ASAN failure on ignition.
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5762275373219840

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x0001bfff8000
Crash State:
  v8::internal::Context::native_context
  v8::internal::Map::TransitionElementsTo
  v8::internal::JSObject::GetElementsTransitionMap

Recommended Security Severity: Medium

Minimized Testcase (0.36 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96JKllWiAcu6Y7SOLT7gHkvZWuTFBbRKXKtkb5H6sZx6Yc1ss67dnC4W_IthOMZHx2DSGeBU_h4xx6rHfW-BFDhuGd5jAtR4ZOoiQfsf0F8bp5HzOvg5tbhohMnKY29WCRPLkNChhySCHTNGYIpu3Bemyv7dw

    // Array literal built through eval starts out with SMI elements.
    function __f_7() { return " [0, 0, 0];" }
    function __f_6() { return eval(__f_7()); }
    function __f_10() { var __v_1 = __f_6(); return __v_1; }
    // Storing 1.5 transitions the array to double elements.
    function __f_3() { var __v_2 = __f_10(); __v_2[0] = 1.5; return __v_2; }
    function __f_2(array, value) { array[1] = value; }
    // Called with a single argument, so array[1] = undefined: this forces the
    // double-to-object elements transition where the crash occurs.
    function __f_9() { __f_2(1.5); var __v_4 = __f_3(); __f_2(__v_4); }
    __f_9()
Mar 24 2016
Mar 24 2016
Reproduces as follows ...

    $ git checkout 8b218d6464cf8c5eb63c23112f4d15933feba8c7
    $ make -j1000 ia32.debug
    $ out/ia32.debug/d8 --random-seed=1051011469 --enable-slow-asserts --invoke-weak-callbacks --omit-quit --ignition --no-inline-new ~/Downloads/fuzz-00028.js
Mar 31 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/e6b6e5545386985f1d0bec875307e5df52062d71

commit e6b6e5545386985f1d0bec875307e5df52062d71
Author: mythria <mythria@chromium.org>
Date: Thu Mar 31 13:44:44 2016

[Interpreter] Changes GenerateDoubleToObject to push and pop rsi value.

In the earlier implementation of GenerateDoubleToObject the context is loaded from the parent's frame. rsi is clobbered because it is used to store the kHoleNan constant. It is not always safe to peek at the parent's frame. Bytecode handlers have a TypedFrame and the type of frame is stored at FP + 1. GenerateDoubleToObject expects the context to be stored at that place. In the current implementation rsi is pushed onto the stack and is popped when exiting this function.

BUG=v8:4280, chromium:597565
LOG=N

Review URL: https://codereview.chromium.org/1848473002

Cr-Commit-Position: refs/heads/master@{#35163}

[modify] https://crrev.com/e6b6e5545386985f1d0bec875307e5df52062d71/src/ia32/codegen-ia32.cc
[modify] https://crrev.com/e6b6e5545386985f1d0bec875307e5df52062d71/src/x64/codegen-x64.cc
[add] https://crrev.com/e6b6e5545386985f1d0bec875307e5df52062d71/test/mjsunit/ignition/regress-597565-double-to-object-transition.js
Mar 31 2016
ClusterFuzz has detected this issue as fixed in range 35162:35163.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5762275373219840

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x0001bfff8000
Crash State:
  v8::internal::Context::native_context
  v8::internal::Map::TransitionElementsTo
  v8::internal::JSObject::GetElementsTransitionMap

Recommended Security Severity: Medium
Fixed: V8: r35162:35163

Minimized Testcase (0.36 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96JKllWiAcu6Y7SOLT7gHkvZWuTFBbRKXKtkb5H6sZx6Yc1ss67dnC4W_IthOMZHx2DSGeBU_h4xx6rHfW-BFDhuGd5jAtR4ZOoiQfsf0F8bp5HzOvg5tbhohMnKY29WCRPLkNChhySCHTNGYIpu3Bemyv7dw

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 1 2016
Comment 1 by ClusterFuzz, Mar 24 2016