Abrt in gpu::CommandBufferSetup::LogGLDebugMessage
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5265800796831744

Fuzzer: libFuzzer_gpu_angle_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x03e90000774a
Crash State:
  gpu::CommandBufferSetup::LogGLDebugMessage
  gl::Debug::insertMessage
  gl::Debug::insertMessage

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=515426:515449

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5265800796831744

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Jan 5 2018
Mo, could you look at this? What appears to happen is:

- Texture is bound (13)
- TexImage2D, level 0, size 41x1, RGBA UNSIGNED_BYTE
- Texture level 1 is bound to a framebuffer (3), framebuffer is not complete
- GenerateMipmap is called, framebuffer becomes complete
- TexImage2D, level 0, size 256x1, LUMINANCE_ALPHA UNSIGNED_BYTE, framebuffer becomes incomplete because non-zero mip is bound and texture is not mip-complete
- CopyTexSubImage to level 0 (from level 1), incomplete framebuffer error generated

It appears to be an issue with the framebuffer completeness cache getting out of date or missing a rule.

Jan 5 2018

Jan 5 2018
This is a very tricky situation. We have an fbo with an image from Texture level 1. The Texture is generated by GenerateMipmap, so it's mipmap complete, so the fbo is complete. Now we try to call CopyTexImage() to the same Texture level 0, from RGBA to LUMINANCE_ALPHA, which is legal. Unfortunately, we need to emulate LUMINANCE_ALPHA, so in the emulation we change level 0, causing the texture to be NOT mipmap complete, and in turn the fbo to be incomplete, and the final CopyTexImage fails at the lower level.

Jan 5 2018
Per discussion with kbr, a solution to fix this corner case is: if we need LUMINANCE_ALPHA emulation in CopyTexImage, and the source image and target image are from the same texture, and the source image is a non-base level, we need to use an intermediate temporary texture to do a TWO-step blit.

Jan 5 2018
Set to Pri-2 because this is really a corner case and not security related.

Jan 5 2018
During the copy, could we clamp TEXTURE_BASE_LEVEL/TEXTURE_MAX_LEVEL to the source level on the source texture so that the framebuffer stays complete?

Jan 5 2018
That does seem like a simpler solution. I'll look into it.
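A toy model of the completeness rule the thread relies on (a non-zero attached level requires a mipmap-complete texture), replaying the call sequence from the first comment and the base/max-level clamp proposed above. This is an added example, not Chromium or ANGLE code; the texture and FBO representation and the function names are constructed for illustration.

```python
# Added toy model (not Chromium code) of the rule discussed in this thread: an
# FBO attached to a non-zero mip level is complete only while the texture is
# mipmap complete over [TEXTURE_BASE_LEVEL, TEXTURE_MAX_LEVEL].
def new_texture(w, h, fmt):
    # level -> (width, height, format); 1000 is the GL default TEXTURE_MAX_LEVEL
    return {"levels": {0: (w, h, fmt)}, "base_level": 0, "max_level": 1000}

def generate_mipmap(tex):
    # Derive levels 1..n from level 0 by halving until 1x1, same format.
    w, h, fmt = tex["levels"][0]
    level = 0
    while (w, h) != (1, 1):
        w, h, level = max(w // 2, 1), max(h // 2, 1), level + 1
        tex["levels"][level] = (w, h, fmt)

def is_mipmap_complete(tex):
    # Every level from base_level up to max_level (or the 1x1 level, whichever
    # comes first) must exist with the expected size and the base level's format.
    level = tex["base_level"]
    if level not in tex["levels"]:
        return False
    w, h, fmt = tex["levels"][level]
    while True:
        if tex["levels"].get(level) != (w, h, fmt):
            return False
        if (w, h) == (1, 1) or level >= tex["max_level"]:
            return True
        w, h, level = max(w // 2, 1), max(h // 2, 1), level + 1

def fbo_complete(tex, attached_level):
    # Level 0 only has to exist; a non-zero level needs a mipmap-complete texture.
    if attached_level not in tex["levels"]:
        return False
    return attached_level == 0 or is_mipmap_complete(tex)

def walk_sequence(clamp_to_source_level):
    """Replay the sequence from the bug; return FBO completeness at each step."""
    tex = new_texture(41, 1, "RGBA")           # TexImage2D level 0, 41x1 RGBA
    attached = 1                                # level 1 attached to the FBO
    before_mips = fbo_complete(tex, attached)   # level 1 does not exist yet
    generate_mipmap(tex)                        # levels 1..5 appear
    after_mips = fbo_complete(tex, attached)
    tex["levels"][0] = (256, 1, "LUMINANCE_ALPHA")  # level 0 redefined: chain broken
    if clamp_to_source_level:
        # Workaround proposed in the thread: restrict [base, max] to the source
        # level so only level 1 is checked and the FBO stays complete.
        tex["base_level"] = tex["max_level"] = attached
    return before_mips, after_mips, fbo_complete(tex, attached)
```

Without the clamp the final copy sees an incomplete framebuffer, which is the error the fuzzer reported; with base and max level clamped to the source level the framebuffer stays complete.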

Jan 9 2018

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5ae4e21f49526535502d8e3abfa8af8868dc9712

commit 5ae4e21f49526535502d8e3abfa8af8868dc9712
Author: Zhenyao Mo <zmo@chromium.org>
Date: Tue Jan 09 17:38:42 2018

Fix CopyTexImage2D corner case where source/target image are the same texture.

BUG= 797235
TEST=bots,test case in the bug
R=piman@chromium.org

Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I28b7fb1bdba318374140fda116a473d37a8d7c5c
Reviewed-on: https://chromium-review.googlesource.com/853126
Reviewed-by: Kenneth Russell <kbr@chromium.org>
Reviewed-by: Antoine Labour <piman@chromium.org>
Commit-Queue: Zhenyao Mo <zmo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#528034}

[modify] https://crrev.com/5ae4e21f49526535502d8e3abfa8af8868dc9712/gpu/command_buffer/service/framebuffer_manager.cc
[modify] https://crrev.com/5ae4e21f49526535502d8e3abfa8af8868dc9712/gpu/command_buffer/service/framebuffer_manager.h
[modify] https://crrev.com/5ae4e21f49526535502d8e3abfa8af8868dc9712/gpu/command_buffer/service/gles2_cmd_decoder.cc

Jan 9 2018

Jan 10 2018

ClusterFuzz has detected this issue as fixed in range 528020:528036.

Detailed report: https://clusterfuzz.com/testcase?key=5265800796831744

Fuzzer: libFuzzer_gpu_angle_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x03e90000774a
Crash State:
  gpu::CommandBufferSetup::LogGLDebugMessage
  gl::Debug::insertMessage
  gl::Debug::insertMessage

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=515426:515449
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=528020:528036

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5265800796831744

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jan 10 2018
ClusterFuzz testcase 5265800796831744 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Nov 30

Comment 1 by ClusterFuzz, Dec 22 2017
Owner: geoffl...@chromium.org
Status: Assigned (was: Untriaged)