Crash in v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5403499919048704

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x7fff7ea00030
Crash State:
  v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer
  v8::internal::InnerPointerToCodeCache::GetCacheEntry
  v8::internal::StackFrame::ComputeType

Regressed: V8: r34731:34732

Minimized Testcase (6.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96jKhOUIwG2x-H_GpJD9SJccZ--XQxptO0q_s7KiG1_2e35NghPHPjAgofvCv7ve9a2fo8kPAH-Xp9Z8fP1vnvAMgBi9kSAW-1D9dEj3pjTQ089h2LYHuHWYT4WbVV6kEdKWPX62GKIcLOoNTXl4PiqiVqr8w

Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 17 2016

Mar 17 2016
Fairly certain this is not due to anything specific about the toString change; if the blamelist is correct, it's because that patch slightly changed heap layout. Meanwhile, I'm having trouble actually running this reproduction: the fuzzer_with_launcher_script.zip claims to not be a valid zipfile.
Mar 17 2016
ClusterFuzz has detected this issue as fixed in range 34867:34868.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5403499919048704

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x7fff7ea00030
Crash State:
  v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer
  v8::internal::InnerPointerToCodeCache::GetCacheEntry
  v8::internal::StackFrame::ComputeType

Regressed: V8: r34731:34732
Fixed: V8: r34867:34868

Minimized Testcase (6.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96jKhOUIwG2x-H_GpJD9SJccZ--XQxptO0q_s7KiG1_2e35NghPHPjAgofvCv7ve9a2fo8kPAH-Xp9Z8fP1vnvAMgBi9kSAW-1D9dEj3pjTQ089h2LYHuHWYT4WbVV6kEdKWPX62GKIcLOoNTXl4PiqiVqr8w

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 17 2016
Closing per #4
Mar 18 2016
Adding Merge-Triage label for tracking purposes. Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label. When your merge is approved by the release manager, please start merging with the higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. - Your friendly ClusterFuzz
Mar 30 2016
This was introduced only to ToT so no merge needed. Am I missing something?
May 24 2016
#7: No, you're not missing anything. If there's no "Security_Impact" label, we assume that the impact is more significant than ToT (defence in depth!). Added the label and the milestone, so this should be good to go.
Jun 24 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 30 2016
Congrats - $3,500 for this report. We'll add this to next week's payment run.
Jul 1 2016

Jul 1 2016
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Comment 1 by hablich@chromium.org, Mar 17 2016
Status: Assigned (was: Available)