
Issue 606276

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Crash in v8::internal::wasm::SR_WasmDecoder::CreateOrMergeIntoPhi

Reported by ClusterFuzz (Project Member), Apr 25 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4768812204818432

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000024
Crash State:
  v8::internal::wasm::SR_WasmDecoder::CreateOrMergeIntoPhi
  v8::internal::wasm::SR_WasmDecoder::MergeIntoProduction
  v8::internal::wasm::SR_WasmDecoder::Reduce
  
Regressed: V8: r34586:34587

Minimized Testcase (0.46 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97pNBvMCc6mEblxBVglPUDMeeCwRZjHlmYrcy-dbCF68s5W2QcRi-V4f_Pu4vzDOF1WWbdZuzoTirU9eBppRfPwA39uLESFkVTAOYXn3kLCSY3uqJwg2U8TcqHQ-4-9GK6eK5XLDYGh12EUrOdWP8cnxH9oFQ
function __f_55(expected, __f_70, __f_11) {
  // Hands the asm.js module source to V8's asm-to-wasm instantiation.
  Wasm.instantiateModuleFromAsm(__f_70.toString());
}
function __f_71() {
  "use asm";
  function __f_42(__v_25, __v_27) {
    __v_25 = +__v_25;
    __v_27 = +__v_27;
    return +(__v_25 + __v_27);
  }
  function __f_22() {
    var __v_25 = +__f_42(70.1,10.2);  // double
    var __v_14 = 0|0;                 // int
    if (__v_25 == 80.3) {
      __v_14 = 1|0;       // int assigned in the true branch
    } else {
      __v_14 = __v_25;    // double assigned in the false branch
    }
  }
  return {__f_22: __f_22};
}
__f_55(1, __f_71);


Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: titzer@chromium.org
Status: Assigned (was: Available)
Cc: -ishell@chromium.org -mstarzinger@chromium.org titzer@chromium.org
Owner: bradnelson@chromium.org
This looks like it should be a type error in __f_22 above. __v_14 is assigned an integer value in the true branch and a double value in the false branch.
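One way to make the judgement above concrete, as an added example that is not V8 code: a toy asm.js-style type check over a hand-built AST of the __f_22 body, which rejects the int/double mismatch before any decoder would try to merge the two branch values into one phi. The node shapes, `typeOf`, `checkAssignments` and the simplified int/double/fixnum types are all assumptions of this example.

```javascript
// Added example, not V8 code: a tiny asm.js-style type check over a hand-built
// AST of the __f_22 body from the testcase. A validator must reject the
// int/double mismatch before the asm-to-wasm decoder merges the branch values.
// Node shapes (constructed for this example):
//   {num: n}      numeric literal        {ref: "x"}     local variable
//   {unplus: e}   +e, coerces to double  {orzero: e}    e|0, coerces to int
//   {call: "f"}   call; return type is looked up in `sigs`
function typeOf(expr, locals, sigs) {
  if ("num" in expr) return Number.isInteger(expr.num) ? "fixnum" : "double";
  if ("ref" in expr) {
    if (!(expr.ref in locals)) throw new Error("unknown local " + expr.ref);
    return locals[expr.ref];
  }
  if ("unplus" in expr) { typeOf(expr.unplus, locals, sigs); return "double"; }
  if ("orzero" in expr) { typeOf(expr.orzero, locals, sigs); return "int"; }
  if ("call" in expr) return sigs[expr.call];
  throw new Error("unsupported expression");
}

// An int local accepts int or fixnum (small integer literal) values;
// a double local accepts only doubles. Types are simplified for the example.
function assignable(localType, valueType) {
  if (localType === "int") return valueType === "int" || valueType === "fixnum";
  return localType === valueType;
}

// Type-checks a list of assignments {assign: name, value: expr} and returns the
// first mismatch as a string, or null when every assignment is well typed.
function checkAssignments(stmts, locals, sigs) {
  for (const s of stmts) {
    const t = typeOf(s.value, locals, sigs);
    if (!assignable(locals[s.assign], t)) {
      return `${s.assign} is ${locals[s.assign]} but is assigned ${t}`;
    }
  }
  return null;
}

// Local types follow the initializers' coercions in the testcase:
// `var __v_25 = +__f_42(...)` is double, `var __v_14 = 0|0` is int.
const locals = { __v_25: "double", __v_14: "int" };
const sigs = { __f_42: "double" };
const trueBranch = [{ assign: "__v_14", value: { orzero: { num: 1 } } }];  // __v_14 = 1|0
const falseBranch = [{ assign: "__v_14", value: { ref: "__v_25" } }];      // __v_14 = __v_25
// Returns [result for the true branch, result for the false branch].
function checkTestcase() {
  return [checkAssignments(trueBranch, locals, sigs), checkAssignments(falseBranch, locals, sigs)];
}
```

The true branch type-checks while the false branch is reported as an int local receiving a double, which is the error the comment above expects the validator to raise.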
Labels: BlocksWasmLaunch
Labels: -BlocksWasmLaunch BlocksAsmWasmLaunch
Components: -Blink>JavaScript Platform>DevTools>JavaScript Blink>JavaScript>WebAssembly
Components: -Platform>DevTools>JavaScript
Labels: -Pri-1 Pri-2
Comment 8 by ClusterFuzz (Project Member), Jun 28 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4768812204818432

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000024
Crash State:
  v8::internal::wasm::SR_WasmDecoder::CreateOrMergeIntoPhi
  v8::internal::wasm::SR_WasmDecoder::MergeIntoProduction
  v8::internal::wasm::SR_WasmDecoder::Reduce
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97BK_nDfLWBFfVTI8RvZ5HPn8Afie1KBZWxr04Pg-yQ8PnusFJ7x4uJhp590OiNobjuAwtFNEBF2wSTaXAQW8sbZUi4h6tO46a4DOSBasMcVQpRXn_NbWMHX9G1ylPDvVxVXzlsSz8gTBZJ3gYo1yriLiZmxTIaSlpubCiuURVHgSbasJI?testcase_id=4768812204818432


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 9 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: hablich@chromium.org
Is this fixed?
Status: Fixed (was: Assigned)
Obsoleted by code churn. Closing.
