
Issue 908068


Issue metadata

Status: Verified
Owner:
Closed: Nov 29
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Null-dereference READ in spvtools::opt::Pass::ProcessCallTreeFromRoots

Project Member Reported by ClusterFuzz, Nov 23

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5189479155105792

Fuzzer: afl_spvtools_opt_size_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  spvtools::opt::Pass::ProcessCallTreeFromRoots
  spvtools::opt::Pass::ProcessEntryPointCallTree
  spvtools::opt::InlineExhaustivePass::ProcessImpl
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=580304:580305

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5189479155105792

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Nov 23

Components: Internals>GPU>Internals
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Nov 23

Cc: dsinclair@chromium.org vmi...@chromium.org piman@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.
Project Member

Comment 3 by ClusterFuzz, Nov 23

Cc: 31666...@users.noreply.github.com d...@everburning.com
Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

Update OpPhi instructions after splitting block. (#1783) by 31666470+s-perron@users.noreply.github.com - https://chromium.googlesource.com/external/github.com/KhronosGroup/SPIRV-Tools/+/ce644d4a2484fe66e53f5b744ebc4d0d5d49e1ca

Remove using std::<foo> statements. (#1756) by dj2@everburning.com - https://chromium.googlesource.com/external/github.com/KhronosGroup/SPIRV-Tools/+/a5a5ea0e2dfce9c755a88af1074ebe68a44d2ed9

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Cc: -31666...@users.noreply.github.com -d...@everburning.com
Owner: stevenperron@google.com
Status: Assigned (was: Untriaged)
Inlining assumes there are no recursive functions, which is true for Vulkan shaders. However, not all shaders are Vulkan shaders. We will need to add something to inlining to avoid loops.
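As an added illustration, not code from SPIRV-Tools or from the commenter: a call-graph walk in the spirit of Pass::ProcessCallTreeFromRoots with the recursion check the comment above calls for, so an exhaustive inliner can refuse a module whose call tree loops instead of following it. The CallGraph type, the function ids and the graphs are constructed here; the real pass walks OpFunctionCall instructions, which this map stands in for.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <vector>

// Constructed stand-in for a module's call graph: function result id ->
// ids of the functions it calls (one entry per OpFunctionCall). SPIR-V ids
// start at 1, so 0 is used below to mean "no recursion found".
using CallGraph = std::map<uint32_t, std::vector<uint32_t>>;

// Depth-first walk that keeps the functions currently on the call stack.
// Reaching a function that is still on the stack is direct or mutual
// recursion; returns that function's id, or 0 when the subtree is acyclic.
static uint32_t CycleFrom(const CallGraph& cg, uint32_t fn,
                          std::set<uint32_t>* on_stack, std::set<uint32_t>* done) {
  if (on_stack->count(fn)) return fn;
  if (done->count(fn)) return 0;  // fully explored earlier, nothing below loops
  on_stack->insert(fn);
  auto it = cg.find(fn);
  if (it != cg.end()) {
    for (uint32_t callee : it->second) {
      if (uint32_t hit = CycleFrom(cg, callee, on_stack, done)) return hit;
    }
  }
  on_stack->erase(fn);
  done->insert(fn);
  return 0;
}

// Check to run before an exhaustive inliner walks the call tree from the
// entry points in |roots|: id of a function that is recursively reachable
// from itself, or 0 when every reachable call chain terminates.
uint32_t FindRecursiveFunction(const CallGraph& cg, const std::vector<uint32_t>& roots) {
  std::set<uint32_t> on_stack, done;
  for (uint32_t root : roots) {
    if (uint32_t hit = CycleFrom(cg, root, &on_stack, &done)) return hit;
  }
  return 0;
}

// Convenience predicate: the inliner may proceed only when this holds.
bool CallTreeIsAcyclic(const CallGraph& cg, const std::vector<uint32_t>& roots) {
  return FindRecursiveFunction(cg, roots) == 0;
}
```

A cycle that no entry point reaches is deliberately ignored, matching a walk that starts only from the entry points.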
Status: Fixed (was: Assigned)
Fixed with https://github.com/KhronosGroup/SPIRV-Tools/pull/2130.
Project Member

Comment 7 by ClusterFuzz, Nov 30

ClusterFuzz has detected this issue as fixed in range 612443:612474.

Detailed report: https://clusterfuzz.com/testcase?key=5189479155105792

Fuzzer: afl_spvtools_opt_size_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  spvtools::opt::Pass::ProcessCallTreeFromRoots
  spvtools::opt::Pass::ProcessEntryPointCallTree
  spvtools::opt::InlineExhaustivePass::ProcessImpl
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=580304:580305
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=612443:612474

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5189479155105792

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by ClusterFuzz, Nov 30

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5189479155105792 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
