kAstStmt != var_type in asm-wasm-builder.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6687521761394688

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: kAstStmt != var_type in asm-wasm-builder.cc
Regressed: V8: r34586:34587

Minimized Testcase (0.23 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97BssVfilP9yCHoZyJ8NSEfwqnHQsWjo3kImEHIce0gnPOdyfyWj-8JeRloYzgQVW8k1y8gKPN7v3puiwT8bthsEy8QJLwfjiExMQpArmn1o4SIYJ3p1wr2y3fwM4n-E69yhLTnb3uEI8QSomNiKRUTLi5g-g

    function __f_71(stdlib, buffer) {
      "use asm";
      var __v_22 = new stdlib.Float64Array(buffer);
      function __f_26() {
        __v_22 = __v_22;
      }
      return {__f_26: __f_26};
    }
    Wasm.instantiateModuleFromAsm(__f_71.toString());
    ( { })();

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 6 2016

The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/dc98fabf1519d25b20fc0ca559692af7d0519916

commit dc98fabf1519d25b20fc0ca559692af7d0519916
Author: titzer <titzer@chromium.org>
Date: Mon Jun 06 13:27:49 2016

[asmjs] Validator should reject assignments to heap variables in functions.

BUG= chromium:617529
Review-Url: https://codereview.chromium.org/2041843002
Cr-Commit-Position: refs/heads/master@{#36747}

[modify] https://crrev.com/dc98fabf1519d25b20fc0ca559692af7d0519916/src/typing-asm.cc
[add] https://crrev.com/dc98fabf1519d25b20fc0ca559692af7d0519916/test/mjsunit/regress/regress-617529.js
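The fix lands in typing-asm.cc, which is the asm.js validator in front of the wasm builder: the CHECK in asm-wasm-builder.cc fires because a heap view (here a Float64Array over the module's buffer) reached the builder as the target of a plain assignment, which the validator should have rejected first. As an added illustration that is not V8's code, the following JavaScript is a string-level scan of the same rule, run on the page's minimized testcase and on a constructed well-formed module: it collects the heap views declared at module scope (`var X = new stdlib.<Type>Array(buffer)`) and reports every inner function that assigns to one of them. The names `findHeapViewAssignments`, `innerFunctions`, `BAD_MODULE` and `OK_MODULE` are this example's own, and the scan is a regex over source text, not an AST-based validator.

```javascript
// Added example, not V8's code: a string-level scan that mirrors the rule the
// fix enforces in typing-asm.cc (no assignment to a heap-view variable inside
// a function). A real asm.js validator works on the parsed AST; this only has
// to be good enough to show the rule on the minimized testcase.

// The page's minimized testcase: the inner function reassigns the heap view.
const BAD_MODULE = 'function __f_71(stdlib, buffer) { "use asm"; ' +
  'var __v_22 = new stdlib.Float64Array(buffer); ' +
  'function __f_26() { __v_22 = __v_22; } return {__f_26: __f_26}; }';

// Constructed well-formed module: the heap view is only indexed, never reassigned.
const OK_MODULE = 'function m(stdlib, foreign, buffer) { "use asm"; ' +
  'var heap = new stdlib.Float64Array(buffer); ' +
  'function store(v) { v = +v; heap[0] = v; } return {store: store}; }';

// Module-scope declaration of a heap view over the module's buffer.
const HEAP_VIEW_DECL =
  /var\s+([A-Za-z_$][\w$]*)\s*=\s*new\s+stdlib\.(?:Int8|Uint8|Int16|Uint16|Int32|Uint32|Float32|Float64)Array\s*\(\s*buffer\s*\)/g;

// Names of the heap views declared at module scope.
function findHeapViews(moduleSrc) {
  const views = new Set();
  for (const m of moduleSrc.matchAll(HEAP_VIEW_DECL)) views.add(m[1]);
  return views;
}

// Index of the '}' that closes the '{' at openIdx.
function matchBrace(src, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return i;
  }
  throw new Error('unbalanced braces');
}

// Name and body text of each function declared after the "use asm" prologue
// (the module function itself sits before the prologue and is skipped).
function innerFunctions(moduleSrc) {
  const start = moduleSrc.search(/["']use asm["']/);
  if (start < 0) throw new Error('no "use asm" prologue: not an asm.js module');
  const re = /function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{/g;
  re.lastIndex = start;
  const fns = [];
  let m;
  while ((m = re.exec(moduleSrc)) !== null) {
    const open = m.index + m[0].length - 1;
    const close = matchBrace(moduleSrc, open);
    fns.push({ name: m[1], body: moduleSrc.slice(open + 1, close) });
    re.lastIndex = close + 1; // continue after this function's closing brace
  }
  return fns;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Every (function, heap view) pair where the function assigns to the view
// variable itself ("view = ..."), which is what the validator must reject.
// Element stores ("view[i] = x") and comparisons ("view == y") do not match.
function findHeapViewAssignments(moduleSrc) {
  const hits = [];
  const views = findHeapViews(moduleSrc);
  for (const { name, body } of innerFunctions(moduleSrc)) {
    for (const view of views) {
      const assign = new RegExp('(^|[^\\w$])' + escapeRegExp(view) + '\\s*=(?!=)');
      if (assign.test(body)) hits.push({ fn: name, view });
    }
  }
  return hits;
}

console.log(findHeapViewAssignments(BAD_MODULE)); // [ { fn: '__f_26', view: '__v_22' } ]
console.log(findHeapViewAssignments(OK_MODULE));  // []
```

Run with `node` and the first call reports the testcase's `__f_26` assigning to `__v_22`, the second reports nothing. The point of the check is where it sits: rejecting the module at validation means the builder never sees a heap view in a position where its variable type cannot be a statement, so the CHECK never has to catch it.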
Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Jun 6 2016
Owner: titzer@chromium.org
Status: Assigned (was: Available)