[naga] Detected panics during fuzzing

Open 0x64617061 opened this issue 7 months ago • 0 comments

Description

I did fuzz runs with naga fuzz targets with Rust overflow checks enabled and detected numerous different panics/issues:

  • glsl_parser
    • naga/src/front/glsl/offset.rs:88:53 attempt to multiply with overflow
    • naga/src/front/mod.rs:76:25 index out of bounds: the len is 2 but the index is 3
    • naga/src/proc/constant_evaluator.rs:404:19 index out of bounds: the len is 1 but the index is 1
    • naga/src/proc/mod.rs:495:20 index out of bounds: the len is 0 but the index is 0
    • naga/src/proc/type_methods.rs:218:17 attempt to multiply with overflow
    • UNKNOWN stack overflow
  • ir
    • naga/src/proc/constant_evaluator.rs:404:19 index out of bounds: the len is 0 but the index is 0 (see glsl_parser)
    • naga/naga/src/proc/type_methods.rs:218:17 attempt to multiply with overflow (see glsl_parser/spv_parser)
    • naga/src/proc/typifier.rs:445:44 index out of bounds: the len is 0 but the index is 0
    • naga/src/proc/typifier.rs:745:44 index out of bounds: the len is 0 but the index is 0
    • naga/src/valid/analyzer.rs:1169:83 index out of bounds: the len is 1 but the index is 62
    • naga/src/valid/expression.rs:1093:30 index out of bounds: the len is 0 but the index is 3324497870
    • naga/src/valid/interface.rs:693:72 internal error: entered unreachable code
    • naga/src/valid/type.rs:676:36 attempt to subtract with overflow
    • UNKNOWN stack overflow
  • spv_parser
    • naga/src/front/spv/mod.rs:4854:42 index out of bounds: the len is 0 but the index is 0
    • naga/src/front/spv/mod.rs:4854:51 index out of bounds: the len is 1 but the index is 1
    • naga/src/front/spv/mod.rs:4854:60 index out of bounds: the len is 2 but the index is 2
    • naga/src/front/spv/mod.rs:5229:47 called Result::unwrap() on an Err value: LayoutError
    • naga/src/front/spv/mod.rs:5310:47 called Result::unwrap() on an Err value: LayoutError
    • naga/src/front/spv/mod.rs:5361:47 called Result::unwrap() on an Err value: LayoutError
    • naga/src/front/spv/mod.rs:5393:13 attempt to add with overflow
    • naga/src/proc/type_methods.rs:218:17 attempt to multiply with overflow (see glsl_parser/ir)

I tried to search through the existing issues to avoid duplicates. Sorry if I missed something.

Repro steps

I have attached an archive with the example input files that lead to the respective crash generated by the fuzzer. (see "Extra materials")

Expected vs observed behavior

The code should not panic/crash.

Extra materials

naga_panic_inputs.zip

Platform

Commit f04391d916d4cc34ca85944f27f2e050c14f56c3. My test environment is based on Ubuntu Linux 22.04 and Rust v1.86.0.

0x64617061 • May 12 '25 18:05
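Two of the panic classes in the report, "index out of bounds" and "attempt to multiply with overflow", are what Rust raises when code indexes a slice or multiplies integers without checking them first. The following is an added illustration, not naga code and not part of the original issue: it contrasts a panic-prone size calculation with a form that returns an error instead. `array_span`, `array_span_unchecked`, `SizeError` and the two-operand layout are hypothetical names and assumptions made for the example.

```rust
// Added example with hypothetical names; this is not code from naga.

#[derive(Debug, PartialEq)]
enum SizeError {
    /// Fewer operands were supplied than the calculation needs.
    Truncated { needed: usize, len: usize },
    /// stride * count does not fit in u32.
    Overflow,
}

/// Panic-prone form. `operands[1]` panics on a short slice, and the
/// multiplication panics when overflow checks are enabled (it wraps
/// silently when they are not).
#[allow(dead_code)]
fn array_span_unchecked(operands: &[u32]) -> u32 {
    operands[0] * operands[1]
}

/// Hardened form: every failure becomes an `Err` the caller can report
/// as a parse or validation error, so malformed input cannot abort the
/// process.
fn array_span(operands: &[u32]) -> Result<u32, SizeError> {
    let fetch = |i: usize| {
        operands.get(i).copied().ok_or(SizeError::Truncated {
            needed: i + 1,
            len: operands.len(),
        })
    };
    let stride = fetch(0)?;
    let count = fetch(1)?;
    stride.checked_mul(count).ok_or(SizeError::Overflow)
}

fn main() {
    // Constructed inputs: well-formed, truncated, and overflowing.
    let cases: [&[u32]; 3] = [&[16, 4], &[16], &[0x1_0000, 0x1_0000]];
    for c in cases.iter() {
        println!("{:?} -> {:?}", c, array_span(c));
    }
}
```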