Issue 594027

Issue metadata

Status: Duplicate
Merged: issue 599825
Owner:
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Crash in v8::internal::AsmTyper::VisitHeapAccess

Project Member Reported by ClusterFuzz, Mar 11 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6659383431266304

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x00000004
Crash State:
  v8::internal::AsmTyper::VisitHeapAccess
  v8::internal::AsmTyper::VisitProperty
  v8::internal::Property::Accept
  
Regressed: V8: r34586:34587

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94RMlN6XxQG9wc0B1Hx-BSyR5KoFkCFCUKnOQwG2TE9QlTTVbLIC44coeh7wgWIDy_7xgt_8qckasw8jwnB-H5I7a9gMkoqz2_zTwB9rnTjBHZ4c26_OlclQh9E_tscrjZUjpCiWNar8PJKBoU4GquEY6-OcQ
function __f_60(stdlib, buffer) {
  "use asm";
  var __v_28 = new stdlib.Float64Array(buffer);
  function __f_73() {
    var __v_50 = 8;
    __v_50 = +__v_28[__v_50 >> __v_80] == 9.0;
  }
}
 Wasm.instantiateModuleFromAsm( __f_60.toString());


Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: nyerramilli@chromium.org hablich@chromium.org
Labels: findit-wrong Te-Logged
Find it:
Unable to determine culprit CLs without crash revision and regression information

Suspected Component: chromium
Labels: Needs-triage
Labels: -Needs-triage
Owner: titzer@chromium.org
Status: Assigned (was: Available)
Components: Blink>JavaScript
Labels: -cr-blink-javascript
Remove legacy label cr-blink-javascript.
Project Member

Comment 5 by ClusterFuzz, Mar 21 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6665827348119552

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000008
Crash State:
  v8::internal::AsmTyper::VisitHeapAccess
  v8::internal::AsmTyper::VisitProperty
  v8::internal::AsmTyper::VisitWithExpectation
  
Regressed: V8: r34586:34587

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96ILj8HcdkkpZqBfMuL1bCP-V8tfYBR3YtNH0tepUtxrRJec8l-NXKEY_bjQIAWOKbwDqBKCOoz26Fw6TFVBG-afy4kOtECjvBEkCJjwOE-mbfIsT_Fcbpe_EvlW9BKomz-RpvgTyHjt1DcDQWsCC_UQixfVg
function __f_72(stdlib, buffer) {
  "use asm";
  var __v_39 = new stdlib.Float64Array(buffer);
  function __f_86() {
    var __v_61 = 8;
    __v_61 = +__v_39[__v_61 >> __v_38] == 9.0;
  }
}
  var module = Wasm.instantiateModuleFromAsm( __f_72.toString());
( {
})();


Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 6 by ClusterFuzz, Mar 21 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5435454844829696

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000014
Crash State:
  v8::InstantiateModuleFromAsm
  v8::internal::FunctionCallbackArguments::Call
  v8::internal::MaybeHandle<v8::internal::Object> v8::internal::HandleApiCallHelpe
  
Regressed: V8: r34586:34587

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94kH1naSrEDHFALaAAatm_m2pqhl-YEqpbPqKEs-cSCXTzji7awpdjCNXXtQ70Ad4VVgMHgGIJxc_Lub1O_jsHnJ3wBZPM_scsiaGMq3AyiU-oIDRhxyfLWyQ1HJAUNjWrIftMIPhAWTmWM_x4N4-ELCPv6zQ
  var __v_6 = "for (var __v_5 = 0; __v_5 < 10; __v_5++) { if (__v_5 == 5) nop(); }";
    var module = Wasm.instantiateModuleFromAsm(__v_6);
( {
})();


Additional requirements: Requires Gestures

Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 7 by ClusterFuzz, Apr 5 2016

ClusterFuzz has detected this issue as fixed in range 35272:35273.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6665827348119552

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000008
Crash State:
  v8::internal::AsmTyper::VisitHeapAccess
  v8::internal::AsmTyper::VisitProperty
  v8::internal::AsmTyper::VisitWithExpectation
  
Regressed: V8: r34586:34587
Fixed: V8: r35272:35273

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96ILj8HcdkkpZqBfMuL1bCP-V8tfYBR3YtNH0tepUtxrRJec8l-NXKEY_bjQIAWOKbwDqBKCOoz26Fw6TFVBG-afy4kOtECjvBEkCJjwOE-mbfIsT_Fcbpe_EvlW9BKomz-RpvgTyHjt1DcDQWsCC_UQixfVg
function __f_72(stdlib, buffer) {
  "use asm";
  var __v_39 = new stdlib.Float64Array(buffer);
  function __f_86() {
    var __v_61 = 8;
    __v_61 = +__v_39[__v_61 >> __v_38] == 9.0;
  }
}
  var module = Wasm.instantiateModuleFromAsm( __f_72.toString());
( {
})();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by ClusterFuzz, Apr 6 2016

ClusterFuzz has detected this issue as fixed in range 35272:35273.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6659383431266304

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x00000004
Crash State:
  v8::internal::AsmTyper::VisitHeapAccess
  v8::internal::AsmTyper::VisitProperty
  v8::internal::Property::Accept
  
Regressed: V8: r34586:34587
Fixed: V8: r35272:35273

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94RMlN6XxQG9wc0B1Hx-BSyR5KoFkCFCUKnOQwG2TE9QlTTVbLIC44coeh7wgWIDy_7xgt_8qckasw8jwnB-H5I7a9gMkoqz2_zTwB9rnTjBHZ4c26_OlclQh9E_tscrjZUjpCiWNar8PJKBoU4GquEY6-OcQ
function __f_60(stdlib, buffer) {
  "use asm";
  var __v_28 = new stdlib.Float64Array(buffer);
  function __f_73() {
    var __v_50 = 8;
    __v_50 = +__v_28[__v_50 >> __v_80] == 9.0;
  }
}
 Wasm.instantiateModuleFromAsm( __f_60.toString());


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mergedinto: 599825
Status: Duplicate (was: Assigned)
Project Member

Comment 10 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot