New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 614643 link

Starred by 0 users

Issue metadata

Status: Archived
Owner: ----
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Crash in v8::internal::Invoke

Project Member Reported by ClusterFuzz, May 25 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6086500328669184

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
  
Regressed: V8: r35756:35757

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94xil1NDSMBsqfNhNEEBMcD3-eDVzF7rudFV2mLLHpoRwCFnY8ADZasvBlqligWhhEw-T9SwkI8lKwBzjGuQqNOQMxUXzXCqJSSAnZzVgOH1136G5XuNbVAT0Zxq5cuKnylQXRyAmjuGnuhZkkAgLQfrkXnVg
"use strict";
for (var __v_0 = 0; __v_0 < 10*1000; __v_0++) {
  Object.prototype['generatedProperty'+__v_0] = true;
}
function __f_7(x) {
  var __v_12 = [];
  for (let __v_9 in x);
  return __v_12.sort();
}
 __f_7({}).length;
["x"], __f_7({x:1});
[], __f_7({});
[], __f_7({});


Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Related to either the three-tier pipeline or Ignition. I'll have a look.
Reproduces as follows on tip of tree ...

$ git checkout 39d08198bd1d8f28c71d0c4f684582b462216364
$ make -j1000 x64.debug
$ ./out/x64.debug/d8 --es-staging --ignition test/mjsunit/foo.js
$ cat test/mjsunit/foo.js

"use strict";
for (var i = 0; i < 100000; i++) {
  Object.prototype['generatedProperty'+i] = true;
}
function f(x) {
  var a = [];
  for (let p in x);
  return a.sort();
}
f({});
f({});
f({});
f({});
Project Member

Comment 3 by ClusterFuzz, Jun 28 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6086500328669184

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
  

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94eCaN9G7b6Yy6VkMji7xCh69vh_2t82edg1h-4E8XuiGuzAeQ9UgEatwUDYUx4homcsWCZLl5Z1ml6wYHLDG_dJu2Qsts7buO2VFAnGdiVViiWsDuRpWMrM01QJMLxphuh1ckUa0pnCFsTsgbqnbB4FEMwFg?testcase_id=6086500328669184


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Archived (was: Available)
No longer reproduces. Underlying issue has been fixed by now. Closing.

Sign in to add a comment