New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 617529 link

Starred by 0 users

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

kAstStmt != var_type in asm-wasm-builder.cc

Project Member Reported by ClusterFuzz, Jun 6 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6687521761394688

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  kAstStmt != var_type in asm-wasm-builder.cc
  
Regressed: V8: r34586:34587

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97BssVfilP9yCHoZyJ8NSEfwqnHQsWjo3kImEHIce0gnPOdyfyWj-8JeRloYzgQVW8k1y8gKPN7v3puiwT8bthsEy8QJLwfjiExMQpArmn1o4SIYJ3p1wr2y3fwM4n-E69yhLTnb3uEI8QSomNiKRUTLi5g-g
function __f_71(stdlib, buffer) {
  "use asm";
  var __v_22 = new stdlib.Float64Array(buffer);
  function __f_26() {
    __v_22 = __v_22;
  }
  return {__f_26: __f_26};
}
 Wasm.instantiateModuleFromAsm( __f_71.toString());
( {
})();


Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: bradnelson@chromium.org
Owner: titzer@chromium.org
Status: Assigned (was: Available)
Project Member

Comment 2 by bugdroid1@chromium.org, Jun 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/dc98fabf1519d25b20fc0ca559692af7d0519916

commit dc98fabf1519d25b20fc0ca559692af7d0519916
Author: titzer <titzer@chromium.org>
Date: Mon Jun 06 13:27:49 2016

[asmjs] Validator should reject assignments to heap variables in functions.

BUG= chromium:617529 

Review-Url: https://codereview.chromium.org/2041843002
Cr-Commit-Position: refs/heads/master@{#36747}

[modify] https://crrev.com/dc98fabf1519d25b20fc0ca559692af7d0519916/src/typing-asm.cc
[add] https://crrev.com/dc98fabf1519d25b20fc0ca559692af7d0519916/test/mjsunit/regress/regress-617529.js

Status: Fixed (was: Assigned)
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment