Issue metadata
Crash in v8::internal::HandleBase::IsDereferenceAllowed

Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4854869844557824
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0xd0a0001c
Crash State:
  v8::internal::HandleBase::IsDereferenceAllowed
  void v8::internal::LookupIterator::Start<false>
  v8::internal::LookupIterator::LookupIterator
Recommended Security Severity: Medium
Regressed: V8: r36680:36681
Minimized Testcase (4.04 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ykIeI4GpGyk8oljcjEZ1Hbd82yqujztvpmfF7uf63c8x_kyhRjLZPnQytAc5-bOiZSRAVN1Ru5nEiaZk6zB4Kx8Twwq9eO7sHPRjmBddXe-e7i4UlhJKqEBPC5mNx6MvWqBUPyvLLQ7HTk8FuQs2FpvP6eg
Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 3 2016
Reproduction is highly timing specific. Regression range is most likely unreliable. Needs ASM-to-WASM translation. Reproduces as follows with tip-of-tree ...
$ ~/Development/v8.git/out/x64.debug/d8 --expose-gc --omit-quit --gc-interval=153 --expose-wasm fuzz-00030.js
Jun 3 2016
Jun 3 2016
Jun 3 2016
bradnelson@, have you had a chance to look at this?
Jun 3 2016
So I'm doubtful that this is the cause: https://crrev.com/31882103773436538fa929b1b867a6cb42fe72bf Since the only map in all this is the one attached to the Wasm object at bootstrap. ahaas, at a glance is this a side effect of the same thing you're investigating with weak gc refs on the js->wasm thunks? Since this is behind the expose-wasm flag, lowering in priority slightly, and marking with BlocksAsmWasmLaunch.
Jun 5 2016
Jun 5 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 6 2016
#7/#8: No, this is a bug in a new feature that's off by default.
Jun 6 2016
I don't know why and how, but this issue seems to get fixed by my work on the GC. Instead of a SegFault I get
fuzz-00030.js:171: TypeError: (intermediate value) is not a function
})();
^
TypeError: (intermediate value) is not a function
at /usr/local/google/home/ahaas/Downloads/fuzz-00030.js:171:3
where fuzz-00030.js is the minimized testcase.
Jun 9 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4940906897866752
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0xcf20001c
Crash State:
  v8::internal::HandleBase::IsDereferenceAllowed
  void v8::internal::LookupIterator::Start<false>
  v8::internal::LookupIterator::LookupIterator
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_v8_arm_dbg&range=36680:36681
Minimized Testcase (5.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96vG8DKEaOK2udnVG9hRUUNN8CiH6_SvvT5lhkVAsye9uQ0Rtc1U6bXTZ1mQA8YnM_zM-357bTtnkNt3Yx1UBIHwWfNLKWQN40LmBXJxJR4n6BC1ZX7JNS5FxHAYqrOFy7OBQvmApFacM77WmPL_80xKXv0qA
Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 16 2016
ClusterFuzz has detected this issue as fixed in range 37005:37006.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4940906897866752
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0xcf20001c
Crash State:
  v8::internal::HandleBase::IsDereferenceAllowed
  void v8::internal::LookupIterator::Start<false>
  v8::internal::LookupIterator::LookupIterator
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_v8_arm_dbg&range=36680:36681
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_v8_arm_dbg&range=37005:37006
Minimized Testcase (5.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96vG8DKEaOK2udnVG9hRUUNN8CiH6_SvvT5lhkVAsye9uQ0Rtc1U6bXTZ1mQA8YnM_zM-357bTtnkNt3Yx1UBIHwWfNLKWQN40LmBXJxJR4n6BC1ZX7JNS5FxHAYqrOFy7OBQvmApFacM77WmPL_80xKXv0qA
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6507668386873344
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x7f5078c00038
Crash State:
  v8::internal::HandleBase::IsDereferenceAllowed
  void v8::internal::LookupIterator::Start<false>
  v8::internal::LookupIterator::LookupIterator
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_dbg&range=36737:36738
Minimized Testcase (8.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv976WmZboh-h9tHZIXO7lRjUX8uK8hHcIxEhfQ46TGbHJD9yeENnKp9K8-Hs0pkY5mplCqn2tQnPBSvP6_5PI0KOXFgOr_xbM96Ou6bKszO0ESQRQcEX-vpLnfcIQCEUkvgoVbxb_5u3NOmSdCCFUEXkXP8taQ
Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 19 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6507668386873344
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x7f5078c00038
Crash State:
  v8::internal::HandleBase::IsDereferenceAllowed
  void v8::internal::LookupIterator::Start<false>
  v8::internal::LookupIterator::LookupIterator
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_dbg&range=36737:36738
Minimized Testcase (8.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv976WmZboh-h9tHZIXO7lRjUX8uK8hHcIxEhfQ46TGbHJD9yeENnKp9K8-Hs0pkY5mplCqn2tQnPBSvP6_5PI0KOXFgOr_xbM96Ou6bKszO0ESQRQcEX-vpLnfcIQCEUkvgoVbxb_5u3NOmSdCCFUEXkXP8taQ?testcase_id=6507668386873344
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 20 2016
Jun 20 2016
Jun 28 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4854869844557824
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0xd0a0001c
Crash State:
  v8::internal::HandleBase::IsDereferenceAllowed
  void v8::internal::LookupIterator::Start<false>
  v8::internal::LookupIterator::LookupIterator
Recommended Security Severity: Medium
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97U8BjCrW6kgoFiZs17Yjc4MSL09iY2i8HnGwNUcDLZ7vK7YHxwlcE7Nxej5i5aqelab0GGPZdyngAlLAzhUGgS9quR0ft2FywfCz-HWaOomWxLq7JkbpReV0ZkixkmySkLEoQvnEZYbBlmPIefTXMsYxDRupMTtURFJlYJ3V5JTTofjeo?testcase_id=4854869844557824
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 28 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 28 2016
Oct 4 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Jun 3 2016