
Issue 852182 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Aug 3
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 852111




virglrenderer vrend_set_num_sampler_views and vrend_set_single_sampler_view decode fuzzer errors

Project Member Reported by davidri...@chromium.org, Jun 12 2018

Issue description

A pair of similar failures from running the fuzzer against ToT virglrenderer (built with checkout of https://chromium-review.googlesource.com/c/chromiumos/overlays/portage-stable/+/1096537) using:
FEATURES=noclean USE="asan fuzzer" emerge-$BOARD ~/trunk/src/third_party/portage-stable/media-libs/virglrenderer/virglrenderer-9999.ebuild

fuzzy /saved-20180612 # cat fuzz-97.log
INFO: Seed: 727132519
INFO: Loaded 1 modules   (8 inline 8-bit counters): 8 [0x55ba157bef48, 0x55ba157bef50),
INFO: Loaded 1 PC tables (8 PCs): 8 [0x55ba157bef50,0x55ba157befd0),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2	pulse  ft: 4 lim: 4 exec/s: 0 rss: 59Mb
#2	INITED cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 0 rss: 59Mb
#4	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 0 rss: 59Mb
#8	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 0 rss: 59Mb
#16	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 0 rss: 59Mb
#32	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 0 rss: 59Mb
#64	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 0 rss: 59Mb
#128	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 0 rss: 59Mb
#256	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 1 rss: 59Mb
#512	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 2 rss: 59Mb
#1024	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 4 rss: 59Mb
#2048	pulse  cov: 3 ft: 4 corp: 1/1b lim: 6 exec/s: 9 rss: 59Mb
#4096	pulse  cov: 3 ft: 4 corp: 1/1b lim: 8 exec/s: 19 rss: 59Mb
#8192	pulse  cov: 3 ft: 4 corp: 1/1b lim: 11 exec/s: 39 rss: 59Mb
#16384	pulse  cov: 3 ft: 4 corp: 1/1b lim: 17 exec/s: 78 rss: 60Mb
#32768	pulse  cov: 3 ft: 4 corp: 1/1b lim: 33 exec/s: 156 rss: 60Mb
#65536	pulse  cov: 3 ft: 4 corp: 1/1b lim: 68 exec/s: 312 rss: 62Mb
#131072	pulse  cov: 3 ft: 4 corp: 1/1b lim: 128 exec/s: 624 rss: 67Mb
#262144	pulse  cov: 3 ft: 4 corp: 1/1b lim: 261 exec/s: 1242 rss: 77Mb
=================================================================
==24570==ERROR: AddressSanitizer: SEGV on unknown address 0x625ffff92560 (pc 0x7f7acbd61fc3 bp 0x7ffc46a96d50 sp 0x7ffc46a96d10 T0)
==24570==The signal is caused by a READ memory access.
    #0 0x7f7acbd61fc2 in vrend_sampler_view_reference /build/amd64-generic/tmp/portage/media-libs/virglrenderer-9999/work/virglrenderer-9999/src/vrend_renderer.c:571:42
    #1 0x7f7acbd61fc2 in vrend_set_num_sampler_views /build/amd64-generic/tmp/portage/media-libs/virglrenderer-9999/work/virglrenderer-9999/src/vrend_renderer.c:2111

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/amd64-generic/tmp/portage/media-libs/virglrenderer-9999/work/virglrenderer-9999/src/vrend_renderer.c:571:42 in vrend_sampler_view_reference
==24570==ABORTING
MS: 3 InsertRepeatedBytes-ChangeBit-ChangeBinInt-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0xa,0xff,0x2,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xef,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
\x0a\xff\x02\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xef\xff\xff\xff\xff\xff\xff\xff\xff
artifact_prefix='./'; Test unit written to ./crash-46297169297ef66c5ff642f5dc894d7976fd1d6f
Base64: Cv8CAAAAAAAAAP///////////+///////////w==
stat::number_of_executed_units: 312175
stat::average_exec_per_sec:     1479
stat::new_units_added:          0
stat::slowest_unit_time_sec:    0
stat::peak_rss_mb:              81

fuzzy /saved-20180612 # cat fuzz-98.log
INFO: Seed: 757168591
INFO: Loaded 1 modules   (8 inline 8-bit counters): 8 [0x562ba508cf48, 0x562ba508cf50),
INFO: Loaded 1 PC tables (8 PCs): 8 [0x562ba508cf50,0x562ba508cfd0),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2	pulse  ft: 4 lim: 4 exec/s: 0 rss: 59Mb
#2	INITED cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 0 rss: 59Mb
#4	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 0 rss: 59Mb
#8	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 0 rss: 59Mb
#16	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 0 rss: 59Mb
#32	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 0 rss: 59Mb
#64	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 0 rss: 59Mb
#128	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 0 rss: 59Mb
#256	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 1 rss: 59Mb
#512	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 2 rss: 59Mb
#1024	pulse  cov: 3 ft: 4 corp: 1/1b lim: 4 exec/s: 5 rss: 59Mb
#2048	pulse  cov: 3 ft: 4 corp: 1/1b lim: 6 exec/s: 11 rss: 59Mb
#4096	pulse  cov: 3 ft: 4 corp: 1/1b lim: 8 exec/s: 22 rss: 59Mb
#8192	pulse  cov: 3 ft: 4 corp: 1/1b lim: 11 exec/s: 45 rss: 59Mb
#16384	pulse  cov: 3 ft: 4 corp: 1/1b lim: 17 exec/s: 91 rss: 60Mb
#32768	pulse  cov: 3 ft: 4 corp: 1/1b lim: 33 exec/s: 182 rss: 61Mb
#65536	pulse  cov: 3 ft: 4 corp: 1/1b lim: 68 exec/s: 364 rss: 62Mb
#131072	pulse  cov: 3 ft: 4 corp: 1/1b lim: 128 exec/s: 728 rss: 66Mb
#262144	pulse  cov: 3 ft: 4 corp: 1/1b lim: 261 exec/s: 1456 rss: 77Mb
=================================================================
==24572==ERROR: AddressSanitizer: SEGV on unknown address 0x625ff8012560 (pc 0x7f3d737c4c89 bp 0x7ffc788b4650 sp 0x7ffc788b4610 T0)
==24572==The signal is caused by a WRITE memory access.
    #0 0x7f3d737c4c88 in vrend_sampler_view_reference /build/amd64-generic/tmp/portage/media-libs/virglrenderer-9999/work/virglrenderer-9999/src/vrend_renderer.c:575:9
    #1 0x7f3d737c4c88 in vrend_set_single_sampler_view /build/amd64-generic/tmp/portage/media-libs/virglrenderer-9999/work/virglrenderer-9999/src/vrend_renderer.c:2099

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/amd64-generic/tmp/portage/media-libs/virglrenderer-9999/work/virglrenderer-9999/src/vrend_renderer.c:575:9 in vrend_sampler_view_reference
==24572==ABORTING
MS: 5 CopyPart-InsertByte-ChangeByte-CMP-InsertRepeatedBytes- DE: "\x00\x00\x00\x00\x00\x00\x00\x00"-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0xa,0x66,0xa,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
\x0af\x0a\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff
artifact_prefix='./'; Test unit written to ./crash-ef74f875be20a05064fd253604e69eb998adbeb8
Base64: CmYKAAAAAAAAAAD/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
stat::number_of_executed_units: 446252
stat::average_exec_per_sec:     2465
stat::new_units_added:          0
stat::slowest_unit_time_sec:    0
stat::peak_rss_mb:              92
 
Cc: gurcheta...@chromium.org
Cc: ddavenp...@chromium.org
Blocking: 852111
David, can you provide instructions on how to reproduce this bug? It might very well be that the error is obvious, but I really can't make sense out of the output...
I believe if you take a checkout of:
https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1100122

Setup amd64-generic board and build_packages followed by:
USE="asan fuzzer" emerge-$BOARD virglrenderer

Outside of chroot run:
chromite/bin/cros_fuzz_test_env --board=amd64-generic
sudo chroot chroot/build/amd64-generic
cp crash-* chroot/build/amd64-generic

Inside fuzzing-chroot run (can substitute the other attached crash file):
ASAN_OPTIONS="log_path=stderr" /usr/libexec/fuzzers/virgl_fuzzer crash-ef74f875be20a05064fd253604e69eb998adbeb8
Or alternatively:
LIBGL_ALWAYS_SOFTWARE=false ASAN_OPTIONS="log_path=stderr" /usr/libexec/fuzzers/virgl_fuzzer crash-ef74f875be20a05064fd253604e69eb998adbeb8

You should be able to get gdb attached to that.  You might need ASAN_OPTIONS="halt_on_error=false:log_path=stderr" instead.

crash-46297169297ef66c5ff642f5dc894d7976fd1d6f
28 bytes
crash-ef74f875be20a05064fd253604e69eb998adbeb8
132 bytes

Comment 6 by pwang@chromium.org, Jun 21 2018

Owner: pwang@chromium.org
I have a patch that fixes these edge cases in vrend_decode.

Comment 7 by pwang@chromium.org, Jun 21 2018

The patch is sent to the mailing list.

virglrenderer-0001-sanity-check-set-sampler-views.patch
1.1 KB
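As an added example (not virglrenderer's code and not the attached patch), this is the shape of the decode-time sanity check the fix refers to: the guest-supplied start slot and view count are bounded before they index the per-stage view array, which is the unchecked indexing the two ASan traces above show. The payload layout, the names and the slot limit MAX_SAMPLER_VIEWS are assumptions for illustration.

```c
/* Added example, not virglrenderer's own code: the kind of decode-time
 * sanity check the fix above refers to.  The payload layout, the names
 * and MAX_SAMPLER_VIEWS are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>

#define MAX_SAMPLER_VIEWS 32   /* assumed per-shader-stage slot limit */

struct sampler_state {
    uint32_t view_handle[MAX_SAMPLER_VIEWS];   /* 0 == nothing bound */
};
enum decode_result { DECODE_OK = 0, DECODE_BAD_LENGTH, DECODE_BAD_SLOT };

/* Assumed payload: [start_slot][handle 0 .. n-1]; len_dwords is the
 * length field of the command header, which the guest controls. */
static enum decode_result
decode_set_sampler_views(struct sampler_state *st,
                         const uint32_t *payload, uint32_t len_dwords)
{
    if (len_dwords < 1)
        return DECODE_BAD_LENGTH;
    uint32_t start_slot = payload[0];
    uint32_t num_views = len_dwords - 1;
    /* Bound start_slot before using it in the subtraction so the check
     * cannot wrap; an unchecked start_slot is exactly what lets a fuzzer
     * index past the end of the per-stage view array, as in the ASan
     * traces above. */
    if (start_slot >= MAX_SAMPLER_VIEWS ||
        num_views > MAX_SAMPLER_VIEWS - start_slot)
        return DECODE_BAD_SLOT;
    for (uint32_t i = 0; i < num_views; i++)
        st->view_handle[start_slot + i] = payload[1 + i];
    return DECODE_OK;
}

/* Constructed sample inputs (not the attached crash files). */
static struct sampler_state example_state;
static const uint32_t huge_slot[] = { 0xffff0000u, 0xffffffffu }; /* rejected */
static const uint32_t last_two[]  = { 30u, 0x11u, 0x22u };         /* fills 30,31 */
static const uint32_t runs_off[]  = { 31u, 0x33u, 0x44u };         /* 31+2 > 32 */

int main(void)
{
    printf("huge start_slot -> %d\n", decode_set_sampler_views(&example_state, huge_slot, 2));
    printf("slots 30..31    -> %d\n", decode_set_sampler_views(&example_state, last_two, 3));
    printf("slot 31 + 2     -> %d\n", decode_set_sampler_views(&example_state, runs_off, 3));
    return 0;
}
```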
I don't see that patch on the upstream list.
Asking Dave for the moderator approval. No idea why it is held for such a long time.
Status: Assigned (was: Untriaged)
This bug has an owner, thus, it's been triaged. Changing status to "assigned".
Status: Fixed (was: Assigned)
