counters_row->Set(context, to_name_object, counter_object) .IsJust() in src/inte
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4784007976058880
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: counters_row->Set(context, to_name_object, counter_object) .IsJust() in src/inte
Regressed: V8: r35815:35816
Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95KUOI7RqQ35N9UJza6YlgblSZ0ew2RKENgmgePGQ0Odqo_kOUziqz-qKQK7EphZrAWtkPxMsvN6rX7oZ2E2hOkZ8jPTDvrzqMB1X0xBqNkf4N4Gu3mLZnp7vtEgKN7eCb5Qzm_daMrLn9KSGP565eqCTp5zQ

__v_7 = new Proxy({},{}, { get() { throw "No trap should fire" }});
Object.setPrototypeOf(Object.prototype, __v_7);
function __f_7() { }
__v_10 = getIgnitionDispatchCounters();

Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 23 2016
Reproduces on tip of tree as follows ...

$ git checkout 3cc2adb3195afe8f6eb671664bd65828eb68adb1
$ make -j1000 x64.debug
$ ./out/x64.debug/d8 --ignition --trace-ignition-dispatches ~/Downloads/fuzz-02351.js

#
# Fatal error in ../src/interpreter/interpreter.cc, line 254
# Check failed: counters_row->Set(context, to_name_object, counter_object) .IsJust().
#

==== C stack trace ===============================

 1: V8_Fatal
 2: v8::internal::interpreter::Interpreter::GetDispatchCountersObject()
 3: v8::internal::IgnitionStatisticsExtension::GetIgnitionDispatchCounters(v8::FunctionCallbackInfo<v8::Value> const&)
 4: v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&))
 5: 0xdff52f
 6: 0xe45126
 7: 0xe029eb
 8: 0x85a20308bc7
Illegal instruction (core dumped)
May 23 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/26569a47d156cc24b39083ce924daa4674c12042

commit 26569a47d156cc24b39083ce924daa4674c12042
Author: ssanfilippo <ssanfilippo@chromium.org>
Date: Mon May 23 16:40:00 2016

[Interpreter] Fix getIgnitionDispatchCounters crash with modified Object prototype.

Changes to the Object prototype may cause getIgnitionDispatchCounters() to fail when building the counters table object. Using DefineOwnProperty instead of Set solves the issue by ignoring the prototype chain.

BUG= chromium:613567
LOG=N

Review-Url: https://codereview.chromium.org/2000203002
Cr-Commit-Position: refs/heads/master@{#36447}

[modify] https://crrev.com/26569a47d156cc24b39083ce924daa4674c12042/src/interpreter/interpreter.cc
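As an added illustration (not code from the V8 issue or from the commit), the Set versus DefineOwnProperty distinction the fix relies on, mirrored at the JavaScript level: assignment goes through [[Set]], which walks the prototype chain and can be intercepted by a Proxy trap or setter sitting there, while Object.defineProperty goes through [[DefineOwnProperty]] and touches only the receiver. The hostile prototype, the builder functions and the counter rows are all constructed here; a local prototype is used instead of re-parenting Object.prototype, and this demonstrates the semantics, not the CHECK failure itself.

```javascript
// Constructed stand-in for the fuzzer's modified prototype chain: a Proxy
// whose traps throw, so any store that consults the chain fails loudly.
function makeHostileProto() {
  return new Proxy({}, {
    set() { throw new Error("set trap fired"); },
    get() { throw new Error("get trap fired"); },
  });
}

// Pre-fix shape: populate the table by assignment, i.e. the [[Set]] path.
// With no own property on `table`, OrdinarySet defers to the prototype's
// [[Set]], which for a Proxy means its `set` trap runs.
function buildTableWithSet(proto, entries) {
  const table = Object.create(proto);
  for (const [name, value] of entries) {
    table[name] = value; // consults the chain -> trap fires
  }
  return table;
}

// Post-fix shape: define each entry as an own property, i.e. the
// [[DefineOwnProperty]] path, which never looks at the prototype chain.
function buildTableWithDefine(proto, entries) {
  const table = Object.create(proto);
  for (const [name, value] of entries) {
    Object.defineProperty(table, name, {
      value, writable: true, enumerable: true, configurable: true,
    });
  }
  return table;
}

// Runs a builder against the hostile prototype and reports the outcome.
// Object.keys only enumerates own properties, so it does not hit the Proxy.
function tryBuild(builder, entries) {
  try {
    const table = builder(makeHostileProto(), entries);
    return { status: "ok", keys: Object.keys(table) };
  } catch (e) {
    return { status: "error", message: e.message };
  }
}

// Constructed sample rows, shaped like bytecode-name -> count pairs.
const SAMPLE_ROWS = [["Ldar", 12], ["Star", 7]];

const RESULTS = {
  set: tryBuild(buildTableWithSet, SAMPLE_ROWS),       // error: set trap fired
  define: tryBuild(buildTableWithDefine, SAMPLE_ROWS), // ok, keys Ldar, Star
};
```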
May 23 2016
ClusterFuzz has detected this issue as fixed in range 36446:36447.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4784007976058880
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: counters_row->Set(context, to_name_object, counter_object) .IsJust() in src/inte
Regressed: V8: r35815:35816
Fixed: V8: r36446:36447

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, May 20 2016
Owner: ssanfilippo@chromium.org
Status: Assigned (was: Available)