Issue metadata

Status: Verified
Owner:
Closed: Dec 15
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Issue 914808: Null-dereference READ in dawn_native::FenceBase::OnCompletion

Reported by ClusterFuzz, Dec 13 Project Member

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5368220749660160

Fuzzer: libFuzzer_dawn_wire_server_and_frontend_fuzzer
Fuzz target binary: dawn_wire_server_and_frontend_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  dawn_native::FenceBase::OnCompletion
  dawn_wire::server::Server::PostHandleQueueSignal
  dawn_wire::server::Server::HandleQueueSignal
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=615090:615091

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5368220749660160

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz, Dec 13

Project Member
Cc: kainino@chromium.org cwallez@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Comment 2 by ClusterFuzz, Dec 13

Project Member
Labels: Test-Predator-Auto-Owner
Owner: cwallez@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://dawn.googlesource.com/dawn/+/c3ecb5a77c063f898644fb2fbe51ccf071b827e6 (Temporarily add nullptr checks in frontend).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by cwallez@chromium.org, Dec 13

Components: Internals>GPU>Dawn

Comment 4 by cwallez@chromium.org, Dec 13

Owner: enga@chromium.org
Austin, can you TAL?

Comment 5 by bugdroid1@chromium.org, Dec 14

Project Member
The following revision refers to this bug:
  https://dawn.googlesource.com/dawn/+/08aa58f8d6ed07966cc388ed7bde26976be09a07

commit 08aa58f8d6ed07966cc388ed7bde26976be09a07
Author: Austin Eng <enga@chromium.org>
Date: Fri Dec 14 08:29:38 2018

Check if fence is nullptr in PostHandleQueueSignal

PostHandleQueueSignal assumed that fence was not null because QueueSignal
generates an error if it is. The errors are not surfaced immediately so
this additional check is needed before doing the post-handler.

Bug: chromium:914808
Change-Id: I2a99f5229712d49d3c9a2d1f3f2dd1009247a24c
Reviewed-on: https://dawn-review.googlesource.com/c/3280
Reviewed-by: Kai Ninomiya <kainino@chromium.org>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Corentin Wallez <cwallez@chromium.org>

[modify] https://crrev.com/08aa58f8d6ed07966cc388ed7bde26976be09a07/generator/templates/dawn_wire/WireServer.cpp
[modify] https://crrev.com/08aa58f8d6ed07966cc388ed7bde26976be09a07/src/dawn_native/Fence.cpp
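
The pattern the commit message describes, as an added example that is not Dawn's code: a simplified model of the wire-server handler / post-handler split, where the frontend records a validation error for a null fence instead of returning it, so the post-handler must re-check the object before using it. Device, Fence, ObjectTable, QueueSignal and the Handle* functions are hypothetical stand-ins for the real dawn_native / dawn_wire types, and the object table and command values are constructed for the example.

```cpp
// Added example, not Dawn's code: a simplified model of the wire-server
// handler / post-handler split named in the commit message. Device, Fence,
// ObjectTable, QueueSignal and the Handle* functions are hypothetical
// stand-ins for the real dawn_native / dawn_wire types.
#include <cstdint>
#include <functional>
#include <map>
#include <string>
#include <vector>

// Frontend side: validation failures are queued on the device and surfaced
// later (e.g. through an error callback), never returned to the caller.
struct Device {
    std::vector<std::string> pendingErrors;
    void HandleError(const std::string& msg) { pendingErrors.push_back(msg); }
};

struct Fence {
    uint64_t signaledValue = 0;
    // Runs cb once the fence has reached `value`; completion is immediate here.
    void OnCompletion(uint64_t value, const std::function<void()>& cb) {
        if (signaledValue >= value) cb();
    }
};

// Frontend QueueSignal: a null fence is a validation error recorded on the
// device. Control returns normally, so the caller learns nothing from the
// return path about whether anything was signaled.
void QueueSignal(Device& dev, Fence* fence, uint64_t value) {
    if (fence == nullptr) {
        dev.HandleError("QueueSignal: fence is nullptr");
        return;
    }
    fence->signaledValue = value;
}

// Wire-server object table: ids arrive in the client's command stream, which
// the server cannot trust, and unknown ids resolve to nullptr.
struct ObjectTable {
    std::map<uint32_t, Fence*> fences;
    Fence* Lookup(uint32_t id) const {
        auto it = fences.find(id);
        return it == fences.end() ? nullptr : it->second;
    }
};

// Before the fix: the post-handler assumed QueueSignal had rejected a null
// fence, but that rejection is a deferred error, so the dereference still ran.
bool HandleQueueSignalUnchecked(Device& dev, const ObjectTable& table,
                                uint32_t fenceId, uint64_t value, int& completions) {
    Fence* fence = table.Lookup(fenceId);
    QueueSignal(dev, fence, value);
    // Null-dereference READ when fenceId is unknown.
    fence->OnCompletion(value, [&completions] { ++completions; });
    return true;
}

// After the fix: the post-handler re-checks the object it is about to use and
// skips its work when the frontend has already recorded the error.
bool HandleQueueSignalChecked(Device& dev, const ObjectTable& table,
                              uint32_t fenceId, uint64_t value, int& completions) {
    Fence* fence = table.Lookup(fenceId);
    QueueSignal(dev, fence, value);
    if (fence == nullptr) {
        return false;  // error already queued on the device; no post-handler
    }
    fence->OnCompletion(value, [&completions] { ++completions; });
    return true;
}

// Valid signal followed by a signal naming an unknown fence id, both through
// the checked handler. True when the unknown id is rejected without a crash,
// exactly one completion callback ran and exactly one error was recorded.
bool RunScenario() {
    Device dev;
    Fence fence;
    ObjectTable table;
    table.fences[1] = &fence;  // constructed table: one known fence, id 1
    int completions = 0;
    bool ok = HandleQueueSignalChecked(dev, table, 1, 5, completions);
    bool rejected = !HandleQueueSignalChecked(dev, table, 42, 5, completions);
    return ok && rejected && completions == 1 && dev.pendingErrors.size() == 1;
}

// The unchecked handler on a valid id: behaves identically to the fixed one,
// which is why the bug only surfaced under fuzzing with malformed commands.
int UncheckedValidPath() {
    Device dev;
    Fence fence;
    ObjectTable table;
    table.fences[7] = &fence;
    int completions = 0;
    HandleQueueSignalUnchecked(dev, table, 7, 3, completions);
    return completions;
}

int main() { return RunScenario() ? 0 : 1; }
```

The point the model makes is that a deferred-error API gives the caller no synchronous signal that validation failed, so any code that runs after the call and touches the validated object needs its own check; a libFuzzer target feeding arbitrary ids into the command stream is exactly what exercises that gap.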

Comment 6 by cwallez@chromium.org, Dec 14

Cc: metzman@chromium.org
Issue 914702 has been merged into this issue.

Comment 7 by bugdroid1@chromium.org, Dec 14

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/077627c4b36951e18027659d96f43c3ad45f9cf4

commit 077627c4b36951e18027659d96f43c3ad45f9cf4
Author: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Date: Fri Dec 14 15:55:14 2018

Roll src/third_party/dawn fd3717fa7cbc..08aa58f8d6ed (1 commits)

https://dawn.googlesource.com/dawn.git/+log/fd3717fa7cbc..08aa58f8d6ed


git log fd3717fa7cbc..08aa58f8d6ed --date=short --no-merges --format='%ad %ae %s'
2018-12-14 enga@chromium.org Check if fence is nullptr in PostHandleQueueSignal


Created with:
  gclient setdep -r src/third_party/dawn@08aa58f8d6ed

The AutoRoll server is located here: https://autoroll.skia.org/r/dawn-chromium-autoroll

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.

CQ_INCLUDE_TRYBOTS=luci.chromium.try:linux_optional_gpu_tests_rel;luci.chromium.try:mac_optional_gpu_tests_rel;luci.chromium.try:win_optional_gpu_tests_rel

BUG=chromium:914808
TBR=cwallez@chromium.org

Change-Id: I043c6aecb7c0f0b9cee7fa1d2d082ab570ee6285
Reviewed-on: https://chromium-review.googlesource.com/c/1378194
Reviewed-by: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Commit-Queue: chromium-autoroll <chromium-autoroll@skia-public.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#616691}
[modify] https://crrev.com/077627c4b36951e18027659d96f43c3ad45f9cf4/DEPS

Comment 8 by ClusterFuzz, Dec 15

Project Member
ClusterFuzz has detected this issue as fixed in range 616675:616692.

Detailed report: https://clusterfuzz.com/testcase?key=5368220749660160

Fuzzer: libFuzzer_dawn_wire_server_and_frontend_fuzzer
Fuzz target binary: dawn_wire_server_and_frontend_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  dawn_native::FenceBase::OnCompletion
  dawn_wire::server::Server::PostHandleQueueSignal
  dawn_wire::server::Server::HandleQueueSignal
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=615090:615091
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_ubsan&range=616675:616692

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5368220749660160

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by ClusterFuzz, Dec 15

Project Member
Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5368220749660160 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
