Issue 915002 link

Starred by 1 user

Issue metadata

Status:	Duplicate
Merged:	issue 873225
Owner:	stevenperron@google.com
Closed:	Jan 16
Cc:	vmi...@chromium.org piman@chromium.org dsinclair@chromium.org
Components:	Internals>GPU>ANGLE Internals>GPU>Dawn Internals>GPU>Internals
EstimatedDays:	----
NextAction:	----
OS:	Linux , Chrome
Pri:	1
Type:	Bug
Stability-Crash Reproducible Stability-Memory-AddressSanitizer Stability-Libfuzzer Clusterfuzz ClusterFuzz-Auto-CC

Null-dereference READ in spvtools::opt::Instruction::TypeResultIdCount

Project Member Reported by ClusterFuzz, Dec 13

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5685621919842304

Fuzzer: libFuzzer_spvtools_opt_size_fuzzer
Fuzz target binary: spvtools_opt_size_fuzzer
Job Type: chromeos_libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x00000000002c
Crash State:
  spvtools::opt::Instruction::TypeResultIdCount
  spvtools::opt::Instruction::GetSingleWordInOperand
  spvtools::opt::ScalarReplacementPass::GetStorageType
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5685621919842304

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Project Member

Comment 1 by ClusterFuzz, Dec 13

Cc: dsinclair@chromium.org vmi...@chromium.org piman@chromium.org
Labels: ClusterFuzz-Auto-CC

Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.

Project Member

Comment 2 by ClusterFuzz, Dec 15

Labels: OS-Linux

Comment 3 by tsepez@chromium.org, Jan 7

Components: Internals>GPU>Internals

Comment 4 by danakj@google.com, Jan 11

Components: Internals>GPU>ANGLE
Owner: cwallez@chromium.org
Status: Assigned (was: Untriaged)

This is a crash in a SPIRV fuzzer.

 #11 0x55f81fec8827 in spvtools::opt::Pass::Run(spvtools::opt::IRContext*) third_party/SPIRV-Tools/src/source/opt/pass.cpp:39:25
    #12 0x55f81feca074 in spvtools::opt::PassManager::Run(spvtools::opt::IRContext*) third_party/SPIRV-Tools/src/source/opt/pass_manager.cpp:50:35
    #13 0x55f81fe8000a in spvtools::Optimizer::Run(unsigned int const*, unsigned long, std::__Cr::vector<unsigned int, std::__Cr::allocator<unsigned int> >*, spv_optimizer_options_t*) const third_party/SPIRV-Tools/src/source/opt/optimizer.cpp:499:37
    #14 0x55f81fe7fd20 in spvtools::Optimizer::Run(unsigned int const*, unsigned long, std::__Cr::vector<unsigned int, std::__Cr::allocator<unsigned int> >*) const third_party/SPIRV-Tools/src/source/opt/optimizer.cpp:465:10
    #15 0x55f81fdfcd33 in LLVMFuzzerTestOneInput third_party/SPIRV-Tools/src/test/fuzzers/spvtools_opt_size_fuzzer.cpp:35:13

It may need an upstream fix.

Comment 5 by jmadill@google.com, Jan 11

Components: Internals>GPU>Dawn

Comment 6 by piman@chromium.org, Jan 11

Cc: -dsinclair@chromium.org stevenperron@google.com
Owner: dsinclair@chromium.org

Comment 7 by dsinclair@chromium.org, Jan 14

Cc: -stevenperron@google.com dsinclair@chromium.org
Owner: stevenperron@google.com

Comment 8 by stevenperron@google.com, Jan 16 (6 days ago)

Mergedinto: 873225
Status: Duplicate (was: Assigned)

►

Issue 915002 link

Issue metadata

Null-dereference READ in spvtools::opt::Instruction::TypeResultIdCount

Issue description

Comment 1 by ClusterFuzz, Dec 13

Comment 1 Deleted

Comment 2 by ClusterFuzz, Dec 15

Comment 2 Deleted

Comment 3 by tsepez@chromium.org, Jan 7

Comment 3 Deleted

Comment 4 by danakj@google.com, Jan 11

Comment 4 Deleted

Comment 5 by jmadill@google.com, Jan 11

Comment 5 Deleted

Comment 6 by piman@chromium.org, Jan 11

Comment 6 Deleted

Comment 7 by dsinclair@chromium.org, Jan 14

Comment 7 Deleted

Comment 8 by stevenperron@google.com, Jan 16 (6 days ago)

Comment 8 Deleted

Sign in to add a comment