffer target because ANGLE is exposing GL_NV_pixel_buffer_object. For now, I think we should update the condition of ScopedPixelUnpackBufferOverride to use 'has_pixel_buffers' (https://cs.chromium.org/chromium/src/gpu/command_buffer/service/feature_info.cc?l=1202) and decide if we want to specifically validate these buffer binding points in the passthrough command decoder (can't disable the extension because it's used for the async read pixels).
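The gating bug and the proposed fix, as an added example that is not Chromium or ANGLE code: a simulated GL context, an RAII unpack-buffer override and the red-channel probe, run once with the original "ES3 enabled" condition and once gated on has_pixel_buffers. The FakeGL validation rule, the Features struct and all function names are assumptions; the PBO-as-offset behaviour mirrors the ValidImageDataSize frame in the trace, where a bound PBO turns the client pointer into a buffer offset that cannot fit.

```cpp
// Added example, not Chromium or ANGLE code: a minimal model of the PBO-unbind
// guard discussed above. The GL context and the driver's validation rule are
// simulated (assumption); only the GL enum names and the has_pixel_buffers
// flag come from the thread.
#include <cstddef>
#include <cstdint>
#include <cstdio>

enum GLenum : uint32_t {
  GL_NO_ERROR = 0,
  GL_INVALID_OPERATION = 0x0502,
  GL_PIXEL_UNPACK_BUFFER = 0x88EC,
};

// Simulated driver state: the bound unpack PBO, its size, and a sticky error.
struct FakeGL {
  uint32_t bound_unpack_pbo = 0;
  size_t pbo_size = 0;
  GLenum last_error = GL_NO_ERROR;

  void BindBuffer(GLenum target, uint32_t buffer) {
    if (target == GL_PIXEL_UNPACK_BUFFER) bound_unpack_pbo = buffer;
  }

  // Models the check in the trace's ValidImageDataSize: once a PBO is bound,
  // |pixels| is an offset into that buffer and the whole upload must fit.
  void TexImage2D(size_t width, size_t height, size_t bpp, const void* pixels) {
    if (bound_unpack_pbo == 0) return;  // client-memory upload: nothing to check
    uintptr_t offset = reinterpret_cast<uintptr_t>(pixels);
    if (offset + width * height * bpp > pbo_size) last_error = GL_INVALID_OPERATION;
  }

  GLenum GetError() {
    GLenum e = last_error;
    last_error = GL_NO_ERROR;
    return e;
  }
};

// Feature flags as a decoder might hold them (field names assumed except has_pixel_buffers).
struct Features {
  bool es3_enabled = false;        // context was requested as ES3
  bool has_pixel_buffers = false;  // native PBO support (e.g. NV_pixel_buffer_object)
};

// RAII guard: unbinds the unpack PBO around an internal probe and restores it after.
class ScopedPixelUnpackBufferOverride {
 public:
  ScopedPixelUnpackBufferOverride(FakeGL* gl, bool should_unbind)
      : gl_(gl), active_(should_unbind) {
    if (active_) {
      saved_ = gl_->bound_unpack_pbo;
      gl_->BindBuffer(GL_PIXEL_UNPACK_BUFFER, 0);
    }
  }
  ~ScopedPixelUnpackBufferOverride() {
    if (active_) gl_->BindBuffer(GL_PIXEL_UNPACK_BUFFER, saved_);
  }
  ScopedPixelUnpackBufferOverride(const ScopedPixelUnpackBufferOverride&) = delete;
  ScopedPixelUnpackBufferOverride& operator=(const ScopedPixelUnpackBufferOverride&) = delete;

 private:
  FakeGL* gl_;
  bool active_;
  uint32_t saved_ = 0;
};

// The probe from the trace, modelled: upload one 1x1 texel from client memory
// and hand back the driver error the caller would CHECK against GL_NO_ERROR.
GLenum ProbeRedSupport(FakeGL* gl, bool unbind_pbo) {
  ScopedPixelUnpackBufferOverride guard(gl, unbind_pbo);
  uint8_t texel = 0;
  gl->TexImage2D(1, 1, 1, &texel);
  return gl->GetError();
}

// Thread scenario (constructed): ES2 context, driver exposes PBOs, client bound one.
FakeGL MakeEs2ContextWithBoundPbo() {
  FakeGL gl;
  gl.pbo_size = 4;
  gl.BindBuffer(GL_PIXEL_UNPACK_BUFFER, 7);
  return gl;
}

// Runs the probe gated either on es3_enabled (original) or has_pixel_buffers (proposed).
GLenum RunProbe(bool gate_on_pbo_support) {
  Features f;
  f.es3_enabled = false;
  f.has_pixel_buffers = true;
  FakeGL gl = MakeEs2ContextWithBoundPbo();
  bool unbind = gate_on_pbo_support ? f.has_pixel_buffers : f.es3_enabled;
  return ProbeRedSupport(&gl, unbind);
}

// The guard must leave the client's binding exactly as it found it.
bool BindingRestoredAfterProbe() {
  FakeGL gl = MakeEs2ContextWithBoundPbo();
  ProbeRedSupport(&gl, /*unbind_pbo=*/true);
  return gl.bound_unpack_pbo == 7;
}

int main() {
  std::printf("es3 gate: error 0x%04x\n", static_cast<unsigned>(RunProbe(false)));
  std::printf("PBO gate: error 0x%04x\n", static_cast<unsigned>(RunProbe(true)));
  std::printf("binding restored: %s\n", BindingRestoredAfterProbe() ? "yes" : "no");
  return 0;
}
```

With the ES3 gate the guard is inactive on an ES2 context, the client's PBO stays bound, the probe's client-memory pointer is read as a buffer offset, and the simulated driver reports GL_INVALID_OPERATION, which is the condition the CHECK in feature_info.cc trips on. Gating on has_pixel_buffers unbinds whenever the driver can have a PBO bound at all, regardless of what context version was requested, and the RAII destructor restores the client's binding.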

Comment 7 by piman@chromium.org, Nov 14 2017

Got it. Yeah, we should update the condition for now, but we should think about whether or not we want to expose the feature to clients. I don't believe we expose the capability in the client's extension string, so we're inconsistent at the very least.

Comment 8 by ClusterFuzz (Project Member), Dec 20 2017

ClusterFuzz has detected this issue as fixed in range 525188:525211.

Detailed report: https://clusterfuzz.com/testcase?key=5042243034677248

Fuzzer: libFuzzer_gpu_angle_passthrough_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  glGetError() == GL_NO_ERROR in feature_info.cc
  gpu::gles2::IsGL_REDSupportedOnFBOs
  gpu::gles2::FeatureInfo::InitializeFeatures
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=512880:512907
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=525188:525211

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5042243034677248

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by ClusterFuzz (Project Member), Dec 20 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5042243034677248 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 10 by bugdroid1@chromium.org (Project Member), Jan 8 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0bc7995b0c9b92373c834105431a0b9142229d90

commit 0bc7995b0c9b92373c834105431a0b9142229d90
Author: Geoff Lang <geofflang@chromium.org>
Date: Mon Jan 08 22:38:57 2018

Unbind PBOs if the native PBO extension exists instead of only when exposing ES3.

PBOs are still sometimes bound for internal operations when they are
not exposed.

BUG= 783901 
BUG= 797240 

Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I5243ced145ba518a2fe6a23772b388f8ae5d3e3b
Reviewed-on: https://chromium-review.googlesource.com/769870
Commit-Queue: Geoff Lang <geofflang@chromium.org>
Reviewed-by: Antoine Labour <piman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#527790}
[modify] https://crrev.com/0bc7995b0c9b92373c834105431a0b9142229d90/gpu/command_buffer/service/feature_info.cc
[modify] https://crrev.com/0bc7995b0c9b92373c834105431a0b9142229d90/gpu/command_buffer/service/test_helper.cc
