Issue 908068 link

Starred by 2 users

Issue metadata

Status:	Verified
Owner:	stevenperron@google.com
Closed:	Nov 29
Cc:	vmi...@chromium.org piman@chromium.org dsinclair@chromium.org
Components:	Internals>GPU>Internals
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Stability-Crash Reproducible Stability-Memory-AddressSanitizer Clusterfuzz ClusterFuzz-Verified Stability-AFL Test-Predator-Auto-CC Test-Predator-Auto-Components ClusterFuzz-Auto-CC

Null-dereference READ in spvtools::opt::Pass::ProcessCallTreeFromRoots

Project Member Reported by ClusterFuzz, Nov 23

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5189479155105792

Fuzzer: afl_spvtools_opt_size_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  spvtools::opt::Pass::ProcessCallTreeFromRoots
  spvtools::opt::Pass::ProcessEntryPointCallTree
  spvtools::opt::InlineExhaustivePass::ProcessImpl
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=580304:580305

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5189479155105792

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

Project Member

Comment 1 by ClusterFuzz, Nov 23

Components: Internals>GPU>Internals
Labels: Test-Predator-Auto-Components

Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Project Member

Comment 2 by ClusterFuzz, Nov 23

Cc: dsinclair@chromium.org vmi...@chromium.org piman@chromium.org
Labels: ClusterFuzz-Auto-CC

Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Project Member

Comment 3 by ClusterFuzz, Nov 23

Cc: 31666...@users.noreply.github.com d...@everburning.com
Labels: Test-Predator-Auto-CC

Automatically adding ccs based on suspected regression changelists:

Update OpPhi instructions after splitting block. (#1783) by 31666470+s-perron@users.noreply.github.com - https://chromium.googlesource.com/external/github.com/KhronosGroup/SPIRV-Tools/+/ce644d4a2484fe66e53f5b744ebc4d0d5d49e1ca

Remove using std::<foo> statements. (#1756) by dj2@everburning.com - https://chromium.googlesource.com/external/github.com/KhronosGroup/SPIRV-Tools/+/a5a5ea0e2dfce9c755a88af1074ebe68a44d2ed9

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.

Comment 4 by dsinclair@chromium.org, Nov 26

Cc: -31666...@users.noreply.github.com -d...@everburning.com
Owner: stevenperron@google.com
Status: Assigned (was: Untriaged)

Comment 5 by stevenperron@google.com, Nov 27

Inlining assumes there are no recursive functions, which is true for vulkan shaders.  However, not all shaders are vulkan shaders.  We will need to add something to inlining to avoid loops.

Comment 6 by stevenperron@google.com, Nov 29

Status: Fixed (was: Assigned)

Fixed with https://github.com/KhronosGroup/SPIRV-Tools/pull/2130.

Project Member

Comment 7 by ClusterFuzz, Nov 30

ClusterFuzz has detected this issue as fixed in range 612443:612474.

Detailed report: https://clusterfuzz.com/testcase?key=5189479155105792

Fuzzer: afl_spvtools_opt_size_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000018
Crash State:
  spvtools::opt::Pass::ProcessCallTreeFromRoots
  spvtools::opt::Pass::ProcessEntryPointCallTree
  spvtools::opt::InlineExhaustivePass::ProcessImpl
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=580304:580305
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=612443:612474

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5189479155105792

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member

Comment 8 by ClusterFuzz, Nov 30

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)

ClusterFuzz testcase 5189479155105792 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

►

Issue 908068 link

Issue metadata

Null-dereference READ in spvtools::opt::Pass::ProcessCallTreeFromRoots

Issue description

Comment 1 by ClusterFuzz, Nov 23

Comment 1 Deleted

Comment 2 by ClusterFuzz, Nov 23

Comment 2 Deleted

Comment 3 by ClusterFuzz, Nov 23

Comment 3 Deleted

Comment 4 by dsinclair@chromium.org, Nov 26

Comment 4 Deleted

Comment 5 by stevenperron@google.com, Nov 27

Comment 5 Deleted

Comment 6 by stevenperron@google.com, Nov 29

Comment 6 Deleted

Comment 7 by ClusterFuzz, Nov 30

Comment 7 Deleted

Comment 8 by ClusterFuzz, Nov 30

Comment 8 Deleted

Sign in to add a comment