
Issue 612076 link


Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug




Crash in v8::internal::Object::GetRootMap

Project Member Reported by ClusterFuzz, May 16 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4794301569040384

Fuzzer: attekett_surku_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000013
Crash State:
  v8::internal::Object::GetRootMap
  v8::internal::StringStream::PrintPrototype
  v8::internal::StringStream::PrintFunction
  

Minimized Testcase (1.46 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96c_XOh6GBQHR4yrp9l9ZpadwZ01xBeY5npeJIFxINTaMBHB0ybEwjW3jk2KPc4NDMxtwX58EAjXR9CjQY3oqjej4T7H0WjJUZuCZFDkhoez1k8cFRyo-BWxKe37KX5d54eDvwQFFy_R8YT5TK8R1sYp7mznA


Filer: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 findit-for-crash Te-Logged M-52 Pri-3
Owner: bmeu...@chromium.org
Status: Assigned (was: Available)
Author: bmeurer
Project: chromium-v8
Changelist: https://chromium.googlesource.com/v8/v8.git/+/47502a238b8185a864bfe6a8d5508b4e67cad40e
Time: Fri Nov 27 16:59:28 2015
The CL last changed line 75 of file contexts-inl.h, which is stack frame 1.

@bmeurer: Request you to please take a look into it.

Owner: ishell@chromium.org
Assigning to clusterfuzz sheriff.
Project Member

Comment 3 by bugdroid1@chromium.org, May 24 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/6b9c915794415dcd49d50eb82e532c52b42b3d60

commit 6b9c915794415dcd49d50eb82e532c52b42b3d60
Author: ishell <ishell@chromium.org>
Date: Tue May 24 06:58:27 2016

Don't access context during OOM reporting if it's not available.

BUG= chromium:612076 
LOG=N

Review-Url: https://codereview.chromium.org/2005763002
Cr-Commit-Position: refs/heads/master@{#36459}

[modify] https://crrev.com/6b9c915794415dcd49d50eb82e532c52b42b3d60/src/string-stream.cc

Comment 4 by ishell@chromium.org, May 24 2016

Status: Fixed (was: Assigned)
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
