
Issue 870156 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Aug 3
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Null-dereference READ in spvtools::val::Function::AddFunctionCallTarget

Project Member Reported by ClusterFuzz, Aug 2

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5405305811501056

Fuzzer: afl_spvtools_val_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  spvtools::val::Function::AddFunctionCallTarget
  spvtools::val::ValidationState_t::AddFunctionCallTarget
  spvtools::val::ProcessInstruction
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=579912:579914

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5405305811501056

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Aug 2

Components: Internals>GPU>Internals
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Cc: pnangunoori@chromium.org andreyt@google.com
Labels: M-70 Test-Predator-Wrong
Predator and CL could not provide any possible suspects.
Using code search for the files “validation_state.h” and “function.h”, assigning to the owner concerned based on git blame.
Suspecting commit:
https://chromium.googlesource.com/external/github.com/KhronosGroup/SPIRV-Tools.git/+/3e08a3f71896c1c15bdcbd42a9ba28ddd0075427

@andreyt -- Could you please look into this issue; kindly reassign if it has nothing to do with your changes.

Couldn't assign to andreyt@google.com, hence cc'ing.

Thank You.

Cc: -andreyt@google.com alanbaker@google.com
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
Issue 870125 has been merged into this issue.
Fixed with: https://github.com/KhronosGroup/SPIRV-Tools/commit/d38a0a3b4476798744c4223acbefab3af97698fd; it will get picked up with the next SPIRV-Tools roll.
Status: Started (was: Assigned)
Project Member

Comment 7 by bugdroid1@chromium.org, Aug 2

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8574fc3bdf0871ef7c1465382128f03940b3231a

commit 8574fc3bdf0871ef7c1465382128f03940b3231a
Author: Dan Sinclair <dsinclair@chromium.org>
Date: Thu Aug 02 22:52:51 2018

Roll SPIRV-Tools to d38a0a3

This pulls in:
 * d38a0a3 Validation within function body when doing a FunctionCall.
 * 6aa8a59 Simplify validation ProcessInstruction

TBR=dsinclair@chromium.org

Bug: 870156
Change-Id: Ia5fb99a01273b46602aaf49429a2ddc632d61531
Reviewed-on: https://chromium-review.googlesource.com/1161287
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
Cr-Commit-Position: refs/heads/master@{#580362}
[modify] https://crrev.com/8574fc3bdf0871ef7c1465382128f03940b3231a/DEPS

Status: Fixed (was: Started)
Project Member

Comment 9 by ClusterFuzz, Aug 3

ClusterFuzz has detected this issue as fixed in range 580360:580362.

Detailed report: https://clusterfuzz.com/testcase?key=5405305811501056

Fuzzer: afl_spvtools_val_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  spvtools::val::Function::AddFunctionCallTarget
  spvtools::val::ValidationState_t::AddFunctionCallTarget
  spvtools::val::ProcessInstruction
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=579912:579914
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=580360:580362

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5405305811501056

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by ClusterFuzz, Aug 3

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5405305811501056 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
