Issue 617525 link

Starred by 0 users

Issue metadata

Status:	Fixed
Owner:	titzer@chromium.org
Closed:	Jun 2016
Cc:	ishell@chromium.org █ bradnelson@chromium.org mstarzinger@chromium.org
Components:	Blink>JavaScript
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Stability-Crash Reproducible Clusterfuzz

!locals_.has_sig() in encoder.cc

Project Member Reported by ClusterFuzz, Jun 6 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5498136760156160

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !locals_.has_sig() in encoder.cc
  
Regressed: V8: r36291:36292

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Cytkz4JoEhVHn5s2ReitD7GLLdbig0yGRzTSH8xXAyrm94Suhpi6gbSwPP5tAW3kCaOdcrPyZw3HioHc0uUd6XOwXgcJXCwWbkF0GhI30J_89JMMltvKgds8hfmWm-BuBCVpU5kVUQUjPexodP31pgGBgiw
function __f_13(asmfunc) {
  var __v_9 = asmfunc.toString();
  var __v_13 = Wasm.instantiateModuleFromAsm(__v_9);
}
function __f_14() {
  "use asm";
  function __f_15() { return 0; }
  function __f_15() { return 137; }
  return {
};
}
__f_13(__f_14, {
});


Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mstarzinger@chromium.org, Jun 6 2016

Cc: bradnelson@chromium.org
Owner: titzer@chromium.org
Status: Assigned (was: Available)

Project Member

Comment 2 by bugdroid1@chromium.org, Jun 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/0b91952913e3e90e12e0c6908073dad51d43bf8e

commit 0b91952913e3e90e12e0c6908073dad51d43bf8e
Author: titzer <titzer@chromium.org>
Date: Mon Jun 06 13:40:11 2016

[asmjs] Validator should reject modules with repeated functions.

R=ahaas@chromium.org,aseemgarg@chromium.org,bradnelson@chromium.org
BUG= chromium:617525 

Review-Url: https://codereview.chromium.org/2040983002
Cr-Commit-Position: refs/heads/master@{#36748}

[modify] https://crrev.com/0b91952913e3e90e12e0c6908073dad51d43bf8e/src/typing-asm.cc
[modify] https://crrev.com/0b91952913e3e90e12e0c6908073dad51d43bf8e/test/cctest/test-asm-validator.cc
[add] https://crrev.com/0b91952913e3e90e12e0c6908073dad51d43bf8e/test/mjsunit/regress/regress-617525.js

Comment 3 by titzer@chromium.org, Jun 6 2016

Status: Fixed (was: Assigned)

Project Member

Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

►

Issue 617525 link

Issue metadata

!locals_.has_sig() in encoder.cc

Issue description

Comment 1 by mstarzinger@chromium.org, Jun 6 2016

Comment 1 Deleted

Comment 2 by bugdroid1@chromium.org, Jun 6 2016

Comment 2 Deleted

Comment 3 by titzer@chromium.org, Jun 6 2016

Comment 3 Deleted

Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Comment 4 Deleted

Sign in to add a comment