Crash in v8::internal::AstNode::position |
||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6424520056897536 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_chrome_v8_d8 Platform Id: linux Crash Type: UNKNOWN Crash Address: 0x000000000008 Crash State: v8::internal::AstNode::position v8::internal::AsmTyper::VisitHeapAccess v8::internal::AsmTyper::VisitProperty Minimized Testcase (0.26 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv979bgS1IS9SJkY9S9-UYqg2e5b6ESe8BEp0pONFOBsvhT0hf8BjjrsvQ-TYKoKtZmnRZhuV37CMtHZb84vOi4LbEismep0Y6kvrRhOshsj7YzeEBjdnWy3IzUUPXYFPgoi3A7v5XEcAaDp223ZJh492yRydBg function __f_60(stdlib, buffer) { "use asm"; var __v_28 = new stdlib.Float64Array(buffer); function __f_73() { var __v_50 = 8; __v_50 = +__v_28[__v_50 >> __v_13] == 9.0; } } var module = _WASMEXP_.instantiateModuleFromAsm( __f_60.toString()); ( { })(); Filer: machenbach See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 9 2016
ClusterFuzz has detected this issue as fixed in range 34577:34596. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6424520056897536 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_chrome_v8_d8 Platform Id: linux Crash Type: UNKNOWN Crash Address: 0x000000000008 Crash State: v8::internal::AstNode::position v8::internal::AsmTyper::VisitHeapAccess v8::internal::AsmTyper::VisitProperty Fixed: V8: r34577:34596 Minimized Testcase (0.26 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv979bgS1IS9SJkY9S9-UYqg2e5b6ESe8BEp0pONFOBsvhT0hf8BjjrsvQ-TYKoKtZmnRZhuV37CMtHZb84vOi4LbEismep0Y6kvrRhOshsj7YzeEBjdnWy3IzUUPXYFPgoi3A7v5XEcAaDp223ZJh492yRydBg function __f_60(stdlib, buffer) { "use asm"; var __v_28 = new stdlib.Float64Array(buffer); function __f_73() { var __v_50 = 8; __v_50 = +__v_28[__v_50 >> __v_13] == 9.0; } } var module = _WASMEXP_.instantiateModuleFromAsm( __f_60.toString()); ( { })(); See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 15 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5676294917849088 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_d8 Platform Id: linux Crash Type: UNKNOWN Crash Address: 0x000000000008 Crash State: v8::internal::AstNode::position v8::internal::AsmTyper::VisitHeapAccess v8::internal::AsmTyper::VisitProperty Regressed: V8: r34586:34587 Minimized Testcase (0.30 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96oo5AdUsu5_b9kPlAT--TljpG0wbAZU-5WBr8epSHA_VfDXDBKx29Z_2lbv8veoVcZiTl1b06NI5ws2ntbmd0THmcQuauAmEG0feRDMC1LuooPHHHsRq-VILw9QFSzXK0iT9VR8uUJ2aClcdSEan-nkORAJw function __f_60(stdlib, buffer) { "use asm"; var __v_28 = new stdlib.Float64Array(buffer); function __f_73() { var __v_53 = 8; __v_28[__v_53 >> 0] = +__v_28[__v_53 >> __v_65] + 1.0; } } var module = Wasm.instantiateModuleFromAsm( __f_60.toString()); ( { })(); (function __f_6() { })(); Filer: pucchakayala See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 18 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4876599907844096 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_d8 Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000008 Crash State: v8::internal::AstNode::position v8::internal::AsmTyper::VisitHeapAccess v8::internal::AsmTyper::VisitProperty Regressed: V8: r34586:34587 Minimized Testcase (0.28 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94i-PJyiq2kHKzEYxCDdQWeoTm0D5v7WdnGrnEtA7Nc9lSrEEoRTaV3nLFZjAIW0KgzL3RiAS35Je6OE5LeOXiy8KCkclquTZ8tyiju_5yjvXNnFE964z7KxRTAPfFQVjrV1xYvGOTj4v8RqMVnEyAN2q_qZQ function __f_99(stdlib, buffer) { "use asm"; var __v_57 = new stdlib.Int32Array(buffer); function __f_78() { var __v_53 = 4; __v_57[__v_53 >> (-__v_37)]|-1073741824 + 7 | 9; } } var module = Wasm.instantiateModuleFromAsm( __f_99.toString()); function __f_78() { } Filer: hablich See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Mar 18 2016
Remove legacy label cr-blink-javascript.
,
Apr 5 2016
ClusterFuzz has detected this issue as fixed in range 35272:35273. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5676294917849088 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_d8 Platform Id: linux Crash Type: UNKNOWN Crash Address: 0x000000000008 Crash State: v8::internal::AstNode::position v8::internal::AsmTyper::VisitHeapAccess v8::internal::AsmTyper::VisitProperty Regressed: V8: r34586:34587 Fixed: V8: r35272:35273 Minimized Testcase (0.30 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96oo5AdUsu5_b9kPlAT--TljpG0wbAZU-5WBr8epSHA_VfDXDBKx29Z_2lbv8veoVcZiTl1b06NI5ws2ntbmd0THmcQuauAmEG0feRDMC1LuooPHHHsRq-VILw9QFSzXK0iT9VR8uUJ2aClcdSEan-nkORAJw function __f_60(stdlib, buffer) { "use asm"; var __v_28 = new stdlib.Float64Array(buffer); function __f_73() { var __v_53 = 8; __v_28[__v_53 >> 0] = +__v_28[__v_53 >> __v_65] + 1.0; } } var module = Wasm.instantiateModuleFromAsm( __f_60.toString()); ( { })(); (function __f_6() { })(); See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 5 2016
ClusterFuzz has detected this issue as fixed in range 35272:35273. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4876599907844096 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_d8 Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000008 Crash State: v8::internal::AstNode::position v8::internal::AsmTyper::VisitHeapAccess v8::internal::AsmTyper::VisitProperty Regressed: V8: r34586:34587 Fixed: V8: r35272:35273 Minimized Testcase (0.28 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94i-PJyiq2kHKzEYxCDdQWeoTm0D5v7WdnGrnEtA7Nc9lSrEEoRTaV3nLFZjAIW0KgzL3RiAS35Je6OE5LeOXiy8KCkclquTZ8tyiju_5yjvXNnFE964z7KxRTAPfFQVjrV1xYvGOTj4v8RqMVnEyAN2q_qZQ function __f_99(stdlib, buffer) { "use asm"; var __v_57 = new stdlib.Int32Array(buffer); function __f_78() { var __v_53 = 4; __v_57[__v_53 >> (-__v_37)]|-1073741824 + 7 | 9; } } var module = Wasm.instantiateModuleFromAsm( __f_99.toString()); function __f_78() { } See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 6 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||
►
Sign in to add a comment |
||||
Comment 1 by ishell@chromium.org
, Mar 7 2016Status: Assigned (was: Available)