Null-dereference READ in gpu::gles2::TextureBase::target
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6676412072460288

Fuzzer: libFuzzer_gpu_angle_passthrough_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  gpu::gles2::TextureBase::target
  gpu::gles2::GLES2DecoderPassthroughImpl::DoDeleteTextures
  gpu::gles2::GLES2DecoderPassthroughImpl::HandleDeleteTexturesImmediate

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=525358:525376

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6676412072460288

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Dec 22 2017
Passthrough command buffer issue. +geofflang I have no idea why this is a regression. The regression range seems like it's probably wrong. I'll see if I can narrow or disprove the regression range.
Dec 22 2017
Trying to repro this case on my machine does cause a crash, but it looks nothing like the stack found by ClusterFuzz, and seems more like I set something up incorrectly.
../../base/threading/thread_collision_warner.h:154:5: runtime error: member call on address 0x01cc79dfa660 which does not point to an object of type 'base::AsserterBase'
0x01cc79dfa660: note: object is of type 'base::DCheckAsserter'
ff ff ff ff 00 51 ae 5e e1 7f 00 00 08 00 00 00 00 00 00 00 ef be ad de 00 00 00 00 00 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'base::DCheckAsserter'
#0 0x7fe15d9a7478 in base::ThreadCollisionWarner::~ThreadCollisionWarner() base/threading/thread_collision_warner.h:154:5
#1 0x7fe15d9a731b in base::subtle::RefCountedBase::~RefCountedBase() base/memory/ref_counted.h:47:3
#2 0x7fe15d9efc5b in base::RefCounted<gl::GLShareGroup, base::DefaultRefCountedTraits<gl::GLShareGroup> >::~RefCounted() base/memory/ref_counted.h:327:25
#3 0x7fe15d9ee5f5 in gl::GLShareGroup::~GLShareGroup() ui/gl/gl_share_group.cc:79:1
#4 0x7fe15d9a7b10 in void base::RefCounted<gl::GLShareGroup, base::DefaultRefCountedTraits<gl::GLShareGroup> >::DeleteInternal<gl::GLShareGroup>(gl::GLShareGroup const*) base/memory/ref_counted.h:333:5
#5 0x7fe15d9a7a93 in base::DefaultRefCountedTraits<gl::GLShareGroup>::Destruct(gl::GLShareGroup const*) base/memory/ref_counted.h:299:5
#6 0x7fe15d9a7a4b in base::RefCounted<gl::GLShareGroup, base::DefaultRefCountedTraits<gl::GLShareGroup> >::Release() const base/memory/ref_counted.h:322:7
#7 0x7fe15d9a79a3 in scoped_refptr<gl::GLShareGroup>::Release(gl::GLShareGroup*) base/memory/scoped_refptr.h:269:8
#8 0x7fe15d9a5f1b in scoped_refptr<gl::GLShareGroup>::~scoped_refptr() base/memory/scoped_refptr.h:197:7
#9 0x7fe15d99a51e in gl::GLContext::~GLContext() ui/gl/gl_context.cc:72:1
#10 0x7fe15d9a52a9 in gl::GLContextReal::~GLContextReal() ui/gl/gl_context.cc:408:1
#11 0x7fe15da7d5f8 in gl::GLContextEGL::~GLContextEGL() ui/gl/gl_context_egl.cc:318:1
#12 0x7fe15da7d62f in gl::GLContextEGL::~GLContextEGL() ui/gl/gl_context_egl.cc:316:31
#13 0x7fe15da35471 in void base::RefCounted<gl::GLContext, base::DefaultRefCountedTraits<gl::GLContext> >::DeleteInternal<gl::GLContext>(gl::GLContext const*) base/memory/ref_counted.h:333:5
#14 0x7fe15da35333 in base::DefaultRefCountedTraits<gl::GLContext>::Destruct(gl::GLContext const*) base/memory/ref_counted.h:299:5
#15 0x7fe15da352f4 in base::RefCounted<gl::GLContext, base::DefaultRefCountedTraits<gl::GLContext> >::Release() const base/memory/ref_counted.h:322:7
#16 0x7fe15da35187 in scoped_refptr<gl::GLContext>::Release(gl::GLContext*) base/memory/scoped_refptr.h:269:8
#17 0x7fe15da350cb in scoped_refptr<gl::GLContext>::~scoped_refptr() base/memory/scoped_refptr.h:197:7
#18 0x7fe15da9254a in gl::GLSurfaceEGL::InitializeOneOffCommon() ui/gl/gl_surface_egl.cc:657:3
#19 0x7fe15da9108d in gl::GLSurfaceEGL::InitializeOneOff(_XDisplay*) ui/gl/gl_surface_egl.cc:569:10
#20 0x7fe15867eb91 in gl::init::InitializeGLOneOffPlatform() ui/gl/init/gl_initializer_x11.cc:169:12
#21 0x7fe158669d7f in gl::init::InitializeGLOneOffImplementation(gl::GLImplementation, bool, bool, bool, bool) ui/gl/init/gl_factory.cc:88:43
#22 0x2b18f8 in gpu::(anonymous namespace)::CommandBufferSetup::CommandBufferSetup() gpu/command_buffer/tests/fuzzer_main.cc:291:5
#23 0x2b55ab in __cxx_global_var_init gpu/command_buffer/tests/fuzzer_main.cc:498:35
#24 0x2b55d4 in _GLOBAL__sub_I_fuzzer_main.cc gpu/command_buffer/tests/fuzzer_main.cc
#25 0x47818c in __libc_csu_init (/usr/local/google/home/kainino/src/chrome/src/out/libfuzzer/gpu_angle_passthrough_fuzzer+0x47818c)
#26 0x7fe15459f23f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2023f)
#27 0x292029 in _start (/usr/local/google/home/kainino/src/chrome/src/out/libfuzzer/gpu_angle_passthrough_fuzzer+0x292029)
Dec 26 2017
CC'ing +mmoroz@ for further inputs.
Dec 27 2017
The most reliable way to reproduce the issue would be to use the reproduce tool. There is a text with links on the ClusterFuzz report page (https://clusterfuzz.com/v2/testcase-detail/6676412072460288?noredirect=1):

"You can reproduce this crash painlessly with our reproduce tool. For Googlers, install the required libraries and run prodaccess && /google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 6676412072460288. For non-Googlers, see the installation section. Report any issues at clusterfuzz-dev@chromium.org."

In case you want to reproduce it manually, please make sure you copied the environment variables and the command from the ClusterFuzz page. You might need the suppressions file for the UBSan configuration; it's available here: https://chrome-internal.googlesource.com/chrome/tools/clusterfuzz/+/master/scripts/suppressions/ubsan_suppressions.txt

Please note that we've seen cases where crash reproducibility also depended on the number of CPU cores or RAM available :(
Jan 5 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d4e22f508556f04f027b196d786c8a4d2d3b4024

commit d4e22f508556f04f027b196d786c8a4d2d3b4024
Author: Geoff Lang <geofflang@chromium.org>
Date: Fri Jan 05 21:50:01 2018

Check for null texture objects when deleting textures.

The zero texture is a valid client ID but has no associated texture object.

BUG= 797233
BUG= 797251
Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: Ia8dce1d8b03b16560f06d9b3203ffc0c53459919
Reviewed-on: https://chromium-review.googlesource.com/852432
Reviewed-by: Antoine Labour <piman@chromium.org>
Commit-Queue: Geoff Lang <geofflang@chromium.org>
Cr-Commit-Position: refs/heads/master@{#527395}

[modify] https://crrev.com/d4e22f508556f04f027b196d786c8a4d2d3b4024/gpu/command_buffer/service/gles2_cmd_decoder_passthrough_doers.cc
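The check that commit describes, as an added example written for this page and not Chromium's code (the real handler lives in gles2_cmd_decoder_passthrough_doers.cc, linked above; TextureTable, TextureObject and DeleteTextures are invented names): a minimal client-ID table in which ID 0 is registered but backed by no object, and a delete handler that skips null objects instead of calling target() on them. The ID list fed to it is constructed to look like what a fuzzer would send: real textures mixed with 0 and an ID that was never generated.

```cpp
// Added illustration for this thread, not Chromium's code: a minimal
// client-ID -> texture-object table in the shape of a command-buffer decoder,
// showing why DeleteTextures must null-check before calling target().
// TextureTable, TextureObject and DeleteTextures are invented names.
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <utility>
#include <vector>

using GLuint = uint32_t;
using GLenum = uint32_t;
constexpr GLenum GL_TEXTURE_2D = 0x0DE1;
constexpr GLenum GL_NONE = 0;

struct TextureObject {
  GLenum target_ = GL_NONE;
  GLenum target() const { return target_; }
};

class TextureTable {
 public:
  TextureTable() {
    // Client ID 0 is the "zero texture": a valid, bindable client ID that
    // is registered up front with no object behind it.
    objects_[0] = nullptr;
  }
  // GenTextures path: give a client ID a fresh object.
  void Create(GLuint client_id, GLenum target) {
    auto tex = std::make_unique<TextureObject>();
    tex->target_ = target;
    objects_[client_id] = std::move(tex);
  }
  // Returns nullptr for IDs that are unknown AND for ID 0, which is known
  // but intentionally has no object. Callers must not dereference blindly.
  TextureObject* Lookup(GLuint client_id) const {
    auto it = objects_.find(client_id);
    return it == objects_.end() ? nullptr : it->second.get();
  }
  bool Contains(GLuint client_id) const { return objects_.count(client_id) != 0; }
  void Erase(GLuint client_id) { objects_.erase(client_id); }

 private:
  std::map<GLuint, std::unique_ptr<TextureObject>> objects_;
};

// Hardened delete handler. The untrusted client sends an arbitrary ID list;
// GL semantics say unknown IDs and 0 are silently ignored, so both map to
// "no object" and are skipped instead of dereferenced. Records the target of
// every object actually destroyed (a real decoder needs it to unbind) and
// returns how many were destroyed.
std::size_t DeleteTextures(TextureTable& table, const std::vector<GLuint>& ids,
                           std::vector<GLenum>* destroyed_targets) {
  std::size_t destroyed = 0;
  for (GLuint id : ids) {
    TextureObject* tex = table.Lookup(id);
    if (tex == nullptr) {
      // Either an ID the client never generated, or the zero texture.
      // Without this check, an ID list containing 0 is a null read in target().
      continue;
    }
    destroyed_targets->push_back(tex->target());
    table.Erase(id);  // ID 0 is never erased, so it stays bindable
    ++destroyed;
  }
  return destroyed;
}

// Stand-alone driver: feeds a fuzzer-shaped ID list (constructed here) that
// contains 0 and a never-generated ID alongside real textures.
int main() {
  TextureTable table;
  table.Create(1, GL_TEXTURE_2D);
  table.Create(2, GL_TEXTURE_2D);
  std::vector<GLenum> targets;
  std::vector<GLuint> ids{1, 0, 0, 99, 2};
  std::size_t n = DeleteTextures(table, ids, &targets);
  return (n == 2 && table.Contains(0) && !table.Contains(1)) ? 0 : 1;
}
```

The point to carry over to any decoder-style code: a lookup that returns null for two different reasons (ID never allocated, ID allocated but deliberately objectless) has to be null-checked at every use, not just at the ones where the ID "should" be valid, because the ID list comes from the untrusted side of the command buffer.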
Jan 6 2018
ClusterFuzz has detected this issue as fixed in range 527388:527403.

Detailed report: https://clusterfuzz.com/testcase?key=6676412072460288

Fuzzer: libFuzzer_gpu_angle_passthrough_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  gpu::gles2::TextureBase::target
  gpu::gles2::GLES2DecoderPassthroughImpl::DoDeleteTextures
  gpu::gles2::GLES2DecoderPassthroughImpl::HandleDeleteTexturesImmediate

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=525358:525376
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=527388:527403

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6676412072460288

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 6 2018
ClusterFuzz testcase 6676412072460288 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 1 by ClusterFuzz, Dec 22 2017
Labels: Test-Predator-Auto-Components