Crash in v8::internal::AsmTyper::VisitHeapAccess |
|||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=4771259014971392 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_d8_v8_mipsel_dbg Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x00000004 Crash State: v8::internal::AsmTyper::VisitHeapAccess v8::internal::AsmTyper::VisitAssignment v8::internal::Assignment::Accept Regressed: V8: r34586:34587 Minimized Testcase (0.31 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97-D-N5iVbfPPVCIZa-3OD_klUOaAvHe51TYbEp1AOD6zQCSzLzwDP6aA40l5v5p5ezUpo9FP4J9ScFa8G433ffQbhmzNSUag0qMX3cJFVEstDWgCoYZxQ00pyj4f-H5t_O4EP_L95qUBtcOwU5v-TE2HJ-nw function __f_97(stdlib, buffer) { "use asm"; var __v_30 = new stdlib.Int32Array(buffer); function __f_74() { var __v_27 = 4; __v_30[__v_27 >> __v_2] = ((__v_30[-1073741825]|-10) + 2) | 0; } } var module = Wasm.instantiateModuleFromAsm( __f_97.toString()); function __f_61() { } (function __f_75() { })(); Filer: durga.behera See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 1 2016
,
Apr 5 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/77a8c2ea860027f551eaf6dd50a1dff6c0ed204f commit 77a8c2ea860027f551eaf6dd50a1dff6c0ed204f Author: titzer <titzer@chromium.org> Date: Tue Apr 05 17:23:08 2016 [asm.js] Fix typing bug for non-literals in heap access. R=bradnelson@chromium.org BUG= chromium:599825 LOG=Y Review URL: https://codereview.chromium.org/1858263002 Cr-Commit-Position: refs/heads/master@{#35273} [modify] https://crrev.com/77a8c2ea860027f551eaf6dd50a1dff6c0ed204f/src/typing-asm.cc [add] https://crrev.com/77a8c2ea860027f551eaf6dd50a1dff6c0ed204f/test/mjsunit/regress/regress-599825.js
,
Apr 6 2016
ClusterFuzz has detected this issue as fixed in range 35272:35273. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4771259014971392 Fuzzer: mbarbella_js_mutation Job Type: linux_asan_d8_v8_mipsel_dbg Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x00000004 Crash State: v8::internal::AsmTyper::VisitHeapAccess v8::internal::AsmTyper::VisitAssignment v8::internal::Assignment::Accept Regressed: V8: r34586:34587 Fixed: V8: r35272:35273 Minimized Testcase (0.31 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97-D-N5iVbfPPVCIZa-3OD_klUOaAvHe51TYbEp1AOD6zQCSzLzwDP6aA40l5v5p5ezUpo9FP4J9ScFa8G433ffQbhmzNSUag0qMX3cJFVEstDWgCoYZxQ00pyj4f-H5t_O4EP_L95qUBtcOwU5v-TE2HJ-nw function __f_97(stdlib, buffer) { "use asm"; var __v_30 = new stdlib.Int32Array(buffer); function __f_74() { var __v_27 = 4; __v_30[__v_27 >> __v_2] = ((__v_30[-1073741825]|-10) + 2) | 0; } } var module = Wasm.instantiateModuleFromAsm( __f_97.toString()); function __f_61() { } (function __f_75() { })(); See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 6 2016
Issue 594027 has been merged into this issue.
,
Jun 14 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by ishell@chromium.org
, Apr 1 2016Status: Assigned (was: Available)