
Issue 873225 link

Starred by 4 users

Issue metadata

Status: Started
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Bug




Null-dereference READ in spvtools::opt::Instruction::HasResultId

Project Member Reported by ClusterFuzz, Aug 10

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6148541010149376

Fuzzer: afl_spvtools_opt_legalization_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x00000000002d
Crash State:
  spvtools::opt::Instruction::HasResultId
  spvtools::opt::analysis::DefUseManager::WhileEachUser
  spvtools::opt::LocalSingleBlockLoadStoreElimPass::HasOnlySupportedRefs
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=580304:580305

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6148541010149376

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Aug 10

Components: Internals>GPU>Internals
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Aug 10

Cc: 31666...@users.noreply.github.com d...@everburning.com
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

Update OpPhi instructions after splitting block. (#1783) by 31666470+s-perron@users.noreply.github.com - https://chromium.googlesource.com/external/github.com/KhronosGroup/SPIRV-Tools/+/ce644d4a2484fe66e53f5b744ebc4d0d5d49e1ca

Remove using std::<foo> statements. (#1756) by dj2@everburning.com - https://chromium.googlesource.com/external/github.com/KhronosGroup/SPIRV-Tools/+/a5a5ea0e2dfce9c755a88af1074ebe68a44d2ed9

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Cc: piman@chromium.org vmi...@chromium.org
Owner: alanbaker@google.com
Status: Assigned (was: Untriaged)
cc'ing owners.
Assigning to alanbaker@ because he made several recent contributions to this directory.
Labels: -Pri-1 Pri-2
Note, this is not used in prod, so no need for P1.
Cc: -31666...@users.noreply.github.com -d...@everburning.com dsinclair@chromium.org
Owner: stevenperron@google.com
The id bound in the spirv file is set to INT_MAX.  Which means there are no new ids for the optimizer to use.  The first time the optimizer asks for a new id, it gets 0.  Then it asserts because it tries to use 0, which is an invalid id.

There is no easy solution to this.  spirv-opt is not equipped to handle this type of error.  We will need to work out a design for handling this type of error. 
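As an added illustration of the failure described in the comment above (this is not code from SPIRV-Tools or from this thread): a small Python checker that parses a SPIR-V module's header and instruction framing and refuses modules whose id bound exceeds the SPIR-V universal limit on the bound (4,194,303) or leaves no headroom for fresh ids, next to a hypothetical allocator that returns None rather than a wrapped id. The sample modules are constructed inline; the limit constant, the headroom rule and the allocator are my assumptions, not spirv-opt's own logic.

```python
import struct

SPIRV_MAGIC = 0x07230203
SPIRV_MAX_ID_BOUND = 0x3FFFFF   # universal limit on the result <id> bound in the SPIR-V spec
INT_MAX = 0x7FFFFFFF            # the bound found in the fuzzer-generated module


def parse_module(module: bytes):
    """Parse the header and instruction framing of a little-endian SPIR-V module.
    Returns (bound, instructions); each instruction is (opcode, operand_words)."""
    if len(module) < 20 or len(module) % 4:
        raise ValueError("module is shorter than a header or not word aligned")
    magic, _version, _generator, bound, _schema = struct.unpack_from("<5I", module, 0)
    if magic != SPIRV_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}")
    words = struct.unpack(f"<{len(module) // 4}I", module)
    insts, pos = [], 5
    while pos < len(words):
        word_count, opcode = words[pos] >> 16, words[pos] & 0xFFFF
        if word_count == 0 or pos + word_count > len(words):
            raise ValueError(f"instruction at word {pos} has bad word count {word_count}")
        insts.append((opcode, list(words[pos + 1:pos + word_count])))
        pos += word_count
    return bound, insts


def check_id_bound(module: bytes, needed_fresh_ids: int = 1, limit: int = SPIRV_MAX_ID_BOUND):
    """Reject modules whose id bound leaves an optimizer no room to allocate fresh ids.
    Returns a list of problems; an empty list means the bound is acceptable."""
    bound, _ = parse_module(module)
    problems = []
    if bound == 0:
        problems.append("id bound is 0: no ids can exist")
    if bound > limit:
        problems.append(f"id bound {bound} exceeds the limit {limit}")
    elif bound + needed_fresh_ids > limit:
        problems.append(f"id bound {bound} leaves no headroom for {needed_fresh_ids} fresh id(s)")
    return problems


def take_next_id(bound: int, limit: int = SPIRV_MAX_ID_BOUND):
    """Hypothetical hardened allocator: hands out the current bound and advances it, or
    returns None when the bound is exhausted instead of a wrapped id such as 0."""
    if bound >= limit:
        return None, bound
    return bound, bound + 1


def make_header(bound: int) -> bytes:
    """Constructed SPIR-V 1.0 header with the given id bound (generator 0, schema 0)."""
    return struct.pack("<5I", SPIRV_MAGIC, 0x00010000, 0, bound, 0)


OP_CAPABILITY_SHADER = struct.pack("<2I", (2 << 16) | 17, 1)   # OpCapability Shader
BAD_MODULE = make_header(INT_MAX) + OP_CAPABILITY_SHADER      # bound as in the report
GOOD_MODULE = make_header(10) + OP_CAPABILITY_SHADER
```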
Cc: stevenperron@google.com
 Issue 873281  has been merged into this issue.
 Issue 874022  has been merged into this issue.
Cc: kkaluri@chromium.org d...@everburning.com
 Issue 876698  has been merged into this issue.
Cc: dsinclair@google.com
 Issue 875609  has been merged into this issue.
Issue 875797 has been merged into this issue.
 Issue 876199  has been merged into this issue.
Issue 878030 has been merged into this issue.
Project Member

Comment 14 by ClusterFuzz, Aug 29

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6358639972188160 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Cc: alanbaker@google.com
 Issue 878699  has been merged into this issue.
Labels: ClusterFuzz-Wrong
Status: Assigned (was: Verified)
I have opened https://github.com/KhronosGroup/SPIRV-Tools/issues/1841 to track this issue in github.

The first PR is up for review.
 Issue 880040  has been merged into this issue.
 Issue 880778  has been merged into this issue.
 Issue 880887  has been merged into this issue.
Cc: -dsinclair@google.com -d...@everburning.com dnovillo@google.com
Project Member

Comment 22 by ClusterFuzz, Oct 6

Labels: OS-Mac
 Issue 895231  has been merged into this issue.
 Issue 895232  has been merged into this issue.
Status: Started (was: Assigned)
 Issue 897408  has been merged into this issue.
 Issue 897528  has been merged into this issue.
I just merged https://github.com/KhronosGroup/SPIRV-Tools/pull/2031 into spirv-tools.  A lot of these cases will now be identified as invalid, and will no longer cause a crash.  However, this issue should remain open for the cases where the id bound ends up being very close to the max id bound.
Project Member

Comment 29 by ClusterFuzz, Nov 8

ClusterFuzz has detected this issue as fixed in range 606045:606061.

Detailed report: https://clusterfuzz.com/testcase?key=6148541010149376

Fuzzer: afl_spvtools_opt_legalization_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x00000000002d
Crash State:
  spvtools::opt::Instruction::HasResultId
  spvtools::opt::analysis::DefUseManager::WhileEachUser
  spvtools::opt::LocalSingleBlockLoadStoreElimPass::HasOnlySupportedRefs
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=580304:580305
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=606045:606061

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6148541010149376

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
 Issue 903530  has been merged into this issue.
Cc: dn...@google.com
 Issue 903828  has been merged into this issue.
 Issue 904090  has been merged into this issue.
Cc: metzman@google.com
 Issue 904096  has been merged into this issue.
 Issue 904121  has been merged into this issue.
 Issue 904654  has been merged into this issue.
 Issue 906399  has been merged into this issue.
 Issue 906423  has been merged into this issue.
 Issue 906617  has been merged into this issue.
 Issue 906792  has been merged into this issue.
Cc: metzman@chromium.org
 Issue 907387  has been merged into this issue.
Project Member

Comment 41 by ClusterFuzz, Nov 26

Labels: OS-Windows
 Issue 910248  has been merged into this issue.
Project Member

Comment 43 by ClusterFuzz, Dec 6

Labels: OS-Chrome

Comment 44 by stevenperron@google.com, Jan 16

 Issue 915002  has been merged into this issue.
