Null-dereference WRITE in Ice::CfgNode::appendInst

Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4826870077718528
Fuzzer: metzman_graphicsfuzz_crash_fuzzer
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Null-dereference WRITE
Crash Address: 0x000000000020
Crash State:
  Ice::CfgNode::appendInst
  sw::PixelProgram::RET
  sw::PixelProgram::applyShader
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=543343:543344
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4826870077718528
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Dec 6
Possibly a dup of issue 912435
Dec 6
Sorry for the unminimized testcases. I will post a smaller one if possible.
Dec 6
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5732497469734912.
Dec 7
Detailed report: https://clusterfuzz.com/testcase?key=5732497469734912
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference WRITE
Crash Address: 0x000000000020
Crash State:
  Ice::CfgNode::appendInst
  sw::PixelProgram::RET
  sw::PixelProgram::applyShader
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=543343:543344
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5732497469734912
See https://github.com/google/clusterfuzz-tools for more information.
Dec 7
(another SwiftShader clusterfuzz issue)
Dec 7
I'm going on paternity leave imminently, so reassigning to Alexis. Also CC'ing Jamie and Geoff since there's only an ANGLE change in the regression range. At first glance it looks like a stack overflow to me: The PC is one byte after the SEGV address, and it's a write, so probably a push rbp instruction. Not sure where the extra stack space is being consumed, but it doesn't look like SwiftShader's fault to me.
Dec 8
Detailed report: https://clusterfuzz.com/testcase?key=5095333333565440
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference WRITE
Crash Address: 0x000000000020
Crash State:
  Ice::CfgNode::appendInst
  rr::Nucleus::createLoad
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=543343:543344
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5095333333565440
See https://github.com/google/clusterfuzz-tools for more information.
Dec 10
Actually, a stack overflow would happen near a multiple of the page size, and the stack pointer here is far from that boundary. Also it wouldn't indicate SEGV at 0x000000000020. Instead I think it's doing the InstCountEstimate increment, on a null CfgNode pointer. That would happen if the global ::basicBlock variable at SubzeroReactor.cpp is reset to null. These crashes seem to happen in the middle of Reactor routine generation. It's possible that createBasicBlock() returned null at some point because we're out of memory.
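The null-node diagnosis in the comment above, as an added illustration that is not SwiftShader's or Subzero's code: a constructed CfgNode stand-in whose InstCountEstimate field is placed at offset 0x20 (the layout, the global basicBlock, createBasicBlock() and both appendInst variants are assumptions modelled on the names in the thread), showing why a store through a null block pointer faults at exactly the reported Crash Address and how checking the allocation result at the point of use turns the SEGV into a reportable failure.

```cpp
#include <cstddef>
#include <cstdint>
struct Inst { int opcode; };
// Constructed stand-in for Subzero's CfgNode (assumed layout, 64-bit pointers,
// not SwiftShader's real one): the thread reads the fault at 0x20 as the
// InstCountEstimate increment through a null node, so that field sits at 0x20.
struct CfgNode {
  void* Func;                  // 0x00
  uint32_t Number;             // 0x08
  uint32_t LoopNestDepth;      // 0x0c
  void* InEdges;               // 0x10
  void* OutEdges;              // 0x18
  uint32_t InstCountEstimate;  // 0x20: the "Crash Address" when this == nullptr
  uint32_t NumInsts;           // 0x24
  Inst* Insts[64];             // 0x28 (bounded storage, demo only)
};
// Offset a null-this store to InstCountEstimate would fault at.
constexpr size_t kInstCountOffset = offsetof(CfgNode, InstCountEstimate);
// Global builder state, modelled on ::basicBlock in SubzeroReactor.cpp, and an
// allocation that can fail, modelling createBasicBlock() returning null under OOM.
static CfgNode* basicBlock = nullptr;
static CfgNode* createBasicBlock(bool simulateOom) {
  return simulateOom ? nullptr : new CfgNode{};
}
// Unchecked form (the failure mode in the thread): with basicBlock == nullptr
// the increment writes to address kInstCountOffset and the process SEGVs.
void appendInstUnchecked(Inst* I) {
  ++basicBlock->InstCountEstimate;
  if (basicBlock->NumInsts < 64) basicBlock->Insts[basicBlock->NumInsts++] = I;
}
// Hardened form: a missing current block is reported at the point of use
// instead of surfacing as a null-dereference write inside appendInst.
static bool appendInstChecked(Inst* I) {
  if (basicBlock == nullptr || basicBlock->NumInsts >= 64) return false;
  ++basicBlock->InstCountEstimate;
  basicBlock->Insts[basicBlock->NumInsts++] = I;
  return true;
}
// Drives one block through the checked path; false means the allocation
// failure was caught rather than dereferenced.
static bool runBuilder(bool simulateOom, uint32_t numInsts) {
  static Inst dummy{};
  basicBlock = createBasicBlock(simulateOom);
  bool ok = true;
  for (uint32_t n = 0; n < numInsts && ok; ++n) ok = appendInstChecked(&dummy);
  ok = ok && basicBlock && basicBlock->InstCountEstimate == numInsts;
  delete basicBlock; basicBlock = nullptr;
  return ok;
}
```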
Dec 12
CCing Hugues from GraphicsFuzz
Dec 13
Detailed report: https://clusterfuzz.com/testcase?key=6235159025942528
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Null-dereference WRITE
Crash Address: 0x000000000020
Crash State:
  Ice::CfgNode::appendInst
  rr::Nucleus::createLoad
  rr::Float4::operator=
Sanitizer: undefined (UBSAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6235159025942528
See https://github.com/google/clusterfuzz-tools for more information.
Dec 13
#13 has the GraphicsFuzz-minimized testcase. It isn't minimized by much, which I think is evidence for the theory that this bug is caused by running out of memory.
Dec 13
Detailed report: https://clusterfuzz.com/testcase?key=6235159025942528
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Null-dereference WRITE
Crash Address: 0x000000000020
Crash State:
  Ice::CfgNode::appendInst
  rr::Nucleus::createLoad
  rr::Float4::operator=
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=543343:543344
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6235159025942528
See https://github.com/google/clusterfuzz-tools for more information.
Jan 19 (3 days ago)
ClusterFuzz has detected this issue as fixed in range 624266:624267.
Detailed report: https://clusterfuzz.com/testcase?key=4826870077718528
Fuzzer: metzman_graphicsfuzz_crash_fuzzer
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Null-dereference WRITE
Crash Address: 0x000000000020
Crash State:
  Ice::CfgNode::appendInst
  sw::PixelProgram::RET
  sw::PixelProgram::applyShader
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=543343:543344
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=624266:624267
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4826870077718528
See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 19 (3 days ago)
ClusterFuzz has detected this issue as fixed in range 624266:624267.
Detailed report: https://clusterfuzz.com/testcase?key=6235159025942528
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Null-dereference WRITE
Crash Address: 0x000000000020
Crash State:
  Ice::CfgNode::appendInst
  rr::Nucleus::createLoad
  rr::Float4::operator=
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=543343:543344
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=624266:624267
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6235159025942528
See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 19 (3 days ago)
ClusterFuzz has detected this issue as fixed in range 624262:624279.
Detailed report: https://clusterfuzz.com/testcase?key=5732497469734912
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference WRITE
Crash Address: 0x000000000020
Crash State:
  Ice::CfgNode::appendInst
  sw::PixelProgram::RET
  sw::PixelProgram::applyShader
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=543343:543344
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=624262:624279
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5732497469734912
See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 19 (3 days ago)
ClusterFuzz testcase 5732497469734912 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Dec 6
Labels: Test-Predator-Auto-Components