
Issue 866804

Starred by 2 users

Issue metadata

Status: Duplicate
Merged: issue 859623
Owner:
Closed: Jul 25
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Null-dereference READ in blink::WebGLRenderingContextBase::TexImageImpl

Project Member Reported by ClusterFuzz, Jul 24

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5792807198130176

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::WebGLRenderingContextBase::TexImageImpl
  blink::WebGLRenderingContextBase::TexImageHelperHTMLCanvasElement
  blink::WebGL2RenderingContextBase::texImage3D
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=525711:525713

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5792807198130176

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Jul 24

Components: Blink>WebGL
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Owner: kainino@chromium.org
Kai, could you please triage this? I think it might be a duplicate of Issue 859623 or Issue 859400.

Mergedinto: 859623
Status: Duplicate (was: Untriaged)
Stack points to exactly the same place as issue 859623:
int image_width = static_cast<int>(image->width());

However, unfortunately I strongly suspect this will be flaky for exactly the same unknown reason that issue 859623 couldn't be reproduced.
clusterfuzz reproduce claims that this reproduced successfully, however the output is suspect:

> New crash type:
> New crash state:
>
> Original crash type:
> Original crash state:
>
> The stacktrace seems similar to the original stacktrace.

I'm looking into it and will continue on the other bug if it turns out to really repro.
Labels: ClusterFuzz-Wrong
I'm pretty sure this is not reproducible. I think it is extremely flaky.

+clusterfuzz-wrong, because:

- Marked reproducible despite "Minimize task errored out: Unable to reproduce crash."

- The clusterfuzz reproduce command seems to have a bug where, if it thinks the original-crash-type/state are empty string, then it will report that it was able to reproduce if chrome *doesn't* crash.
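The failure mode described in the last bullet, as an added illustration that is not ClusterFuzz's own code (the verdict functions and sample records are assumptions): a plain equality check on crash type/state returns a match for two empty records, so a run in which Chrome does not crash gets reported as reproduced whenever the original type/state were never recorded.

```python
# Added illustration, not ClusterFuzz's code: models the verdict logic the
# comment describes, where an empty recorded crash type/state makes a
# non-crashing run look like a successful reproduction.
from dataclasses import dataclass
from typing import Optional


@dataclass
class CrashInfo:
    crash_type: str   # e.g. "Null-dereference READ"; "" when nothing recorded
    crash_state: str  # top frames of the stack; "" when the run did not crash


def naive_reproduced(original: CrashInfo, new: CrashInfo) -> bool:
    """Buggy comparison: equality of type and state only.
    If the original record is empty and the new run did not crash,
    "" == "" holds and the run is wrongly reported as reproduced."""
    return (original.crash_type == new.crash_type
            and original.crash_state == new.crash_state)


def checked_reproduced(original: CrashInfo, new: CrashInfo) -> Optional[bool]:
    """Hardened verdict: None (cannot judge) when the original record is
    incomplete, False when the new run did not crash at all, and True only
    when a real crash matches the recorded one."""
    if not original.crash_type or not original.crash_state:
        return None
    if not new.crash_type or not new.crash_state:
        return False
    return (original.crash_type == new.crash_type
            and original.crash_state == new.crash_state)


# Constructed sample records (assumed, not taken from the tracker), using the
# crash state reported in this issue.
STATE = ("blink::WebGLRenderingContextBase::TexImageImpl\n"
         "blink::WebGLRenderingContextBase::TexImageHelperHTMLCanvasElement\n"
         "blink::WebGL2RenderingContextBase::texImage3D")
RECORDED = CrashInfo("Null-dereference READ", STATE)
EMPTY_RECORD = CrashInfo("", "")   # original type/state lost or never stored
NO_CRASH = CrashInfo("", "")       # what a clean, non-crashing run produces

if __name__ == "__main__":
    print(naive_reproduced(EMPTY_RECORD, NO_CRASH))    # True: the false positive
    print(checked_reproduced(EMPTY_RECORD, NO_CRASH))  # None: cannot judge
    print(checked_reproduced(RECORDED, NO_CRASH))      # False: no crash at all
```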
Project Member

Comment 6 by ClusterFuzz, Jul 26

Labels: -Reproducible Unreproducible
ClusterFuzz testcase 5792807198130176 appears to be flaky, updating reproducibility label.
