
Issue metadata

Status: Verified
Owner:
Closed: Dec 16
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Issue 914641: Null-dereference WRITE in dawn_native::CommandAllocator::Allocate

Reported by ClusterFuzz (Project Member), Dec 13

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4670423217995776

Fuzzer: libFuzzer_dawn_wire_server_and_frontend_fuzzer
Fuzz target binary: dawn_wire_server_and_frontend_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Null-dereference WRITE
Crash Address: 0x000000000000
Crash State:
  dawn_native::CommandAllocator::Allocate
  dawn_native::CommandBufferBuilder::PassEnded
  dawn_native::ProgrammablePassEncoder::EndPass
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=614680:614682

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4670423217995776

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 

Comment 1 by ClusterFuzz (Project Member), Dec 13
Cc: kainino@chromium.org cwallez@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Comment 2 by ClusterFuzz (Project Member), Dec 13
Labels: Test-Predator-Auto-Owner
Owner: cwallez@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://dawn.googlesource.com/dawn/+/6f0e1f9d8235842e3c1130e4133e92e850166584 (Remove BufferView and inline offset/size in BindGroup).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by cwallez@chromium.org, Dec 13

Components: Internals>GPU>Dawn

Comment 4 by bugdroid1@chromium.org (Project Member), Dec 15
The following revision refers to this bug:
  https://dawn.googlesource.com/dawn/+/28c1fba1c02eb0c8fedb9794645e4a2dc06d1904

commit 28c1fba1c02eb0c8fedb9794645e4a2dc06d1904
Author: Corentin Wallez <cwallez@chromium.org>
Date: Sat Dec 15 10:34:42 2018

Validate CommandBuffers aren't ended mid pass.

Also adds regression tests.

BUG=chromium:914566
BUG=chromium:914641

Change-Id: Ic1f9f2440580c3598831c8b2d1310e81aa944133
Reviewed-on: https://dawn-review.googlesource.com/c/3321
Reviewed-by: Austin Eng <enga@chromium.org>
Reviewed-by: Kai Ninomiya <kainino@chromium.org>
Commit-Queue: Corentin Wallez <cwallez@chromium.org>

[modify] https://crrev.com/28c1fba1c02eb0c8fedb9794645e4a2dc06d1904/src/tests/unittests/validation/CommandBufferValidationTests.cpp
[modify] https://crrev.com/28c1fba1c02eb0c8fedb9794645e4a2dc06d1904/src/dawn_native/CommandBuffer.cpp

Comment 5 by bugdroid1@chromium.org (Project Member), Dec 15
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/83210270d62def978519e834576bd10dd227da6d

commit 83210270d62def978519e834576bd10dd227da6d
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Sat Dec 15 17:36:23 2018

Roll src/third_party/dawn e018292bed9c..28c1fba1c02e (1 commits)

https://dawn.googlesource.com/dawn.git/+log/e018292bed9c..28c1fba1c02e


git log e018292bed9c..28c1fba1c02e --date=short --no-merges --format='%ad %ae %s'
2018-12-15 cwallez@chromium.org Validate CommandBuffers aren't ended mid pass.


Created with:
  gclient setdep -r src/third_party/dawn@28c1fba1c02e

The AutoRoll server is located here: https://autoroll.skia.org/r/dawn-chromium-autoroll

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.

CQ_INCLUDE_TRYBOTS=luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel

BUG=chromium:914566, chromium:914641
TBR=cwallez@chromium.org

Change-Id: I24d5b0e1608bb4bcdb9252dcf86c4bce87aaba37
Reviewed-on: https://chromium-review.googlesource.com/c/1379339
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#616985}
[modify] https://crrev.com/83210270d62def978519e834576bd10dd227da6d/DEPS

Comment 6 by ClusterFuzz (Project Member), Dec 16
ClusterFuzz has detected this issue as fixed in range 616984:616985.

Detailed report: https://clusterfuzz.com/testcase?key=4670423217995776

Fuzzer: libFuzzer_dawn_wire_server_and_frontend_fuzzer
Fuzz target binary: dawn_wire_server_and_frontend_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Null-dereference WRITE
Crash Address: 0x000000000000
Crash State:
  dawn_native::CommandAllocator::Allocate
  dawn_native::CommandBufferBuilder::PassEnded
  dawn_native::ProgrammablePassEncoder::EndPass
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=614680:614682
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=616984:616985

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4670423217995776

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by ClusterFuzz (Project Member), Dec 16
Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4670423217995776 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
