
Issue 797235


Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Blocking:
issue angleproject:2994




Abrt in gpu::CommandBufferSetup::LogGLDebugMessage

Project Member Reported by ClusterFuzz, Dec 22 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5265800796831744

Fuzzer: libFuzzer_gpu_angle_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x03e90000774a
Crash State:
  gpu::CommandBufferSetup::LogGLDebugMessage
  gl::Debug::insertMessage
  gl::Debug::insertMessage
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=515426:515449

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5265800796831744

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Comment 1 by ClusterFuzz (Project Member), Dec 22 2017

Labels: Test-Predator-Auto-Owner
Owner: geoffl...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/angle/angle/+/ee6884e7be666efc9e06b77eab7f4ead2779f46b (Generate generic error messages for Error objects without messages.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Cc: geoffl...@chromium.org
Owner: zmo@chromium.org
Mo, could you look at this?

What appears to happen is:
 - Texture is bound (13)
 - TexImage2D, level 0, size 41x1, RGBA UNSIGNED_BYTE
 - Texture level 1 is bound to a framebuffer (3), framebuffer is not complete
 - GenerateMipmap is called, framebuffer becomes complete
 - TexImage2D, level 0, size 256x1, LUMINANCE_ALPHA UNSIGNED_BYTE, framebuffer becomes incomplete because non-zero mip is bound and texture is not mip-complete
 - CopyTexSubImage to level 0 (from level 1), incomplete framebuffer error generated

It appears to be an issue with the framebuffer completeness cache getting out of date or missing a rule.

Comment 3 by zmo@chromium.org, Jan 5 2018

Status: Started (was: Assigned)

Comment 4 by zmo@chromium.org, Jan 5 2018

Cc: kbr@chromium.org piman@chromium.org
This is a very tricky situation.

We have a fbo with an image from Texture level 1.
Texture is generated by GenerateMipmap, so it's mipmap complete, so fbo is complete.

Now we try to call CopyTexImage() to the same Texture level 0, from RGBA to LUMINANCE_ALPHA, which is legal.

Unfortunately, we need to emulate LUMINANCE_ALPHA, so in the emulation, we change level 0, causing the texture to be NOT mipmap complete, and in turn the fbo to be incomplete, and the final CopyTexImage fails at a lower level.

Comment 5 by zmo@chromium.org, Jan 5 2018

Per discussion with kbr, a solution to fix this corner case is: if we need LUMINANCE_ALPHA emulation in CopyTexImage, and the source image and target image are from the same texture, and the source image is a non-base level, we need to use an intermediate temporary texture to do a TWO-step blit.

Comment 6 by zmo@chromium.org, Jan 5 2018

Labels: -Pri-1 Pri-2
Set to Pri-2 because this is really a corner case and not security related.

Comment 7 by piman@chromium.org, Jan 5 2018

During the copy, could we clamp TEXTURE_BASE_LEVEL/TEXTURE_MAX_LEVEL to the source level on the source texture so that the framebuffer stays complete?
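
The sequence from the report (a level-1 attachment that only becomes valid after GenerateMipmap and breaks again when level 0 is respecified) and the BASE_LEVEL/MAX_LEVEL clamp suggested in comment 7, as an added example: a small C++ model of the mipmap-completeness rule and of the attachment rule the report describes. It is not Chromium or ANGLE code; the names Texture, Framebuffer, ReplayReporterSequence and ClampedSourceStaysComplete are assumptions made here, and the model ignores formats, the LUMINANCE_ALPHA emulation itself and any completeness caching.

```cpp
// Added example, not Chromium/ANGLE code: a toy model of GL texture
// mipmap completeness and of the framebuffer rule stated in the report
// ("non-zero mip is bound and texture is not mip-complete" => incomplete).
#include <algorithm>
#include <map>
#include <vector>

struct Level { int width; int height; };

struct Texture {
  std::map<int, Level> levels;   // level number -> image size
  int base_level = 0;            // TEXTURE_BASE_LEVEL
  int max_level = 1000;          // TEXTURE_MAX_LEVEL (GL default)

  void TexImage2D(int level, int width, int height) {
    levels[level] = Level{width, height};
  }

  // Length of a full chain from base_level: q + 1, q = floor(log2(max(w, h))).
  int ChainLength() const {
    auto it = levels.find(base_level);
    if (it == levels.end()) return 0;
    int largest = std::max(it->second.width, it->second.height);
    int q = 0;
    while ((largest >> (q + 1)) > 0) ++q;
    return q + 1;
  }

  // Fills levels base+1 .. base+q with halved sizes, like GenerateMipmap.
  void GenerateMipmap() {
    auto it = levels.find(base_level);
    if (it == levels.end()) return;
    int w = it->second.width, h = it->second.height;
    int n = ChainLength();
    for (int i = 1; i < n; ++i) {
      w = std::max(1, w / 2);
      h = std::max(1, h / 2);
      levels[base_level + i] = Level{w, h};
    }
  }

  // Mipmap complete: every level in [base_level, min(max_level, base+q)]
  // exists with the size derived from the base image.
  bool MipmapComplete() const {
    auto it = levels.find(base_level);
    if (it == levels.end()) return false;
    int last = std::min(max_level, base_level + ChainLength() - 1);
    int w = it->second.width, h = it->second.height;
    for (int lvl = base_level; lvl <= last; ++lvl) {
      auto l = levels.find(lvl);
      if (l == levels.end() || l->second.width != w || l->second.height != h)
        return false;
      w = std::max(1, w / 2);
      h = std::max(1, h / 2);
    }
    return true;
  }
};

struct Framebuffer {
  const Texture* color0 = nullptr;
  int level = 0;

  // Rule as the report states it: the attached level must exist, and a
  // level other than the base level may be attached only if the texture
  // is mipmap complete.
  bool Complete() const {
    if (!color0 || !color0->levels.count(level)) return false;
    if (level != color0->base_level && !color0->MipmapComplete()) return false;
    return true;
  }
};

// Replays the reporter's sequence; returns completeness after each step.
std::vector<bool> ReplayReporterSequence() {
  Texture tex;
  Framebuffer fbo;
  std::vector<bool> states;
  tex.TexImage2D(0, 41, 1);           // level 0, 41x1
  fbo.color0 = &tex; fbo.level = 1;   // attach level 1, which does not exist yet
  states.push_back(fbo.Complete());   // incomplete
  tex.GenerateMipmap();               // levels 1..5 (20,10,5,2,1 wide) now exist
  states.push_back(fbo.Complete());   // complete
  tex.TexImage2D(0, 256, 1);          // respecify level 0: level 1 should now be 128x1
  states.push_back(fbo.Complete());   // incomplete, so a copy from it errors
  return states;
}

// Comment 7's idea: clamp BASE/MAX level to the source level for the copy,
// so completeness is evaluated over that single level, then restore.
bool ClampedSourceStaysComplete() {
  Texture tex;
  tex.TexImage2D(0, 41, 1);
  tex.GenerateMipmap();
  tex.TexImage2D(0, 256, 1);
  Framebuffer fbo;
  fbo.color0 = &tex; fbo.level = 1;
  bool before = fbo.Complete();            // incomplete
  int saved_base = tex.base_level, saved_max = tex.max_level;
  tex.base_level = 1; tex.max_level = 1;   // clamp to the source level
  bool during = fbo.Complete();            // complete: chain is just level 1
  tex.base_level = saved_base; tex.max_level = saved_max;
  return !before && during;
}
```

The model keeps only the two rules the thread relies on; whether a real driver also reports the attachment incomplete for other reasons (format, size limits) is outside what the report shows.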

Comment 8 by zmo@chromium.org, Jan 5 2018

That does seem like a simpler solution. I'll look into it.

Comment 9 by bugdroid1@chromium.org (Project Member), Jan 9 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5ae4e21f49526535502d8e3abfa8af8868dc9712

commit 5ae4e21f49526535502d8e3abfa8af8868dc9712
Author: Zhenyao Mo <zmo@chromium.org>
Date: Tue Jan 09 17:38:42 2018

Fix CopyTexImage2D corner case where source/target image are the same texture.

BUG=797235
TEST=bots,test case in the bug
R=piman@chromium.org

Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I28b7fb1bdba318374140fda116a473d37a8d7c5c
Reviewed-on: https://chromium-review.googlesource.com/853126
Reviewed-by: Kenneth Russell <kbr@chromium.org>
Reviewed-by: Antoine Labour <piman@chromium.org>
Commit-Queue: Zhenyao Mo <zmo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#528034}
[modify] https://crrev.com/5ae4e21f49526535502d8e3abfa8af8868dc9712/gpu/command_buffer/service/framebuffer_manager.cc
[modify] https://crrev.com/5ae4e21f49526535502d8e3abfa8af8868dc9712/gpu/command_buffer/service/framebuffer_manager.h
[modify] https://crrev.com/5ae4e21f49526535502d8e3abfa8af8868dc9712/gpu/command_buffer/service/gles2_cmd_decoder.cc

Comment 10 by zmo@chromium.org, Jan 9 2018

Status: Fixed (was: Started)

Comment 11 by ClusterFuzz (Project Member), Jan 10 2018

ClusterFuzz has detected this issue as fixed in range 528020:528036.

Detailed report: https://clusterfuzz.com/testcase?key=5265800796831744

Fuzzer: libFuzzer_gpu_angle_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x03e90000774a
Crash State:
  gpu::CommandBufferSetup::LogGLDebugMessage
  gl::Debug::insertMessage
  gl::Debug::insertMessage
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=515426:515449
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=528020:528036

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5265800796831744

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 12 by ClusterFuzz (Project Member), Jan 10 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5265800796831744 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Blocking: angleproject:2994
