
Issue 836710

Starred by 2 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression

Blocking:
issue 851833




Pointer-overflow in Convert<blink::WebGLImageConversion::kDataFormatBGRA8,

Project Member Reported by ClusterFuzz, Apr 25 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5171963606335488

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Pointer-overflow
Crash Address: 
Crash State:
  Convert<blink::WebGLImageConversion::kDataFormatBGRA8,
  Convert<blink::WebGLImageConversion::kDataFormatBGRA8,
  void blink::FormatConverter::Convert<
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=551565:551567

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5171963606335488

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Apr 25 2018

Components: Blink>WebGL
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Cc: brajkumar@chromium.org
Labels: -Type-Bug M-68 Test-Predator-Wrong CF-NeedsTriage Type-Bug-Regression
> Predator was unable to identify any culprit changelists for this test case. 

> Unable to find actual suspect through code search and also observing no possible suspect CL under regression range, hence adding appropriate label and requesting someone from blink team to look into this issue.

Thanks!
Owner: junov@chromium.org
Status: Assigned (was: Untriaged)
junov@, any idea what might be going wrong here? Looks canvas related.

Comment 4 by kbr@chromium.org, Apr 27 2018

This is probably a bug in WebGL code.

Comment 5 by junov@chromium.org, Apr 30 2018

Owner: zmo@chromium.org
Looks like a problem with format conversion in texImage2D. Re-assigning to zmo@ for further triage.

Comment 6 by zmo@chromium.org, May 1 2018

Cc: kbr@chromium.org
Labels: -Pri-1 Pri-2
Owner: infe...@chromium.org
Status: Untriaged (was: Assigned)
I don't think there is a bug in the code. Instead, I think it's a bug in ubsan reporting.

The situation is pointer + offset = new_pointer

So ubsan reports pointer overflow if new_pointer < pointer

However, in our case, offset is negative.

We should make ubsan reporting handle this case correctly.

inferno@: can you triage?
Status: Assigned (was: Untriaged)
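As an added illustration of the check zmo@ describes in comment 6 (constructed for this page, not code from Chromium or from the sanitizer), the C program below compares a naive "new pointer below old pointer" test with a direction-aware one while stepping through image rows bottom-up with a negative stride, the access pattern a Y-flip conversion uses; all function names and the 4x16-byte image are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Arithmetic is done on uintptr_t so this program itself has no
 * undefined behaviour; it only models the two check strategies. */

/* Naive check, as described in comment 6: report if new_pointer < pointer.
 * Any negative offset trips this even though the result is in bounds. */
static int naive_overflow(uintptr_t p, intptr_t off) {
    uintptr_t np = p + (uintptr_t)off;   /* wraps modulo 2^N */
    return np < p;
}

/* Direction-aware check: a negative offset must land at or below p,
 * a positive offset at or above p; anything else really wrapped. */
static int aware_overflow(uintptr_t p, intptr_t off) {
    uintptr_t np = p + (uintptr_t)off;
    return off < 0 ? np > p : np < p;
}

/* Walk a tightly packed image from the last row to the first using a
 * negative row stride (the Y-flip pattern) and count how many steps the
 * given check reports as an overflow. A correct check reports none. */
static int count_reported(int (*check)(uintptr_t, intptr_t),
                          int rows, int row_bytes) {
    uint8_t *img = calloc((size_t)rows * (size_t)row_bytes, 1);
    if (!img) return -1;
    uintptr_t p = (uintptr_t)img + (uintptr_t)(rows - 1) * (uintptr_t)row_bytes;
    intptr_t stride = -(intptr_t)row_bytes;   /* move up one row per step */
    int reported = 0;
    for (int r = rows - 1; r > 0; r--) {
        if (check(p, stride)) reported++;
        p += (uintptr_t)stride;
    }
    free(img);
    return reported;
}

int main(void) {
    printf("naive: %d, aware: %d\n",
           count_reported(naive_overflow, 4, 16),   /* 3 false positives */
           count_reported(aware_overflow, 4, 16));  /* 0 */
    return 0;
}
```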

Comment 8 by kbr@chromium.org, Jun 26 2018

Blocking: 851833
Cc: infe...@chromium.org
Issue 851833 has been merged into this issue.
