Check failed: scanner_.peek_location().beg_pos == source->length() in v8/src/parsing/parser.cc
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6496618357981184
Fuzzer: inferno_webbot
Job Type: linux_debug_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  scanner_.peek_location().beg_pos == source->length() in v8/src/parsing/parser.cc
  <unknown>
  v8::base::OS::Abort
  V8_Fatal
Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95GpFcgRCovJDZqMjn1XWtfsb26t9w9XKoD0U9U7Y2Sh33WMjYYPnWM1-6_Ug6gYdsGop8LMHAtQurfK8zYb-2iXFdy6XNYyBzL-31p87_Z4F2AwEOfv4GTOXKHnZtt5iJQw2ArcAtQduLOAx_Tvodvf-87Ig
<script> window.open("http://000area-weekly.com"); window.location = "http://inderscience.com";</script>
Filer: jkummerow
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 2 2016
Nicer repro attached, w/ a single-line HTML + 7-line JS. Reproduces with either chrome or content_shell debug builds. The file ends with a // comment and *no* new-line. That fails the sanity test after parsing, which checks whether all characters have been read. Not sure yet what to do, but I guess this is an uncritical bug, probably in how the parser skips over comments.
May 2 2016
Also, does not reproduce w/ d8. So probably something "interesting" about how the source string is passed from Chrome to V8.
May 3 2016
#3 was wrong. The issue was that end-of-stream is represented as a code point, and ExternalTwobyteStringUtf16CharacterStream::PushBack of that 'magic' code point didn't quite work. The other stream implementations are fine. D8 uses another stream implementation, which is why this didn't reproduce on d8.
May 3 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/57f0a521e40a96bab629ca6618c9f939653f8a06

commit 57f0a521e40a96bab629ca6618c9f939653f8a06
Author: vogelheim <vogelheim@chromium.org>
Date: Tue May 03 09:41:34 2016

Fix ExternalTwobyteStringUtf16CharacterStream::PushBack(kEndOfInput)

PushBack(end-of-input) is a little weird, but since Utf16CharacterStream::Advance will advance pos_, but not buffer_cursor_ when at the end of the stream, pushing back the end-of-input token needs to do the exact inverse.

(The reason Advance does not advance buffer_cursor_ is that buffer_cursor_ is often dereferenced directly to access memory and so always needs to point to, well, memory.)

(The PushBack implementation for all other streams looks correct.)

R=rossberg@chromium.org
BUG= chromium:607903
LOG=Y

Review-Url: https://codereview.chromium.org/1941843002
Cr-Commit-Position: refs/heads/master@{#35968}

[modify] https://crrev.com/57f0a521e40a96bab629ca6618c9f939653f8a06/src/parsing/scanner-character-streams.h
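The Advance/PushBack asymmetry described in this commit message, as an added example that is not V8's code: a simplified model of a UTF-16 character stream with an end-of-input sentinel, where the naive push-back of that sentinel makes the last real character get read twice, and the parser's end-of-source position check no longer holds. The class, the kEndOfInput value and the comment-skipping loop are assumptions of this model.

```cpp
// Simplified model (added example, not V8's own code) of a UTF-16 character
// stream with an end-of-input sentinel. Advance() bumps pos_ but leaves
// buffer_cursor_ alone at end of input, so PushBack(kEndOfInput) must undo
// only pos_; the "buggy" flag selects the naive push-back that undoes both.
#include <cstdint>
#include <string>
constexpr int32_t kEndOfInput = -1;  // stands in for V8's magic code point
class Stream {
 public:
  Stream(const std::u16string& src, bool buggy) : src_(src), buggy_(buggy) {}

  int32_t Advance() {
    pos_++;  // the scanner's position advances even for the EOF token
    if (buffer_cursor_ < src_.size()) return src_[buffer_cursor_++];
    return kEndOfInput;  // cursor stays at src_.size(): still "memory"
  }

  void PushBack(int32_t ch) {
    pos_--;
    // Fixed behaviour: the inverse of the end-of-input Advance() is pos_-- only.
    if (ch == kEndOfInput && !buggy_) return;
    // Naive behaviour: also step the cursor back. For kEndOfInput this points
    // the cursor at the last real character, which is then read a second time.
    buffer_cursor_--;
  }
  size_t pos() const { return pos_; }
 private:
  std::u16string src_;
  size_t buffer_cursor_ = 0;
  size_t pos_ = 0;
  bool buggy_;
};

// Model of the scanner skipping a trailing "// ..." comment: consume until a
// newline or end of input, push the terminator back, then keep scanning until
// the end-of-input token and return where that token begins. The parser.cc
// CHECK from the report expects this to equal the source length.
size_t EofTokenPosition(bool buggy) {
  const std::u16string src = u"x = 1; // end";  // constructed: no trailing '\n'
  Stream s(src, buggy);
  int32_t c;
  do { c = s.Advance(); } while (c != '\n' && c != kEndOfInput);
  s.PushBack(c);
  size_t begin;
  do { begin = s.pos(); c = s.Advance(); } while (c != kEndOfInput);
  return begin;  // 13 when fixed, 14 with the naive push-back
}
```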
May 3 2016
May 4 2016
ClusterFuzz has detected this issue as fixed in range 391361:391404.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6496618357981184
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=391361:391404
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by jkummerow@chromium.org
Apr 29 2016
Labels: -Pri-1 Pri-2
Owner: vogelheim@chromium.org
Status: Assigned (was: Available)
Summary: Check failed: scanner_.peek_location().beg_pos == source->length() in v8/src/parsing/parser.cc (was: scanner_.peek_location().beg_pos == source->length() in v8/src/parsing/parser.cc)