Crash in v8::internal::AsmTyper::VisitHeapAccess
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6659383431266304

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x00000004
Crash State:
  v8::internal::AsmTyper::VisitHeapAccess
  v8::internal::AsmTyper::VisitProperty
  v8::internal::Property::Accept

Regressed: V8: r34586:34587

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94RMlN6XxQG9wc0B1Hx-BSyR5KoFkCFCUKnOQwG2TE9QlTTVbLIC44coeh7wgWIDy_7xgt_8qckasw8jwnB-H5I7a9gMkoqz2_zTwB9rnTjBHZ4c26_OlclQh9E_tscrjZUjpCiWNar8PJKBoU4GquEY6-OcQ

  function __f_60(stdlib, buffer) {
    "use asm";
    var __v_28 = new stdlib.Float64Array(buffer);
    function __f_73() {
      var __v_50 = 8;
      __v_50 = +__v_28[__v_50 >> __v_80] == 9.0;  // __v_80 is never declared in the module
    }
  }
  Wasm.instantiateModuleFromAsm( __f_60.toString());

Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 11 2016

Mar 11 2016

Mar 18 2016
Remove legacy label cr-blink-javascript.
Mar 21 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6665827348119552

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000008
Crash State:
  v8::internal::AsmTyper::VisitHeapAccess
  v8::internal::AsmTyper::VisitProperty
  v8::internal::AsmTyper::VisitWithExpectation

Regressed: V8: r34586:34587

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96ILj8HcdkkpZqBfMuL1bCP-V8tfYBR3YtNH0tepUtxrRJec8l-NXKEY_bjQIAWOKbwDqBKCOoz26Fw6TFVBG-afy4kOtECjvBEkCJjwOE-mbfIsT_Fcbpe_EvlW9BKomz-RpvgTyHjt1DcDQWsCC_UQixfVg

  function __f_72(stdlib, buffer) {
    "use asm";
    var __v_39 = new stdlib.Float64Array(buffer);
    function __f_86() {
      var __v_61 = 8;
      __v_61 = +__v_39[__v_61 >> __v_38] == 9.0;  // __v_38 is never declared in the module
    }
  }
  var module = Wasm.instantiateModuleFromAsm( __f_72.toString());
  ( { })();

Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
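Both asm.js testcases on this issue (the issue description and the report above) index a Float64Array heap view with a shift whose right operand (`__v_80`, `__v_38`) is declared nowhere in the module. The block below is an added example, not code from V8, ClusterFuzz or this issue: a small JavaScript check over asm.js source text that resolves every identifier in a `view[idx >> shift]` access to a declaration in scope and compares the shift against the view's element size, which is the validation a typer has to finish before it can assign the access a type. The regex-based scanner, the `LOG2_ELEMENT_SIZE` table and the `WELL_FORMED_TESTCASE` variant are this example's own simplifications, not the asm.js grammar.

```javascript
// Added example (not V8 code): a static check over asm.js module source
// for heap accesses of the form view[idx >> shift]. It reports index or
// shift operands that are not bound anywhere in the module and shifts that
// do not match the heap view's element size. Simplified: regexes instead
// of a parser, and only the "var NAME = new stdlib.TYPE(buffer)" view form.

// asm.js requires view[idx >> log2(elementSize)] for typed-array heap views.
const LOG2_ELEMENT_SIZE = {
  Int8Array: 0, Uint8Array: 0,
  Int16Array: 1, Uint16Array: 1,
  Int32Array: 2, Uint32Array: 2, Float32Array: 2,
  Float64Array: 3,
};

// Returns a list of human-readable problems; an empty list means every
// heap access in src is well-formed under the rules checked here.
function checkAsmHeapAccesses(src) {
  const problems = [];

  // Heap views: "var NAME = new stdlib.TYPE(buffer)".
  const views = new Map();
  for (const m of src.matchAll(/var\s+(\w+)\s*=\s*new\s+stdlib\.(\w+)\s*\(\s*buffer\s*\)/g)) {
    views.set(m[1], m[2]);
  }

  // Names in scope: function names, their parameters, and var declarations.
  const declared = new Set();
  for (const m of src.matchAll(/function\s+(\w+)\s*\(([^)]*)\)/g)) {
    declared.add(m[1]);
    for (const p of m[2].split(',')) {
      const name = p.trim();
      if (name) declared.add(name);
    }
  }
  for (const m of src.matchAll(/var\s+(\w+)/g)) declared.add(m[1]);

  // Heap accesses: "VIEW[IDX >> SHIFT]" where VIEW is a known heap view.
  for (const m of src.matchAll(/(\w+)\s*\[\s*(\w+)\s*>>\s*(\w+)\s*\]/g)) {
    const [text, view, idx, shift] = m;
    if (!views.has(view)) continue;  // ordinary array, not a heap view
    if (!/^\d+$/.test(idx) && !declared.has(idx)) {
      problems.push(`undeclared index ${idx} in ${text}`);
    }
    if (/^\d+$/.test(shift)) {
      const want = LOG2_ELEMENT_SIZE[views.get(view)];
      if (Number(shift) !== want) {
        problems.push(`shift ${shift} in ${text} must be ${want} for ${views.get(view)}`);
      }
    } else if (declared.has(shift)) {
      problems.push(`shift in ${text} must be a literal, not the variable ${shift}`);
    } else {
      // The shape of both minimized testcases on this issue: the shift
      // operand has no binding at all, so there is nothing to type.
      problems.push(`undeclared shift operand ${shift} in ${text}`);
    }
  }
  return problems;
}

// Minimized testcase from the issue description, copied verbatim.
const CRASHING_TESTCASE = `
function __f_60(stdlib, buffer) {
  "use asm";
  var __v_28 = new stdlib.Float64Array(buffer);
  function __f_73() {
    var __v_50 = 8;
    __v_50 = +__v_28[__v_50 >> __v_80] == 9.0;
  }
}`;

// Constructed for this example: the same access with the literal shift
// asm.js requires for a Float64Array view (8-byte elements, so >> 3).
const WELL_FORMED_TESTCASE = CRASHING_TESTCASE.replace('>> __v_80', '>> 3');

console.log(checkAsmHeapAccesses(CRASHING_TESTCASE));
console.log(checkAsmHeapAccesses(WELL_FORMED_TESTCASE));
```

Run with `node`: the crashing testcase yields a single finding naming `__v_80` as an undeclared shift operand, and the `>> 3` variant yields none. The point of the check is ordering: identifier resolution happens before anything derives a type from the operand, so an unbound name is rejected as a validation error instead of being walked into.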
Mar 21 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5435454844829696

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000014
Crash State:
  v8::InstantiateModuleFromAsm
  v8::internal::FunctionCallbackArguments::Call
  v8::internal::MaybeHandle<v8::internal::Object> v8::internal::HandleApiCallHelpe

Regressed: V8: r34586:34587

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94kH1naSrEDHFALaAAatm_m2pqhl-YEqpbPqKEs-cSCXTzji7awpdjCNXXtQ70Ad4VVgMHgGIJxc_Lub1O_jsHnJ3wBZPM_scsiaGMq3AyiU-oIDRhxyfLWyQ1HJAUNjWrIftMIPhAWTmWM_x4N4-ELCPv6zQ

  var __v_6 = "for (var __v_5 = 0; __v_5 < 10; __v_5++) { if (__v_5 == 5) nop(); }";
  var module = Wasm.instantiateModuleFromAsm(__v_6);
  ( { })();

Additional requirements: Requires Gestures

Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 5 2016
ClusterFuzz has detected this issue as fixed in range 35272:35273.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6665827348119552

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000008
Crash State:
  v8::internal::AsmTyper::VisitHeapAccess
  v8::internal::AsmTyper::VisitProperty
  v8::internal::AsmTyper::VisitWithExpectation

Regressed: V8: r34586:34587
Fixed: V8: r35272:35273

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96ILj8HcdkkpZqBfMuL1bCP-V8tfYBR3YtNH0tepUtxrRJec8l-NXKEY_bjQIAWOKbwDqBKCOoz26Fw6TFVBG-afy4kOtECjvBEkCJjwOE-mbfIsT_Fcbpe_EvlW9BKomz-RpvgTyHjt1DcDQWsCC_UQixfVg

  function __f_72(stdlib, buffer) {
    "use asm";
    var __v_39 = new stdlib.Float64Array(buffer);
    function __f_86() {
      var __v_61 = 8;
      __v_61 = +__v_39[__v_61 >> __v_38] == 9.0;  // __v_38 is never declared in the module
    }
  }
  var module = Wasm.instantiateModuleFromAsm( __f_72.toString());
  ( { })();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 6 2016
ClusterFuzz has detected this issue as fixed in range 35272:35273.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6659383431266304

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x00000004
Crash State:
  v8::internal::AsmTyper::VisitHeapAccess
  v8::internal::AsmTyper::VisitProperty
  v8::internal::Property::Accept

Regressed: V8: r34586:34587
Fixed: V8: r35272:35273

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94RMlN6XxQG9wc0B1Hx-BSyR5KoFkCFCUKnOQwG2TE9QlTTVbLIC44coeh7wgWIDy_7xgt_8qckasw8jwnB-H5I7a9gMkoqz2_zTwB9rnTjBHZ4c26_OlclQh9E_tscrjZUjpCiWNar8PJKBoU4GquEY6-OcQ

  function __f_60(stdlib, buffer) {
    "use asm";
    var __v_28 = new stdlib.Float64Array(buffer);
    function __f_73() {
      var __v_50 = 8;
      __v_50 = +__v_28[__v_50 >> __v_80] == 9.0;  // __v_80 is never declared in the module
    }
  }
  Wasm.instantiateModuleFromAsm( __f_60.toString());

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 6 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nyerramilli@chromium.org, Mar 11 2016
Labels: findit-wrong Te-Logged