
Issue 613933 link

Issue metadata

Status: WontFix
Owner: ----
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression

Crash in v8::internal::JSObject::AddDataElement

Project Member Reported by ClusterFuzz, May 23 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5136336524935168

Fuzzer: mbarbella_webgl
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::JSObject::AddDataElement
  v8::internal::Object::SetProperty
  v8::Object::Set
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=375259:376263

Minimized Testcase (0.40 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96cjMA7QaPKH871M03cHJClRvGAbz36Cnl7EExLZAFDnxV0koi1tw-2IAbAeaNON39VlXxhPiisiGGjAmSE1NGkoQ9aA_nt1gNQfZndn2JUE_ObHhpZNIJ5S9QeHYd1k_xWERlt5QszZWHtcWLCLA5BkDQwUg
<script>
  function create_program() {
  }
  function runTests() {
    var canvas = document.createElement('canvas');
    var gl = canvas.getContext('experimental-webgl');
    runTest(gl);
  }
  function runTest(gl) {
    // Recurse until the stack is exhausted; the catch swallows the
    // RangeError, so the WebGL calls below run in the deepest frame left.
    try { runTest(gl) } catch (e) {}
    var vertexObject = gl.createBuffer();
    gl.bindBuffer(gl.ARRAY_BUFFER, vertexObject);
  }
</script>
<body onload="runTests()">


Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: nyerramilli@chromium.org mstarzinger@chromium.org cbruni@chromium.org hablich@chromium.org
Components: Blink>JavaScript Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug findit-wrong Te-Logged M-50 Pri-2 Type-Bug-Regression
Adding V8 people.

Providing FindIt results for internal purposes:
Suspected CLs: the result is a list of CLs that change the crashed files.

Author: mstarzinger
Project: chromium-v8
Changelist: https://chromium.googlesource.com/v8/v8.git/+/305a36e0d41f22d79b60daea70050e58f960bd8e
Time: Wed Feb 17 10:30:10 2016
Line 4347 of file objects.cc, which potentially caused the crash, is changed in this CL (frame #4, "v8::internal::Object::SetProperty").
Minimum distance from crash line to modified line: 0 (file: objects.cc, crashed on: 4347, modified: 4347).

Suspected Project: chromium-v8
Suspected Component: Blink>JavaScript

Comment 2 by ishell@chromium.org, May 23 2016

Cc: ishell@chromium.org

Comment 3 by cbruni@chromium.org, May 30 2016

Status: WontFix (was: Available)
This is a stack overflow situation caused by the recursive call of runTest(gl), which in turn prevents further Handle allocations.
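
The diagnosis in comment 3 rests on the shape of the reproducer: every runTest frame has its own try/catch, so the RangeError raised by stack exhaustion is swallowed by the deepest frame that can still run, and the WebGL calls after the catch execute in that frame, at the stack limit, rather than after the stack has unwound. The following is an added illustration of that mechanism for this issue, written for Node.js; it is not code from the Chromium tracker, from V8 or from ClusterFuzz, and the function names in it are invented. It models the reproducer's per-frame catch next to a version with a single top-level catch and reports where the post-catch work actually ran.

```javascript
// Added example for this issue; not code from the Chromium tracker, V8 or
// ClusterFuzz. Node.js (or another V8 shell) is assumed, and the function
// names below are invented for the demonstration.

// Model of the reproducer's runTest(gl): recurse first, swallow the
// overflow, then do the "work" that stands in for gl.createBuffer() and
// gl.bindBuffer(). Because every frame has its own catch, the RangeError
// ("Maximum call stack size exceeded") is caught by the deepest frame that
// still fits, and work() runs there, with almost no stack headroom, before
// the stack unwinds.
function perFrameCatchRecursion(work, depth = 0, stats = { maxDepth: 0, overflows: 0 }) {
  if (depth > stats.maxDepth) stats.maxDepth = depth;
  try {
    perFrameCatchRecursion(work, depth + 1, stats);
  } catch (e) {
    if (!(e instanceof RangeError)) throw e; // only stack exhaustion is expected here
    stats.overflows++;
  }
  // Executed once per surviving frame, deepest frame first. If this call
  // itself overflows, the parent frame's catch absorbs it and the work is
  // retried one frame higher, so the first successful call is still right
  // at the limit.
  work(depth);
  return stats;
}

// Contrast: a single catch around the whole recursion. The RangeError
// unwinds every frame before any work runs, so work() sees a full stack.
function topLevelCatchRecursion(work) {
  function recurse(depth) {
    recurse(depth + 1);
    work(depth); // never reached: the overflow passes straight through
  }
  try {
    recurse(1);
  } catch (e) {
    if (!(e instanceof RangeError)) throw e;
  }
  work(0);
}

// Run both shapes and report where the post-catch work actually executed.
function probe() {
  const perFrameDepths = [];
  const stats = perFrameCatchRecursion((d) => perFrameDepths.push(d));
  const topLevelDepths = [];
  topLevelCatchRecursion((d) => topLevelDepths.push(d));
  return {
    maxDepth: stats.maxDepth,                  // how deep the recursion got
    overflows: stats.overflows,                // RangeErrors swallowed on the way out
    firstWorkDepthPerFrame: perFrameDepths[0], // within a few frames of maxDepth
    workCallsPerFrame: perFrameDepths.length,  // one per frame that survived
    workDepthsTopLevel: topLevelDepths,        // [0]: work ran after a full unwind
  };
}

console.log(probe());
```

Run with node: firstWorkDepthPerFrame comes out within a few frames of maxDepth, while the top-level-catch variant runs its work at depth 0. For triage that is the distinction to make before treating an ASan UNKNOWN READ at a near-null address as a memory-safety bug: when the full stack trace beneath a short crash state like the one above is a long run of the same script frames, the crash is most likely a stack-exhaustion artifact of the harness, which is the basis on which this issue was closed WontFix.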

Project Member

Comment 4 by ClusterFuzz, Aug 8 2016

ClusterFuzz has detected this issue as fixed in range 409589:409828.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5136336524935168

Fuzzer: mbarbella_webgl
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::JSObject::AddDataElement
  v8::internal::Object::SetProperty
  v8::Object::Set
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=393646:393765
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=409589:409828

Minimized Testcase (0.45 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95K-eW3JpOgOYOFIf_LO33Isw_1RntnyssAhkLUOgvzFSfovXvnqfGSzvcqqYHvaPCpANfW2Kucy5FQa8cBW1k5Lrosq6Oa_pUDXSiywhxM_70wLqidFeNB6VaqwfEraNhajChbw36GlKiE0_pdwIBDNwgbFQ?testcase_id=5136336524935168
<script>
  function create_program() {
  }
  function runTests() {
    var canvas = document.createElement('canvas');
    var gl = canvas.getContext('experimental-webgl');
    var p = create_program();
    runTest(gl, p);
  }
  function runTest(gl) {
    // Same shape as the original reproducer: recurse until the stack is
    // exhausted, swallow the RangeError, then call into WebGL from the
    // deepest frame left. The extra argument is unused.
    try { runTest(gl, gl.canvas.height) } catch (e) {}
    var vertexObject = gl.createBuffer();
    gl.bindBuffer(gl.ARRAY_BUFFER, vertexObject);
  }
</script>
<body onload="runTests()">


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 18 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot