Issue metadata
Crash in glvmRasterOpRead
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5735040506658816
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x0002475307a0
Crash State:
  glvmRasterOpRead
  glvmInterpretFPTransformFour
  gldLLVMFPTransform
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=568152:568171
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5735040506658816

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Sep 8

Sep 8

Sep 14
senorblanco: Is it possible for https://chromium.googlesource.com/chromium/src/+/df18b96b443774d232e39ead6cbd81c848b8563c to have triggered this? I can't tell if it's an issue in Apple's OpenGL or the calling code.
Sep 14
A bit more of the stack:
#0 0x7fff89370e6c in glvmRasterOpRead
#1 0x7fff8936b145 in glvmInterpretFPTransformFour
#2 0x7fff8a15f3d7 in gldLLVMFPTransform
#3 0x7fff8a173ad4 in gldLLVMVecPolyRender
#4 0x7fff8a1594ec in gldRenderFillPolygonPtr
#5 0x1369fed2f (<unknown module>)
#5 0x7fff87912331 in gleFlushAtomicFunc
#6 0x7fff879a37b5 in glDrawArrays_GL3Exec
This is in Apple's software renderer IIUC (gldLLVM is "gl driver llvm"). So this is an Apple bug.
Sep 17
Out of interest, when does the Apple software renderer get used? I thought Macs were always either accelerated or blacklisted (no GL).
Sep 17
I should emphasize the IIUC part of #5, but we use Apple's SW renderer in VMWare at times.
Oct 2
senorblanco: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2
Given that it's a bug in the Apple software renderer, I don't think there's much I can do. I have had no reports of instability on real GPUs from this change. If no GPU is available (e.g., VMWare) we should really be using the Skia software renderer and software compositor for 2D content, not GL with the Apple software renderer. It would likely be much faster, as well.
Oct 2

Oct 9
ClusterFuzz testcase 5735040506658816 is still reproducing on tip-of-tree build (trunk). If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase. Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.
Jan 9
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Sep 8
Labels: Test-Predator-Auto-Components