
Issue 911700 link


Issue metadata

Status: Verified
Owner:
Last visit 18 days ago
Closed: Jan 4
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug




Null-dereference READ in spvtools::val::MemoryPass

Project Member Reported by ClusterFuzz, Dec 4

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6342049013694464

Fuzzer: libFuzzer_spvtools_opt_legalization_fuzzer
Fuzz target binary: spvtools_opt_legalization_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000000003a
Crash State:
  spvtools::val::MemoryPass
  spvtools::val::ValidateBinaryUsingContextAndValidationState
  spvValidateWithOptions
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=611026:611388

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6342049013694464

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing_on_windows.md for more information.
 
Project Member

Comment 1 by ClusterFuzz, Dec 4

Components: Internals>GPU>Internals
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Dec 4

Labels: Test-Predator-Auto-Owner
Owner: stevenperron@google.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/external/github.com/KhronosGroup/SPIRV-Tools/+/4e22b601224b1ddc3eb60ab38d9d1d89e81135e5 (Add validation for OpArrayLength. (#2117)).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Owner: alanbaker@google.com
Alan, this fails because there is an OpLabel (which does not have a type id) used in the array length instruction.

Do you want to do something similar to what you did for types?
Instructions that can reference an id that does not have a type:
OpType*
decorations
OpFunction
branches
debug
ext instructions
OpPhi
merge instructions

This is a bit of a long list. I'm not sure if it's as clear cut as the other case to add the check.
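As an added illustration that is not code from SPIRV-Tools or from this thread, the following self-contained Python model shows the guard the diagnosis above implies: before the validator follows the OpArrayLength structure operand to its type, it must check that the referenced id has a result type at all, since an OpLabel does not, and only then carry on to the remaining operand requirements (a pointer to a struct whose last member is a runtime array). The word encoding, the `w`/`parse`/`build_defs` helpers and the two constructed modules are the example's own assumptions.

```python
# Constructed, stand-alone model of the validator step that crashed above; not SPIRV-Tools code.
OP_TYPE_INT, OP_TYPE_RUNTIME_ARRAY, OP_TYPE_STRUCT, OP_TYPE_POINTER = 21, 29, 30, 32
OP_VARIABLE, OP_ARRAY_LENGTH, OP_LABEL = 59, 68, 248  # opcode numbers per the SPIR-V spec
# Subset of opcodes whose result id carries no result type (first operand is the id).
TYPELESS_RESULT = {OP_TYPE_INT, OP_TYPE_RUNTIME_ARRAY, OP_TYPE_STRUCT, OP_TYPE_POINTER, OP_LABEL}

def w(opcode, *operands):  # encode one instruction: word count << 16 | opcode
    return [((len(operands) + 1) << 16) | opcode, *operands]

def parse(words):  # flat word list -> [(opcode, operand words)]
    insts, i = [], 0
    while i < len(words):
        wc, op = words[i] >> 16, words[i] & 0xFFFF
        insts.append((op, words[i + 1:i + wc]))
        i += wc
    return insts

def build_defs(insts):  # result id -> (opcode, type id or None, operands)
    defs = {}
    for op, ops in insts:
        if op in TYPELESS_RESULT:
            defs[ops[0]] = (op, None, ops)
        elif op in (OP_VARIABLE, OP_ARRAY_LENGTH):  # result type precedes result id
            defs[ops[1]] = (op, ops[0], ops)
    return defs

def check_array_length(defs, ops):  # None if the structure operand is well-formed
    sid = ops[2]
    sdef = defs.get(sid)
    if sdef is None or sdef[1] is None:  # the missing guard: an OpLabel result has no type
        return f"OpArrayLength structure id {sid} has no result type"
    ptr = defs.get(sdef[1])
    if ptr is None or ptr[0] != OP_TYPE_POINTER:
        return f"OpArrayLength structure id {sid} is not a pointer"
    struct = defs.get(ptr[2][2])  # OpTypePointer operands: id, storage class, pointee
    if struct is None or struct[0] != OP_TYPE_STRUCT or len(struct[2]) < 2:
        return f"OpArrayLength structure id {sid} does not point to a struct"
    last = defs.get(struct[2][-1])
    if last is None or last[0] != OP_TYPE_RUNTIME_ARRAY:
        return "OpArrayLength struct's last member is not a runtime array"
    return None

def validate(words):  # None means every OpArrayLength in the module passed
    insts = parse(words)
    defs = build_defs(insts)
    errors = [check_array_length(defs, ops) for op, ops in insts if op == OP_ARRAY_LENGTH]
    return next((e for e in errors if e), None)

# Constructed modules: %5 is a StorageBuffer (class 12) pointer to a struct ending in a
# runtime array; %6 is an OpLabel with no type, as in the fuzzer's test case.
PREFIX = (w(OP_TYPE_INT, 1, 32, 0) + w(OP_TYPE_RUNTIME_ARRAY, 2, 1) + w(OP_TYPE_STRUCT, 3, 2)
          + w(OP_TYPE_POINTER, 4, 12, 3) + w(OP_VARIABLE, 4, 5, 12) + w(OP_LABEL, 6))
GOOD_MODULE = PREFIX + w(OP_ARRAY_LENGTH, 1, 7, 5, 0)
BAD_MODULE = PREFIX + w(OP_ARRAY_LENGTH, 1, 7, 6, 0)
```

Without the `sdef[1] is None` guard, the type lookup for the label's (absent) type id is exactly the step that dereferences nothing, which is the shape of the crash reported above.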
The documentation for reproducing on Windows has been moved to https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md
Cc: alanbaker@google.com piman@chromium.org vmi...@chromium.org dsinclair@chromium.org
Issue 915117 has been merged into this issue.
Status: Started (was: Assigned)
Project Member

Comment 8 by ClusterFuzz, Jan 2

Labels: OS-Linux
Project Member

Comment 9 by ClusterFuzz, Jan 4

ClusterFuzz has detected this issue as fixed in range 619747:619771.

Detailed report: https://clusterfuzz.com/testcase?key=6342049013694464

Fuzzer: libFuzzer_spvtools_opt_legalization_fuzzer
Fuzz target binary: spvtools_opt_legalization_fuzzer
Job Type: windows_libfuzzer_chrome_asan
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000000003a
Crash State:
  spvtools::val::MemoryPass
  spvtools::val::ValidateBinaryUsingContextAndValidationState
  spvValidateWithOptions
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=611026:611388
Fixed: https://clusterfuzz.com/revisions?job=windows_libfuzzer_chrome_asan&range=619747:619771

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6342049013694464

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by ClusterFuzz, Jan 4

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 6342049013694464 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
