
Issue 903280

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Nov 27
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug




Null-dereference READ in gl::GLFence::IsSupported

Project Member Reported by ClusterFuzz, Nov 8

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5174775275847680

Fuzzer: phoglund_webrtc_peerconnection
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x000000000e66
Crash State:
  gl::GLFence::IsSupported
  gpu::gles2::FeatureInfo::InitializeFeatures
  gpu::gles2::ContextGroup::Initialize
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5174775275847680

Additional requirements: Requires HTTP

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Nov 8

Labels: Fuzz-Blocker ReleaseBlock-Beta M-72
This crash occurs very frequently on windows platform and is likely preventing the fuzzer phoglund_webrtc_peerconnection from making much progress. Fixing this will allow more bugs to be found.

Marking this bug as a blocker for next Beta release.

If this is incorrect, please add ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.
Cc: kkaluri@chromium.org
Labels: Test-Predator-Wrong
Owner: sadrul@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.

Using Code Search on the file "gl_fence.cc", I suspect the CL below might have caused this issue.

Suspect CL: https://chromium.googlesource.com/chromium/src/+/3821fdf5c54add24d02adef248a311c293ea0bd0

sadrul@ -- Could you please check whether this is caused by your change? If not, please help us assign it to the right owner.

Thanks!
Components: Internals>GPU>ANGLE
Owner: ----
Status: Untriaged (was: Assigned)
The logs contain the following before the null-read:

...
[4844:1016:1109/001040.262:ERROR:angle_platform_impl.cc(47)] reset(614): Could not create additional swap chains or offscreen surfaces, HRESULT: 0x887A0022
[4844:1016:1109/001040.263:ERROR:gl_surface_egl.cc(537)] EGL Driver message (Critical) eglCreateWindowSurface: Context lost.
[4844:1016:1109/001040.264:ERROR:gl_surface_egl.cc(1057)] eglCreateWindowSurface failed with error EGL_CONTEXT_LOST
[4844:1016:1109/001040.264:ERROR:gles2_command_buffer_stub.cc(237)] ContextResult::kSurfaceFailure: Failed to create surface.
[4844:1016:1109/001040.270:ERROR:gl_surface_egl.cc(537)] EGL Driver message (Critical) eglMakeCurrent: Context lost.
[496:5056:1109/001040.272:ERROR:gpu_process_transport_factory.cc(963)] Lost UI shared context.
[4844:1016:1109/001040.549:ERROR:gl_bindings_autogen_gl.cc(13953)] Trying to call glGetIntegerv without current GL context
[4844:1016:1109/001040.549:ERROR:gl_bindings_autogen_gl.cc(13953)] Trying to call glGetString without current GL context
[4844:1016:1109/001040.550:ERROR:gl_bindings_autogen_gl.cc(13953)] Trying to call glGetString without current GL context
[4844:1016:1109/001040.550:ERROR:gl_bindings_autogen_gl.cc(13953)] Trying to call glGetString without current GL context
[4844:1016:1109/001040.550:ERROR:gl_bindings_autogen_gl.cc(13953)] Trying to call glGetString without current GL context
=================================================================
==4844==ERROR: AddressSanitizer: access-violation on unknown address 0x000000000e66 (pc 0x7fff0381a84c bp 0x00507f5f7e60 sp 0x00507f5f62e0 T0)
...

Perhaps angle related?
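The log excerpt above is enough to recognise this class of crash mechanically: ANGLE/EGL reports a lost context, GL entry points are then called with no current context, and the sanitizer report that follows is a fault at a near-null address. The script below is an added example, not part of this bug report or of Chromium's or ClusterFuzz's tooling. It parses Chrome's `[pid:tid:MMDD/HHMMSS.mmm:LEVEL:file(line)] message` log format and the first line of an ASan report, and flags a crash as a context-loss follow-on when all three signals come from the crashing process. The first sample log is copied from the comment above; the second sample, the `NULL_PAGE_LIMIT` cutoff and the verdict strings are assumptions made for the example.

```python
import re
from collections import defaultdict

# Chrome log line: [pid:tid:MMDD/HHMMSS.mmm:LEVEL:file(line)] message
LOG_RE = re.compile(
    r"^\[(?P<pid>\d+):(?P<tid>\d+):(?P<ts>\d{4}/\d{6}\.\d{3}):"
    r"(?P<level>[A-Z]+):(?P<file>[^\]()]+)\((?P<line>\d+)\)\] (?P<msg>.*)$"
)
# First line of an ASan report ("on unknown address" for SEGV/access-violation,
# "on address" for heap/stack reports).
ASAN_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address "
    r"(?P<addr>0x[0-9a-fA-F]+)"
)

# Assumption for this example: a fault below this address is treated as a
# dereference of a small offset from NULL (what ASan labels "Null-dereference").
NULL_PAGE_LIMIT = 0x10000
CONTEXT_LOST_MARKERS = ("EGL_CONTEXT_LOST", "Context lost")
NO_CONTEXT_MARKER = "without current GL context"


def parse_log_line(text):
    """Split one Chrome log line into its fields; return None for anything else."""
    m = LOG_RE.match(text)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["tid"] = int(rec["tid"])
    rec["line"] = int(rec["line"])
    return rec


def triage(log_text):
    """Classify the first ASan report in log_text using the log lines that precede it."""
    context_lost = defaultdict(int)  # pid -> context-lost messages seen
    no_context = defaultdict(int)    # pid -> GL calls attempted with no current context
    asan = None
    for raw in log_text.splitlines():
        m = ASAN_RE.match(raw)
        if m:
            asan = {"pid": int(m["pid"]), "kind": m["kind"], "addr": int(m["addr"], 16)}
            break  # only the state before the sanitizer report matters
        rec = parse_log_line(raw)
        if rec is None:
            continue
        if any(marker in rec["msg"] for marker in CONTEXT_LOST_MARKERS):
            context_lost[rec["pid"]] += 1
        if NO_CONTEXT_MARKER in rec["msg"]:
            no_context[rec["pid"]] += 1
    if asan is None:
        return {"verdict": "no sanitizer report found"}
    pid = asan["pid"]
    null_page = asan["addr"] < NULL_PAGE_LIMIT
    # All three signals must come from the process that crashed; the browser
    # process logging "Lost UI shared context" must not count for the GPU process.
    follow_on = null_page and context_lost[pid] > 0 and no_context[pid] > 0
    return {
        "pid": pid,
        "kind": asan["kind"],
        "addr": asan["addr"],
        "null_page": null_page,
        "context_lost": context_lost[pid],
        "no_context_calls": no_context[pid],
        "verdict": "context-lost follow-on" if follow_on else "needs manual triage",
    }


# Sample 1: the GPU-process log lines quoted in the bug report above.
SAMPLE_CONTEXT_LOST = "\n".join([
    "[4844:1016:1109/001040.262:ERROR:angle_platform_impl.cc(47)] reset(614): Could not create additional swap chains or offscreen surfaces, HRESULT: 0x887A0022",
    "[4844:1016:1109/001040.263:ERROR:gl_surface_egl.cc(537)] EGL Driver message (Critical) eglCreateWindowSurface: Context lost.",
    "[4844:1016:1109/001040.264:ERROR:gl_surface_egl.cc(1057)] eglCreateWindowSurface failed with error EGL_CONTEXT_LOST",
    "[4844:1016:1109/001040.264:ERROR:gles2_command_buffer_stub.cc(237)] ContextResult::kSurfaceFailure: Failed to create surface.",
    "[4844:1016:1109/001040.270:ERROR:gl_surface_egl.cc(537)] EGL Driver message (Critical) eglMakeCurrent: Context lost.",
    "[496:5056:1109/001040.272:ERROR:gpu_process_transport_factory.cc(963)] Lost UI shared context.",
    "[4844:1016:1109/001040.549:ERROR:gl_bindings_autogen_gl.cc(13953)] Trying to call glGetIntegerv without current GL context",
    "[4844:1016:1109/001040.549:ERROR:gl_bindings_autogen_gl.cc(13953)] Trying to call glGetString without current GL context",
    "[4844:1016:1109/001040.550:ERROR:gl_bindings_autogen_gl.cc(13953)] Trying to call glGetString without current GL context",
    "[4844:1016:1109/001040.550:ERROR:gl_bindings_autogen_gl.cc(13953)] Trying to call glGetString without current GL context",
    "[4844:1016:1109/001040.550:ERROR:gl_bindings_autogen_gl.cc(13953)] Trying to call glGetString without current GL context",
    "=================================================================",
    "==4844==ERROR: AddressSanitizer: access-violation on unknown address 0x000000000e66 (pc 0x7fff0381a84c bp 0x00507f5f7e60 sp 0x00507f5f62e0 T0)",
])

# Sample 2 (constructed, not from the report): a heap overflow with no context loss
# beforehand, which must not be written off as a duplicate.
SAMPLE_UNRELATED = "\n".join([
    "[1234:5678:1109/001100.000:ERROR:gl_surface_egl.cc(1057)] eglCreateWindowSurface failed with error EGL_BAD_ALLOC",
    "==1234==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000050 (pc 0x7fff00000000 bp 0x0 sp 0x0 T0)",
])

if __name__ == "__main__":
    for name, sample in (("report log", SAMPLE_CONTEXT_LOST), ("constructed log", SAMPLE_UNRELATED)):
        print(name, triage(sample))
```

The deliberately narrow verdict is the point: a near-null fault alone is not enough, since a genuinely new null-dereference in feature initialisation would look the same at the sanitizer level. Only the combination with context-loss errors and "without current GL context" calls in the same process justifies treating the crash as the known follow-on, and running the fuzzer on SwiftShader removes the context loss rather than the symptom.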
Owner: zmo@chromium.org
Status: Assigned (was: Untriaged)
Looks like a dupe of issue 897076.

Assigning to Mo in case this is something new.
Owner: phoglund@chromium.org
Yes, this is a dupe of crbug.com/897076, but since I closed that already, let's not dupe because there is an action we need to take.

I expect similar things will surface and disappear until we pass in --use-gl=swiftshader to this fuzzer.

phoglund@: can you do that, since you are the owner of this fuzzer?
Cc: geoffl...@chromium.org zmo@chromium.org
Sure.
Status: Started (was: Assigned)
Project Member

Comment 9 by bugdroid1@chromium.org, Nov 19

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/chrome/webrtc-internal/webrtc-signal/+/425000b5508e643e951f5c4772cfc1f47581db48

commit 425000b5508e643e951f5c4772cfc1f47581db48
Author: Patrik Höglund <phoglund@chromium.org>
Date: Mon Nov 19 09:25:33 2018

Friendly ping for an update on this.
Status: Fixed (was: Started)
Now that we run this fuzzer with SwiftShader, the issue should be fixed.

phoglund@: thanks.
Right, I forgot to mark the bug fixed. The fuzzer has been deployed for a couple of weeks now, so we should be good.
Project Member

Comment 13 by ClusterFuzz, Dec 1

Labels: -Reproducible Unreproducible
ClusterFuzz testcase 5174775275847680 appears to be flaky, updating reproducibility label.
Project Member

Comment 14 by ClusterFuzz, Dec 1

Components: Internals>GPU>Internals
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
