kAstStmt != var_type in src/wasm/asm-wasm-builder.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6662104588746752
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: kAstStmt != var_type in src/wasm/asm-wasm-builder.cc
Regressed: V8: r34586:34587

Minimized Testcase (0.37 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97g-_wXzw5UtCE0rPff3jKo9Ppo2Sr_LuK2IPeG3yvPznFWPQ4VW3hFiHacvweT9iisvLcwiWQhYYtUqBv4adLhO9vVQLEODvkQvMKwrldSbBxOwtC651nPv4SXA2dXZUA9uy_vwW7q6EcWbbx7uQSSY4WRxA

    (function __f_12() {
      function __f_2() {
        "use asm"
        function __f_4() {
          __v_2 = __v_2;
          var __v_2 = 0;
          var __v_6 = 7;
          switch (__v_6) {
            case 1: return 0;
          }
          switch (__v_6) { }
          return __v_2|0;
        }
        return {__f_4:__f_4};
      }
      var __v_2 = Wasm.instantiateModuleFromAsm(__f_2.toString());
    })();
    (function __f_1() { })();

Filer: jkummerow

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 29 2016
Looks like an asm.js verification bug. In this case, __v_2 is context allocated, and the initialization expression seems like invalid asm.js.
Jun 8 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6662104588746752
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: kAstStmt != var_type in src/wasm/asm-wasm-builder.cc

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97nuNeJwTvxWXkWIDGjC-weIp_ES15V3OSfWxxLqfs-1gDeiiYb4geb88QWuLJacpIdkJDv4hQ2f7HCGEv4vs5iDfkhMAkSGrl8kf3TH4AMGKzXsp8oHMpXLeCOx-qgVp5ShsUqW4S52bkQeehXpEZhGKFHPhLHXDRBm2dg_Ut4eLrrCFY

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 20 2016
Aseem, please see if you can repro + understand this. Thanks!
Jun 20 2016
Issue 618605 has been merged into this issue.
Jun 30 2016
This is caused by the typer not detecting variables being used before declaration and marking them with the none type. asm-wasm-builder would catch this in debug mode.
Jul 15 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5485799277854720
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: kAstStmt != var_type in asm-wasm-builder.cc
Regressed: V8: r35895:35896

Minimized Testcase (0.42 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97iXZ8NmbEhrqfz9vipxHI1Sv6rPv_r02_69Rx00UoabTJsaFCGh3sdzyX2y-RSkEwWTqG0NyKm5x9o0txBowcZAk7LeALkmebjyDOBsbCUfymoPqMro_Ql_DacgOf2OdsHH6fTlAUBM8h36NBK76Ap0Ab9wg?testcase_id=5485799277854720

    function __f_46() { label: { } }
    function __f_6() { abc: { } }
    function __f_110(stdlib, __v_37, buffer) {
      "use asm";
      var __v_35 = new stdlib.Int32Array(buffer);
      function __f_23() { __v_35 = __v_35; }
      return {__f_23: __f_23};
    }
    var module = Wasm.instantiateModuleFromAsm( __f_110.toString());
    function __f_13() { }
    (function () { })()
    function __f_116() { }
    (function () { })();
    function __f_44() { }

Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 23 2016
ClusterFuzz has detected this issue as fixed in range 38805:38806.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5485799277854720
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: kAstStmt != var_type in asm-wasm-builder.cc
Regressed: V8: r35895:35896
Fixed: V8: r38805:38806

Minimized Testcase (0.42 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97iXZ8NmbEhrqfz9vipxHI1Sv6rPv_r02_69Rx00UoabTJsaFCGh3sdzyX2y-RSkEwWTqG0NyKm5x9o0txBowcZAk7LeALkmebjyDOBsbCUfymoPqMro_Ql_DacgOf2OdsHH6fTlAUBM8h36NBK76Ap0Ab9wg?testcase_id=5485799277854720

    function __f_46() { label: { } }
    function __f_6() { abc: { } }
    function __f_110(stdlib, __v_37, buffer) {
      "use asm";
      var __v_35 = new stdlib.Int32Array(buffer);
      function __f_23() { __v_35 = __v_35; }
      return {__f_23: __f_23};
    }
    var module = Wasm.instantiateModuleFromAsm( __f_110.toString());
    function __f_13() { }
    (function () { })()
    function __f_116() { }
    (function () { })();
    function __f_44() { }

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Dec 8 2016
ClusterFuzz testcase 5485799277854720 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by jkummerow@chromium.org, Apr 29 2016
Owner: titzer@chromium.org
Status: Assigned (was: Available)