New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 871217 link

Starred by 2 users
Status: Verified
Owner:
alanbaker@google.com
Last visit 18 days ago
Closed: Aug 15
Cc:
kkaluri@chromium.org
dsinclair@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 1
Type: Bug



Sign in to add a comment

Null-dereference READ in spvtools::val::Instruction::id

Project Member Reported by ClusterFuzz, Aug 6 
Detailed report: https://clusterfuzz.com/testcase?key=5763962256490496

Fuzzer: afl_spvtools_val_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000044
Crash State:
  spvtools::val::Instruction::id
  bool spvtools::val::idUsage::isValid<
  spvtools::val::idUsage::isValid
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=579912:579914

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5763962256490496

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Project Member

Comment 1 by ClusterFuzz, Aug 6

Components: Internals>GPU>Internals
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by kkaluri@chromium.org, Aug 7

Cc: kkaluri@chromium.org d...@everburning.com
Labels: M-70
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)
Predator has provided 8 possible suspects.

1. Stats analyzer uses validator by andreyt@google.com
2. Remove source/instruction.cpp by dneto@google.com
3. Stats analyzer aggregates OpConstant usage by andreyt@google.com
4. Make sure all instructions are in the ordered list. by dsinclair@chromium.org
5. Remove unnecessary headers by umar@arrayfire.com
6. Convert validation to use libspriv::Instruction where possible. (#1663) by dj2@everburning.com
7. Change libspirv to spvtools namespace (#1678) by dj2@everburning.com
8. Re-format files in source, source/opt, source/util, source/val and tools. by dnovillo@google.com

Using Code Search for the file, "source/val/instruction.h" suspecting the below Cl might have caused this issue

Assigning to dsinclair@ for his recent work on above file

dsinclair@ -- Could you please look into this issue.


Thanks!

Comment 3 by dsinclair@chromium.org, Aug 7

Cc: -d...@everburning.com stevenperron@google.com
Project Member

Comment 4 by ClusterFuzz, Aug 12

Labels: OS-Mac

Comment 5 by dsinclair@chromium.org, Aug 13

Cc: -stevenperron@google.com dsinclair@chromium.org
Owner: alanbaker@google.com

Comment 6 by alanbaker@google.com, Aug 14

Status: Started (was: Assigned)
Expect this is fixed by https://github.com/KhronosGroup/SPIRV-Tools/commit/e7fdcdba75eda1f5a70d689cf50628389efa3ed0
Project Member

Comment 7 by ClusterFuzz, Aug 15 

ClusterFuzz has detected this issue as fixed in range 583092:583110.

Detailed report: https://clusterfuzz.com/testcase?key=5763962256490496

Fuzzer: afl_spvtools_val_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000044
Crash State:
  spvtools::val::Instruction::id
  bool spvtools::val::idUsage::isValid<
  spvtools::val::idUsage::isValid
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=579912:579914
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=583092:583110

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5763962256490496

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by ClusterFuzz, Aug 15

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5763962256490496 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment