entry->to() + 1 > current.from() in src/regexp/jsregexp.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6272139516182528

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: entry->to() + 1 > current.from() in src/regexp/jsregexp.cc
Regressed: V8: r33926:33927

Minimized Testcase (0.23 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94-fm1FSCoXkRmrLJt9O3ZOS5SzZhYvFpV6oVmn1I36XXJeeZN4T6eWLPsJTBCyGeZgd65sBtwvfyPqACDj-TsBpnOdM39nVL3uMLhntAgQj-Kj1APRvMugX9RBYgHLBsoiEGdcNYWUQUdYFReCEUjuEBv-mw

function __f_6(expectation, regexp, subject) { regexp.exec(subject); }
function __f_7(expectation, regexp_source, subject) { __f_6(expectation, new RegExp(regexp_source, "u"), subject); }
__f_7(null, "[^\u{1}-\u{65535}]", "\u{12358}");

Filer: machenbach

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 7 2016
This is an off-by-one error in CharacterRange::Negate. Fix incoming. This will need to be merged to M50.
Mar 7 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/f9d7c711afe0389e9c6c48f6653312017109cb6f

commit f9d7c711afe0389e9c6c48f6653312017109cb6f
Author: yangguo <yangguo@chromium.org>
Date: Mon Mar 07 10:58:46 2016

[regexp] Fix off-by-one in CharacterRange::Negate.

Character ranges starting at 1 are not correctly negated.

R=jkummerow@chromium.org
BUG=chromium:592343
LOG=Y

Review URL: https://codereview.chromium.org/1768093002

Cr-Commit-Position: refs/heads/master@{#34528}

[modify] https://crrev.com/f9d7c711afe0389e9c6c48f6653312017109cb6f/src/regexp/jsregexp.cc
[modify] https://crrev.com/f9d7c711afe0389e9c6c48f6653312017109cb6f/src/regexp/jsregexp.h
[modify] https://crrev.com/f9d7c711afe0389e9c6c48f6653312017109cb6f/src/regexp/regexp-ast.h
[add] https://crrev.com/f9d7c711afe0389e9c6c48f6653312017109cb6f/test/mjsunit/regress/regress-crbug-592343.js
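To make the bug class concrete: the comment above and the commit message describe an off-by-one in negating a canonical list of character ranges. The following is an added C++ illustration, not V8's source; `negateRanges` is a correct complement over the code-point space, `isCanonical` is the invariant a CHECK like the one in the crash state guards, and `negateRangesOffByOne` is a hypothetical model of how a lower-bound off-by-one turns the class `[^\u{1}-\u{65535}]` from the testcase into an inverted range that such a check rejects.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Inclusive code-point interval, as in a canonical character class list.
struct CharRange {
    uint32_t from;
    uint32_t to;
};

static const uint32_t kMaxCodePoint = 0x10FFFF;

// Canonical form: each range well-formed (from <= to), sorted, and separated
// from its neighbour by at least one code point. An inverted range such as
// {1, 0} violates this, which is the kind of state a debug CHECK catches.
bool isCanonical(const std::vector<CharRange>& ranges) {
    for (size_t i = 0; i < ranges.size(); ++i) {
        if (ranges[i].from > ranges[i].to) return false;
        if (i > 0 && ranges[i - 1].to + 1 >= ranges[i].from) return false;
    }
    return true;
}

// Correct complement: `from` is always the first code point not yet covered,
// so a gap is emitted only when the next range starts strictly above it.
std::vector<CharRange> negateRanges(const std::vector<CharRange>& ranges) {
    std::vector<CharRange> out;
    uint32_t from = 0;
    for (const CharRange& r : ranges) {
        if (r.from > from) out.push_back({from, r.from - 1});
        from = r.to + 1;
    }
    if (from <= kMaxCodePoint) out.push_back({from, kMaxCodePoint});
    return out;
}

// Hypothetical off-by-one (a model of the failure mode, not V8's code):
// `last` holds the last covered code point and starts at 0, conflating
// "nothing covered yet" with "code point 0 covered". Any class not starting
// at 0 then loses code point 0, and a class starting at 1 additionally
// yields the inverted gap {1, 0}, which fails the canonical-form check.
std::vector<CharRange> negateRangesOffByOne(const std::vector<CharRange>& ranges) {
    std::vector<CharRange> out;
    uint32_t last = 0;
    size_t i = 0;
    if (!ranges.empty() && ranges[0].from == 0) { last = ranges[0].to; i = 1; }
    for (; i < ranges.size(); ++i) {
        out.push_back({last + 1, ranges[i].from - 1});  // {1, 0} when from == 1
        last = ranges[i].to;
    }
    if (last < kMaxCodePoint) out.push_back({last + 1, kMaxCodePoint});
    return out;
}
```

Negating the testcase's range [1, 65535] correctly must yield [0, 0] and [65536, 0x10FFFF]; running the complement through `isCanonical` before it is inserted into any range list is the cheap invariant check that turns this class of bug into a clean failure instead of corrupted state.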
Mar 7 2016

Mar 7 2016
Both https://codereview.chromium.org/1768093002 and the follow-up compile fix https://codereview.chromium.org/1773573002, i.e. 2947b2fa6fcebb349f66818b15b063a32ef71b05 and f9d7c711afe0389e9c6c48f6653312017109cb6f
Mar 7 2016

Mar 7 2016
ClusterFuzz has detected this issue as fixed in range 34527:34528.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6272139516182528

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: entry->to() + 1 > current.from() in src/regexp/jsregexp.cc
Regressed: V8: r33926:33927
Fixed: V8: r34527:34528

Minimized Testcase (0.23 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94-fm1FSCoXkRmrLJt9O3ZOS5SzZhYvFpV6oVmn1I36XXJeeZN4T6eWLPsJTBCyGeZgd65sBtwvfyPqACDj-TsBpnOdM39nVL3uMLhntAgQj-Kj1APRvMugX9RBYgHLBsoiEGdcNYWUQUdYFReCEUjuEBv-mw

function __f_6(expectation, regexp, subject) { regexp.exec(subject); }
function __f_7(expectation, regexp_source, subject) { __f_6(expectation, new RegExp(regexp_source, "u"), subject); }
__f_7(null, "[^\u{1}-\u{65535}]", "\u{12358}");

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 9 2016
Michael, when can I merge this to V8 5.0?
Mar 11 2016

Mar 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/c8a0cf00a399184ec1b51140a7a241fa4d2ad13a

commit c8a0cf00a399184ec1b51140a7a241fa4d2ad13a
Author: Yang Guo <yangguo@chromium.org>
Date: Mon Mar 14 10:07:33 2016

Version 5.0.71.17 (cherry-pick)

Merged f9d7c711afe0389e9c6c48f6653312017109cb6f
Merged 2947b2fa6fcebb349f66818b15b063a32ef71b05
Merged d1f68f776eafa62d4bd1cc3465d18c2e47473381

[regexp] Fix off-by-one in CharacterRange::Negate.
Fix compile error on arm.
[regexp] fix bogus assertion in CharacterRange constructor.

BUG=chromium:592343, chromium:593282
LOG=N
TBR=hablich@chromium.org

Review URL: https://codereview.chromium.org/1801573002

Cr-Commit-Position: refs/branch-heads/5.0@{#23}
Cr-Branched-From: ad16e6c2cbd2c6b0f2e8ff944ac245561c682ac2-refs/heads/5.0.71@{#1}
Cr-Branched-From: bd9df50d75125ee2ad37b3d92c8f50f0a8b5f030-refs/heads/master@{#34215}

[modify] https://crrev.com/c8a0cf00a399184ec1b51140a7a241fa4d2ad13a/include/v8-version.h
[modify] https://crrev.com/c8a0cf00a399184ec1b51140a7a241fa4d2ad13a/src/regexp/jsregexp.cc
[modify] https://crrev.com/c8a0cf00a399184ec1b51140a7a241fa4d2ad13a/src/regexp/jsregexp.h
[modify] https://crrev.com/c8a0cf00a399184ec1b51140a7a241fa4d2ad13a/src/regexp/regexp-ast.h
[modify] https://crrev.com/c8a0cf00a399184ec1b51140a7a241fa4d2ad13a/test/cctest/test-regexp.cc
[add] https://crrev.com/c8a0cf00a399184ec1b51140a7a241fa4d2ad13a/test/mjsunit/regress/regress-crbug-592343.js
[add] https://crrev.com/c8a0cf00a399184ec1b51140a7a241fa4d2ad13a/test/mjsunit/regress/regress-crbug-593282.js
Mar 18 2016
Remove legacy label cr-blink-javascript.
Mar 22 2016

Mar 22 2016

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by machenb...@chromium.org, Mar 7 2016: Owner: yangguo@chromium.org; Status: Assigned (was: Available)