RUNTIME_ASSERT in call_site.IsJavaScript() || call_site.IsWasm() in src/runtime/runtime-internal.c
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6630508536791040
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: RUNTIME_ASSERT
Crash Address:
Crash State: call_site.IsJavaScript() || call_site.IsWasm() in src/runtime/runtime-internal.c
Regressed: V8: r36066:36067

Minimized Testcase (0.10 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv945WooL4mWKdHya1dlMcoUmCVBCEO-6IoGEpkC5omcQBNrFENc6TCMNK_XDl6bZoisw9092tJXL9Q4CsjgT2b241uyph_EyTf9Fflxy-ExZ6aWGMk7vNAXZvI1oNwjrK3La-VR0G-wCjNGjlBECcDlNXHXgFw

Error.prepareStackTrace = (e,s) => s;
__v_0 = Error().stack[0].constructor;
new __v_0(3, 6).toString();

Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 24 2016

May 24 2016
It looks like https://codereview.chromium.org/2006603002 requires a follow up.
May 24 2016
I think it's the check in the CallSite constructor on the JS side (messages.js:459), which is allowing too much. We would have to validate that the passed wasm object is indeed a wasm object.
May 24 2016
Working on it.
May 24 2016

May 30 2016

May 30 2016
Issue 615774 has been merged into this issue.
May 30 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/25c2203a8f1553ac79deed299ff66830d4d9ec0e

commit 25c2203a8f1553ac79deed299ff66830d4d9ec0e
Author: clemensh <clemensh@chromium.org>
Date: Mon May 30 10:27:03 2016

Check CallSite arguments more rigorously

Before, it was possible to construct invalid CallSite objects, which would trigger a runtime assert when any function is called on it. This check ensures that a TypeError is thrown when invalid information is passed to the CallSite constructor.

This reverts part of this CL: https://codereview.chromium.org/2006603002

R=ishell@chromium.org, titzer@chromium.org, yangguo@chromium.org
BUG= chromium:614295
Review-Url: https://codereview.chromium.org/2010493002
Cr-Commit-Position: refs/heads/master@{#36578}

[modify] https://crrev.com/25c2203a8f1553ac79deed299ff66830d4d9ec0e/src/js/messages.js
[modify] https://crrev.com/25c2203a8f1553ac79deed299ff66830d4d9ec0e/src/messages.cc
[modify] https://crrev.com/25c2203a8f1553ac79deed299ff66830d4d9ec0e/src/messages.h
[modify] https://crrev.com/25c2203a8f1553ac79deed299ff66830d4d9ec0e/src/runtime/runtime-internal.cc
[modify] https://crrev.com/25c2203a8f1553ac79deed299ff66830d4d9ec0e/src/runtime/runtime.h
[modify] https://crrev.com/25c2203a8f1553ac79deed299ff66830d4d9ec0e/src/wasm/wasm-module.cc
[modify] https://crrev.com/25c2203a8f1553ac79deed299ff66830d4d9ec0e/src/wasm/wasm-module.h
[add] https://crrev.com/25c2203a8f1553ac79deed299ff66830d4d9ec0e/test/mjsunit/regress/regress-crbug-615774.js
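The check the commit message and comment above describe, as an added JavaScript model that is not V8's messages.js code: a CallSite-like constructor that either stores its arguments unchecked, so an engine-internal assert fires later in a method, or validates them up front and throws a catchable TypeError. The wasm marker, the `runtimeAssert` stand-in and the class names are assumptions of this model.

```javascript
// Added model, not V8's messages.js: a CallSite-like constructor before and
// after the "check arguments more rigorously" change.

// Assumption of this model: a wasm frame is an object carrying this marker.
const WASM_FRAME = Symbol('wasm-frame');
const isWasmFrame = (r) => r !== null && typeof r === 'object' && r[WASM_FRAME] === true;

// Stand-in for a debug-build RUNTIME_ASSERT: an invariant the engine assumed
// the constructor had already guaranteed. In d8 this aborted the process.
function runtimeAssert(cond, what) {
  if (!cond) throw new Error(`RUNTIME_ASSERT ${what}`);
}

// Before the fix: arguments were stored unchecked, so script holding the
// constructor (reachable through Error.prepareStackTrace) could build a
// CallSite from garbage; the assert fired only later, inside a method.
class LenientCallSite {
  constructor(receiver, fun, pos) {
    Object.assign(this, { receiver, fun, pos });
  }
  getFunctionName() {
    runtimeAssert(typeof this.fun === 'function' || isWasmFrame(this.receiver),
                  'call_site.IsJavaScript() || call_site.IsWasm()');
    return isWasmFrame(this.receiver) ? `wasm-function[${this.fun}]` : this.fun.name;
  }
}

// After the fix: reject an invalid shape up front with a catchable TypeError.
// JS frame: fun must be a function. Wasm frame: fun is a function index.
class StrictCallSite extends LenientCallSite {
  constructor(receiver, fun, pos) {
    const wasm = isWasmFrame(receiver);
    if (wasm ? !Number.isInteger(fun) : typeof fun !== 'function') {
      throw new TypeError('CallSite: invalid function for this frame kind');
    }
    if (!Number.isInteger(pos)) throw new TypeError('CallSite: pos must be an integer');
    super(receiver, fun, pos);
  }
}

// Construct with the given arguments and report what the caller observes.
function probe(Ctor, ...args) {
  try { return { name: new Ctor(...args).getFunctionName() }; }
  catch (e) { return { error: e.constructor.name, message: e.message }; }
}

// The minimized testcase's arguments (3, 6): engine assert vs. TypeError.
console.log(probe(LenientCallSite, 3, 6), probe(StrictCallSite, 3, 6));
```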
May 30 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, May 24 2016
Status: Assigned (was: Available)