Issue 908049

Starred by 2 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 1
Type: Bug


Out-of-memory in dawn_spirv_cross_glsl_fast_fuzzer

Project Member Reported by ClusterFuzz, Nov 23

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6431235930587136

Fuzzer: libFuzzer_dawn_spirv_cross_glsl_fast_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Out-of-memory (exceeds 2048 MB)
Crash Address: 
Crash State:
  dawn_spirv_cross_glsl_fast_fuzzer
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=609741:609751

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6431235930587136

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Nov 23

Labels: OS-Windows
Project Member

Comment 2 by ClusterFuzz, Nov 23

Cc: kainino@chromium.org cwallez@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.
Cc: dsinclair@chromium.org fjhenigman@chromium.org
Components: Internals>GPU>Dawn
Owner: rharrison@chromium.org
Status: Assigned (was: Untriaged)
These all boil down to a very high bound id being set, i.e. the SPIRV binary says it is going to use a ton of ids, so the cross compiler is pre-allocating storage for them. If you crank up the memory limit the operation does succeed, so it isn't actually a real-world crasher.

I am looking into whether these large bounds are valid; I suspect they are. And if they are, is this completely intended behaviour, or is there something else that should be done wrt allocating id data structures?
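An offline pre-check for the condition described in the comment above, added here as an example and not code from the issue, Dawn or SPIRV-Cross: it decodes the SPIR-V header, walks the instruction stream, and flags a `bound` that no module of that size could plausibly need, since every result id comes from exactly one instruction. The sample module, the `slack` factor and the helper names are constructed assumptions; ids may legitimately be sparse, so this is a heuristic for deciding whether to hand a module to the cross compiler, not a validity check.

```python
import struct

SPIRV_MAGIC = 0x07230203
HEADER_WORDS = 5  # magic, version, generator, bound, schema


def load_words(blob):
    """Decode a SPIR-V blob into 32-bit words, accepting either byte order."""
    if len(blob) < HEADER_WORDS * 4 or len(blob) % 4:
        raise ValueError("not SPIR-V: length is not a whole number of words")
    for order in ("<", ">"):
        if struct.unpack_from(order + "I", blob)[0] == SPIRV_MAGIC:
            return struct.unpack(f"{order}{len(blob) // 4}I", blob)
    raise ValueError("not SPIR-V: bad magic")


def count_instructions(words):
    """Walk the instruction stream; the high 16 bits of each first word hold the word count."""
    pos, count = HEADER_WORDS, 0
    while pos < len(words):
        wc = words[pos] >> 16
        if wc == 0 or pos + wc > len(words):
            raise ValueError(f"malformed instruction at word {pos}")
        pos += wc
        count += 1
    return count


def check_bound(blob, slack=4):
    """Return (suspicious, bound, ceiling).

    Each instruction yields at most one result <id>, so more distinct ids than
    instructions is impossible; the spec only says bound *should* be small, so
    the constructed slack factor tolerates moderately sparse id numbering."""
    words = load_words(blob)
    bound = words[3]
    ceiling = count_instructions(words) + 1  # ids are 0 < id < bound
    return bound > slack * ceiling, bound, ceiling


def make_module(bound):
    """Constructed sample: OpCapability Shader; OpMemoryModel Logical GLSL450; OpTypeVoid %1."""
    body = [0x00020011, 1, 0x0003000E, 0, 1, 0x00020013, 1]
    return struct.pack(f"<{HEADER_WORDS + len(body)}I",
                       SPIRV_MAGIC, 0x00010000, 0, bound, 0, *body)


if __name__ == "__main__":
    for b in (2, 0x7FFFFFFF):
        print(check_bound(make_module(b)))  # (False, 2, 4) then (True, 2147483647, 4)
```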
Project Member

Comment 5 by ClusterFuzz, Nov 24

Labels: OS-Mac
Project Member

Comment 6 by ClusterFuzz, Dec 1

Labels: -Reproducible Unreproducible
ClusterFuzz testcase 6431235930587136 appears to be flaky, updating reproducibility label.
Labels: -Unreproducible Reproducible
Please ignore the last comment about testcase being unreproducible. The testcase is still reproducible. This happened due to a code refactoring on ClusterFuzz side, and the underlying root cause is now fixed. Resetting the label back to Reproducible. Sorry about the inconvenience caused from these incorrect notifications.
This will either be resolved by performing some sort of optimization to pack ids in the new shaderc wrapper for this code or directly resolving https://github.com/KhronosGroup/SPIRV-Cross/issues/781.