Null-dereference READ in spvtools::val::MemoryPass |
|||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6342049013694464 Fuzzer: libFuzzer_spvtools_opt_legalization_fuzzer Fuzz target binary: spvtools_opt_legalization_fuzzer Job Type: windows_libfuzzer_chrome_asan Platform Id: windows Crash Type: Null-dereference READ Crash Address: 0x00000000003a Crash State: spvtools::val::MemoryPass spvtools::val::ValidateBinaryUsingContextAndValidationState spvValidateWithOptions Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=611026:611388 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6342049013694464 Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing_on_windows.md for more information.
,
Dec 4
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/external/github.com/KhronosGroup/SPIRV-Tools/+/4e22b601224b1ddc3eb60ab38d9d1d89e81135e5 (Add validation for OpArrayLength. (#2117)). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Dec 4
Alan, this fails because there is a OpLabel (which does not have a type id) used in the array length instruction. Do you want to do something similar to what you did for types?
,
Dec 7
Instructions that can reference an id that does not have a type: OpType* decorations OpFunction branches debug ext instructions OpPhi merge instructions This is a bit of a long list. I'm not sure if its as clear cut as the other case to add the check.
,
Dec 14
The documentation for reproducing on Windows has been moved to https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md
,
Jan 2
Issue 915117 has been merged into this issue.
,
Jan 2
,
Jan 2
,
Jan 4
ClusterFuzz has detected this issue as fixed in range 619747:619771. Detailed report: https://clusterfuzz.com/testcase?key=6342049013694464 Fuzzer: libFuzzer_spvtools_opt_legalization_fuzzer Fuzz target binary: spvtools_opt_legalization_fuzzer Job Type: windows_libfuzzer_chrome_asan Platform Id: windows Crash Type: Null-dereference READ Crash Address: 0x00000000003a Crash State: spvtools::val::MemoryPass spvtools::val::ValidateBinaryUsingContextAndValidationState spvValidateWithOptions Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=611026:611388 Fixed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=619747:619771 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6342049013694464 See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for instructions to reproduce this bug locally. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 4
ClusterFuzz testcase 6342049013694464 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by ClusterFuzz
, Dec 4Labels: Test-Predator-Auto-Components