Null-dereference READ in spvtools::val::Instruction::opcode
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6111469034536960
Fuzzer: libFuzzer_spvtools_val_fuzzer
Fuzz target binary: spvtools_val_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x00000000003a
Crash State:
  spvtools::val::Instruction::opcode
  spvtools::val::ValidateArrayLength
  spvtools::val::MemoryPass
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=611369:611409
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6111469034536960

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Dec 14
Automatically adding ccs based on OWNERS file / target commit history. If this is incorrect, please add ClusterFuzz-Wrong label.
Dec 14
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/external/github.com/KhronosGroup/SPIRV-Tools/+/4e22b601224b1ddc3eb60ab38d9d1d89e81135e5 (Add validation for OpArrayLength. (#2117)). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Dec 16
Jan 2
A label is passed as the array argument in an ArrayLength instruction.
%20 = OpLabel
%24 = OpArrayLength %uint %20 16
This is the same as a type id being given as the array argument. I could check that the type id for the array argument is not 0 (https://github.com/KhronosGroup/SPIRV-Tools/pull/2155), but Alan said he did not want that. It would be needed in so many places. He decided to check it in another way. I'll pass this to him to see if he wants to handle it in the same way.
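Added illustration (editor's example, not code from this issue or from SPIRV-Tools): a reduced C++ model of the situation the comment above describes. OpLabel has no result type, so the id it defines carries type id 0; a validator that looks up that type id and dereferences the result without checking it reads through a null pointer, which is the crash state in the report. The guarded function checks every lookup and validates the operand against the OpArrayLength rules from the SPIR-V specification (Structure is a pointer to an OpTypeStruct whose last member is an OpTypeRuntimeArray, Array member indexes that last member). The Module, FindDef and Verdict names and the two constructed modules are assumptions made for the example, not SPIRV-Tools' fix.

```cpp
// Reduced model of validator state; not SPIRV-Tools code. Names are illustrative.
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

enum class Op { TypeInt, TypeRuntimeArray, TypeStruct, TypePointer, Variable, Label, ArrayLength };

struct Instruction {
  Op opcode;
  uint32_t result_id;              // 0 when the instruction defines no id
  uint32_t type_id;                // 0 when it has no result type (OpLabel, all OpType*)
  std::vector<uint32_t> operands;  // remaining words: ids or literals, depending on opcode
};

class Module {
 public:
  void Add(Instruction inst) { if (inst.result_id != 0) defs_[inst.result_id] = std::move(inst); }
  // Id 0 is never a valid SPIR-V id, so FindDef(0) always yields nullptr.
  const Instruction* FindDef(uint32_t id) const {
    auto it = defs_.find(id);
    return it == defs_.end() ? nullptr : &it->second;
  }
 private:
  std::map<uint32_t, Instruction> defs_;
};

// The crash pattern: the Structure operand's type is looked up and dereferenced
// without checking the lookup. On the reported input %20 is an OpLabel, so
// structure->type_id is 0, FindDef(0) is nullptr, and reading ->opcode through it
// is the "Null-dereference READ" in the crash state. Correct on well-formed input.
bool StructureIsPointerUnguarded(const Module& m, const Instruction& al) {
  const Instruction* structure = m.FindDef(al.operands[0]);
  const Instruction* type = m.FindDef(structure->type_id);
  return type->opcode == Op::TypePointer;  // undefined behaviour when type is nullptr
}

enum class Verdict { Ok, NotAnArrayLength, ResultNotUint32, StructureUndefined, StructureHasNoType,
                     NotPointer, NotPointerToStruct, LastMemberNotRuntimeArray, IndexNotLastMember };

// Guarded form: every id lookup is checked before use, then the OpArrayLength
// operand rules are applied. An OpLabel operand is rejected as StructureHasNoType.
Verdict ValidateArrayLengthGuarded(const Module& m, const Instruction& al) {
  const Instruction* result_type = m.FindDef(al.type_id);
  if (!result_type || result_type->opcode != Op::TypeInt || result_type->operands[0] != 32)
    return Verdict::ResultNotUint32;
  const Instruction* structure = m.FindDef(al.operands[0]);
  if (!structure) return Verdict::StructureUndefined;
  if (structure->type_id == 0) return Verdict::StructureHasNoType;
  const Instruction* ptr = m.FindDef(structure->type_id);
  if (!ptr || ptr->opcode != Op::TypePointer) return Verdict::NotPointer;
  const Instruction* pointee = m.FindDef(ptr->operands[1]);  // OpTypePointer: storage class, type
  if (!pointee || pointee->opcode != Op::TypeStruct || pointee->operands.empty())
    return Verdict::NotPointerToStruct;
  const Instruction* last = m.FindDef(pointee->operands.back());
  if (!last || last->opcode != Op::TypeRuntimeArray) return Verdict::LastMemberNotRuntimeArray;
  if (al.operands[1] != pointee->operands.size() - 1) return Verdict::IndexNotLastMember;
  return Verdict::Ok;
}

// Validate the OpArrayLength whose result id is `id`.
Verdict ValidateArrayLengthById(const Module& m, uint32_t id) {
  const Instruction* al = m.FindDef(id);
  return (al && al->opcode == Op::ArrayLength) ? ValidateArrayLengthGuarded(m, *al)
                                               : Verdict::NotAnArrayLength;
}

// Constructed well-formed module:
//   %uint = OpTypeInt 32 0 ; %rta = OpTypeRuntimeArray %uint ; %s = OpTypeStruct %uint %rta
//   %ptr = OpTypePointer StorageBuffer %s ; %v = OpVariable %ptr StorageBuffer
//   %len = OpArrayLength %uint %v 1
Module BuildWellFormed() {
  Module m;
  m.Add({Op::TypeInt, 1, 0, {32, 0}});
  m.Add({Op::TypeRuntimeArray, 2, 0, {1}});
  m.Add({Op::TypeStruct, 3, 0, {1, 2}});
  m.Add({Op::TypePointer, 4, 0, {12, 3}});  // 12 = StorageBuffer storage class
  m.Add({Op::Variable, 5, 4, {12}});
  m.Add({Op::ArrayLength, 6, 1, {5, 1}});
  return m;
}

// Constructed module with the shape quoted in the comment above:
//   %uint = OpTypeInt 32 0 ; %20 = OpLabel ; %24 = OpArrayLength %uint %20 16
Module BuildReported() {
  Module m;
  m.Add({Op::TypeInt, 1, 0, {32, 0}});
  m.Add({Op::Label, 20, 0, {}});
  m.Add({Op::ArrayLength, 24, 1, {20, 16}});
  return m;
}

int main() {
  Module good = BuildWellFormed();
  Module bad = BuildReported();
  std::printf("unguarded, well-formed: %s\n",
              StructureIsPointerUnguarded(good, *good.FindDef(6)) ? "pointer" : "not a pointer");
  // StructureIsPointerUnguarded(bad, *bad.FindDef(24)) would dereference nullptr here.
  std::printf("guarded, well-formed: %d\n", static_cast<int>(ValidateArrayLengthById(good, 6)));
  std::printf("guarded, reported:    %d\n", static_cast<int>(ValidateArrayLengthById(bad, 24)));
  return 0;
}
```

The unguarded check passes on the well-formed module, which is why the defect only surfaces on fuzzer-generated input; the guarded check reports the OpLabel operand instead of crashing.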
Jan 2
Jan 4
ClusterFuzz has detected this issue as fixed in range 619756:619758.

Detailed report: https://clusterfuzz.com/testcase?key=6111469034536960
Fuzzer: libFuzzer_spvtools_val_fuzzer
Fuzz target binary: spvtools_val_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x00000000003a
Crash State:
  spvtools::val::Instruction::opcode
  spvtools::val::ValidateArrayLength
  spvtools::val::MemoryPass
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=611369:611409
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=619756:619758
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6111469034536960

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by ClusterFuzz, Dec 14. Labels: Test-Predator-Auto-Components