RUNTIME_ASSERT in args[0]->IsNumber() in src/runtime/runtime-maths.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5205335090659328
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: RUNTIME_ASSERT
Crash Address:
Crash State: args[0]->IsNumber() in src/runtime/runtime-maths.cc
Regressed: V8: r36527:36528
Minimized Testcase (0.40 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96LiH2k-zFpB65no1EGCv2j14dTt4URj-a1HXecEyY-krcKeEOb6JUmsP1AZT0OjCL7rUqZqBZ5XyIVFd78bFLtbtIH73TFzqWslmlSNgXb0gvqJVkows-D1SCTCaQTtCJJcVHqcQA7_qyfnfiXyKj8Em9M4Q

(function() { class MyTypedArray extends Int32Array { get length() { } } })();
(function() { class MyTypedArray extends Int32Array { constructor(length) { } } })();
(function() { })();
delete Int32Array.prototype.__proto__.length;
get = function() { }
try { } catch(e) {; }
try { (function __f_4() { })(); } catch(e) {; }
var __v_18 = new WeakMap;
var __v_19 = {};
__v_18.set(__v_19);

Filer: ishell
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

May 31 2016
I ran into this a few days ago and did some debugging. I've attached a more simplified test case. The issue stems from https://chromium.googlesource.com/v8/v8/+/4513e07787e2860a73d290d7580c961a0aad3482. In |MathRandomRaw|, |nextRandomIndex| can become an invalid array index, causing undefined to be passed into |%_DoubleLo|. A possible fix may be using |%_TypedArrayGetLength| instead of accessing the length in javascript.
May 31 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4603839483478016
Uploader: tjbecker@google.com
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: RUNTIME_ASSERT
Crash Address:
Crash State: args[0]->IsNumber() in src/runtime/runtime-maths.cc
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv957LvH8fd7jiubSl6XnFyW3r7TDgDjscWdh7fH_DW-SI8LT_OFMQqcYDqLOGnCeSUQaYoGRVIRe5aNrrTm_vyFBNmbeX5ZeonsRTSxeicRSTopE51tyBdCWzrASblj_6tFUgGB5xfXBs4XRol3Dwfj4vAlSDA
Filer: tjbecker
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jun 1 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/a7d091ffe385fc62e372f34317d97e6ea31a0a4a

commit a7d091ffe385fc62e372f34317d97e6ea31a0a4a
Author: gsathya <gsathya@chromium.org>
Date: Wed Jun 01 18:41:58 2016

math.js: Use %_TypedArrayGetLength to get length

https://codereview.chromium.org/2001393004 makes TypedArray length property writable, which means we shouldn't depend on it. Instead, use %_TypedArrayGetLength% to get length.

Attached regression test.

BUG= chromium:615776
Review-Url: https://codereview.chromium.org/2020203006
Cr-Commit-Position: refs/heads/master@{#36655}

[modify] https://crrev.com/a7d091ffe385fc62e372f34317d97e6ea31a0a4a/src/js/math.js
[add] https://crrev.com/a7d091ffe385fc62e372f34317d97e6ea31a0a4a/test/mjsunit/regress/regress-615776.js

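The failure mode described in the May 31 2016 analysis above (a self-hosted random-number cache reading the typed array's length through the ordinary JS property, which the testcase deletes from %TypedArray%.prototype) and the fix in the commit above (reading the length through an intrinsic that user script cannot reach), as an added example. This is not V8's code: `fillWithRandomNumbers`, `doubleLo`, `makeMathRandomRaw`, `probe` and `runScenario` are constructed stand-ins; the refill values come from a constructed LCG, `doubleLo` models the runtime assert by throwing on a non-number argument, and the captured getter stands in for `%_TypedArrayGetLength`.

```javascript
// Added example, not V8 code. Models the shape of the bug and its fix.

// The intrinsic view of a typed array's length: the %TypedArray%.prototype
// getter captured once, before any user code runs. Deleting the property
// later does not affect the function object we already hold.
const TypedArrayProto = Object.getPrototypeOf(Int32Array.prototype);
const typedArrayLength =
  Object.getOwnPropertyDescriptor(TypedArrayProto, 'length').get;

// Constructed stand-in for the native generator: a deterministic LCG so the
// results are stable. Fills the whole buffer using the captured getter.
let seed = 12345;
function fillWithRandomNumbers(buf) {
  const n = typedArrayLength.call(buf);
  for (let i = 0; i < n; i++) {
    seed = (Math.imul(seed, 1103515245) + 12345) >>> 0;
    buf[i] = seed;
  }
}

// Constructed stand-in for %_DoubleLo: the report's RUNTIME_ASSERT fires
// when the argument is not a number, modelled here as a thrown TypeError.
function doubleLo(x) {
  if (typeof x !== 'number') {
    throw new TypeError('RUNTIME_ASSERT args[0]->IsNumber()');
  }
  return x & 0x3fffffff;
}

// A cache that refills when its index runs out. `readLength` decides how the
// refill learns the buffer size: the JS property (vulnerable) or the
// captured intrinsic getter (fixed).
function makeMathRandomRaw(readLength) {
  const randomNumbers = new Uint32Array(4);
  let nextRandomIndex = 0;
  return function mathRandomRaw() {
    if (nextRandomIndex <= 0) {
      fillWithRandomNumbers(randomNumbers);
      // With `length` deleted from the prototype this yields undefined;
      // the decrement below then turns the index into NaN and
      // randomNumbers[NaN] is undefined, which reaches doubleLo.
      nextRandomIndex = readLength(randomNumbers);
    }
    return doubleLo(randomNumbers[--nextRandomIndex]);
  };
}

// Calls rng `calls` times; 'ok' if every result is a number, else the
// thrown message.
function probe(rng, calls) {
  try {
    for (let i = 0; i < calls; i++) {
      if (typeof rng() !== 'number') return 'non-number';
    }
    return 'ok';
  } catch (e) {
    return e.message;
  }
}

// Exercises both variants before and after the testcase's
// `delete Int32Array.prototype.__proto__.length`, restoring the property
// afterwards so the function is safe to call repeatedly.
function runScenario() {
  const unsafeRaw = makeMathRandomRaw(a => a.length);
  const safeRaw = makeMathRandomRaw(a => typedArrayLength.call(a));
  const before = { unsafe: probe(unsafeRaw, 5), safe: probe(safeRaw, 5) };

  const saved = Object.getOwnPropertyDescriptor(TypedArrayProto, 'length');
  delete TypedArrayProto.length;
  let after;
  try {
    after = { unsafe: probe(unsafeRaw, 5), safe: probe(safeRaw, 5) };
  } finally {
    Object.defineProperty(TypedArrayProto, 'length', saved);
  }
  return { before, after };
}
// runScenario() returns
// { before: { unsafe: 'ok', safe: 'ok' },
//   after:  { unsafe: 'RUNTIME_ASSERT args[0]->IsNumber()', safe: 'ok' } }
```

The general lesson is the one the commit message draws: once a property is writable or configurable from script, engine-internal code that reads it is running on attacker-controlled input, and the only safe reads are through intrinsics or through references captured before user code executes.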
Jun 1 2016
Thanks for looking into this, tjbecker.
Jun 2 2016
ClusterFuzz has detected this issue as fixed in range 36654:36655.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5205335090659328
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: RUNTIME_ASSERT
Crash Address:
Crash State: args[0]->IsNumber() in src/runtime/runtime-maths.cc
Regressed: V8: r36527:36528
Fixed: V8: r36654:36655
Minimized Testcase (0.40 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96LiH2k-zFpB65no1EGCv2j14dTt4URj-a1HXecEyY-krcKeEOb6JUmsP1AZT0OjCL7rUqZqBZ5XyIVFd78bFLtbtIH73TFzqWslmlSNgXb0gvqJVkows-D1SCTCaQTtCJJcVHqcQA7_qyfnfiXyKj8Em9M4Q

(function() { class MyTypedArray extends Int32Array { get length() { } } })();
(function() { class MyTypedArray extends Int32Array { constructor(length) { } } })();
(function() { })();
delete Int32Array.prototype.__proto__.length;
get = function() { }
try { } catch(e) {; }
try { (function __f_4() { })(); } catch(e) {; }
var __v_18 = new WeakMap;
var __v_19 = {};
__v_18.set(__v_19);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by ishell@chromium.org, May 30 2016
Owner: gsat...@chromium.org
Status: Assigned (was: Available)