Status: Fixed
Closed: May 2015
OS: All
Pri: 1
Type: Bug-Security
UNKNOWN in v8::internal::Simulator::DecodeType3
Project Member Reported by ClusterFuzz, Mar 31 2014
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4773635457810432

Fuzzer: Mbarbella_js_mutation
Job Type: Linux_asan_d8_v8_arm

Crash Type: UNKNOWN
Crash Address: 0xdb015969
Crash State:
  - crash stack -
  v8::internal::Simulator::DecodeType3
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::CallInternal
  
Regressed: https://cluster-fuzz.appspot.com/revisions?range=259842:259888

Minimized Testcase (3.28 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97XDdmCr_Ihh8P9T39bQGajO3Y1a7Xy7YHItpBDnnkbnfD7_1uwLRFzgQL1PRvwzY2eOMvdkUgyGoXldTaGr4QLQNVnb-g2XVascS4dMsvgEF39CY2dtUTnWmfZTHr8Ay8twL1rmFva88oOuqDvaAl9qubtLA
 
Cc: danno@chromium.org
Danno, could you help find an owner for this when you get a chance?

Minimized repro:

// Repro as filed. %OptimizeFunctionOnNextCall is a V8 native and needs d8
// to be started with --allow-natives-syntax.
__v_0 = new Uint8ClampedArray(10);
function __f_12(__v_6) {
  if (__v_6 < 0) {
    // Negative key plus a constant offset: -1 + 10 is an in-bounds index.
    __v_1 = __v_0[__v_6 + 10];
  }
}
__f_12(-1);                           // first call runs unoptimized code
%OptimizeFunctionOnNextCall(__f_12);  // request optimized compilation
__f_12(-1);                           // second call runs the optimized code
Project Member Comment 2 by ClusterFuzz, Mar 31 2014
Labels: Pri-1
Comment 3 by danno@chromium.org, Mar 31 2014
Labels: M-34
Comment 4 by danno@chromium.org, Mar 31 2014
Cc: jochen@chromium.org
Owner: dslomov@chromium.org
Status: Assigned
Project Member Comment 5 by ClusterFuzz, Mar 31 2014
Labels: Security_Impact-Stable Security_Impact-Beta
Fix under review https://codereview.chromium.org/219473002
Labels: -M-34 M-35 Arch-ARM
This bug only affects M35, not M34. The problem is limited to ARM.
Project Member Comment 8 by ClusterFuzz, Mar 31 2014
Labels: ReleaseBlock-Stable
Status: Fixed
Project Member Comment 11 by bugdroid1@chromium.org, Mar 31 2014
Labels: Merge-TBD
Is there a merge required here?
Labels: -Merge-TBD Merge-Requested
Project Member Comment 13 by ClusterFuzz, Mar 31 2014
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 14 by kareng@google.com, Apr 1 2014
Approved once it's on trunk.
Comment 15 by kareng@google.com, Apr 1 2014
Labels: -Merge-Requested Merge-Approved
Labels: -Merge-Approved Merge-Merged
version: 3.25.28.4
branch: branches/3.25
svn revision: 20466
patches: r20410, r20363, r20370

Labels: Release-0-M35
Labels: CVE-2014-3152
Project Member Comment 19 by ClusterFuzz, Jul 7 2014
Labels: -Restrict-View-SecurityNotify
Bulk update: removing view restriction from closed bugs.
Project Member Comment 20 by ClusterFuzz, May 27 2015
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5818005376729088

Fuzzer: Mbarbella_js_mutation
Job Type: Linux_asan_d8_v8_arm

Crash Type: UNKNOWN
Crash Address: 0x00000011
Crash State:
  v8::internal::Simulator::DecodeType3
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::Execute
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_v8_arm&range=331235:331244

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9451i3YOHRwXXuSJD9CJIYXXZwnFkFryX3mTG3keUUl26wZeBYGBOqhTtCx_gAEFj54IBuGN-Z971VcELR9qVh-qm35GTNHJyP6wcEUOI-XgLYbY7qEM6a7Th-saV0jOuVkkxhwyMxtoNw6V8lUXxpBk8-Jhg
%OptimizeFunctionOnNextCall(print);
function __f_3() {
    __v_1[__v_7].__f_4 = __v_6.foo;
}
try {
__f_3();
} catch(e) { print("Caught: " + e); }
__v_6 = [ 3];
for (x in __v_6) {
  try {
    throw "ex1";
  } catch(er1) {
  } finally {
  }
}


Filer: manoranjanr
Status: Assigned
Seems like we are seeing this issue again?

Thank you!
Cc: manoranj...@chromium.org
Status: Fixed
It seems very unlikely that the report from c#20 is related to this issue. To avoid confusing any fix for this issue with this patched security bug, please file a new report.
Project Member Comment 23 by ClusterFuzz, May 28 2015
ClusterFuzz has detected this issue as fixed in range 331444:331661.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5818005376729088

Fuzzer: Mbarbella_js_mutation
Job Type: Linux_asan_d8_v8_arm

Crash Type: UNKNOWN
Crash Address: 0x00000011
Crash State:
  v8::internal::Simulator::DecodeType3
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::Execute
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_v8_arm&range=331235:331244
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_v8_arm&range=331444:331661

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9451i3YOHRwXXuSJD9CJIYXXZwnFkFryX3mTG3keUUl26wZeBYGBOqhTtCx_gAEFj54IBuGN-Z971VcELR9qVh-qm35GTNHJyP6wcEUOI-XgLYbY7qEM6a7Th-saV0jOuVkkxhwyMxtoNw6V8lUXxpBk8-Jhg
%OptimizeFunctionOnNextCall(print);
function __f_3() {
    __v_1[__v_7].__f_4 = __v_6.foo;
}
try {
__f_3();
} catch(e) { print("Caught: " + e); }
__v_6 = [ 3];
for (x in __v_6) {
  try {
    throw "ex1";
  } catch(er1) {
  } finally {
  }
}

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member Comment 24 by ClusterFuzz, Feb 2 2016
Labels: -Security_Impact-Beta
Project Member Comment 25 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 26 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic