Fatal error in asm-wasm-builder.cc
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5375014878838784
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: Fatal error
Crash Address:
Crash State: asm-wasm-builder.cc
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97tpxeUJRnNv9DXqNATN5CVLE41a8zwuoB8TZJNfvC5xtoNwMCsVmtn1E3S5V8bNK4-Q66wDK6Usc0VPcd3kNHs0nTZkAT50nP-0mtDcfLG5EmHzkvezDjH9gplOghAr0aoTG6t0B1qDRl0JZLac3yjRxULPqFb7zpj2LGUINzHdcRpfvU
Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 20 2016
Aseem, can you try to repro? Thanks!
Jul 11 2016
The issue can be seen in the following code:
    function __f_103(stdlib, __v_34, buffer) {
      "use asm";
      var __v_32 = new stdlib.Int8Array(buffer);
      function __f_20() {
        var __v_29 = 4;
        __v_32[0] = (__v_29 + 1) | 0;
        __v_32[__v_29 >> 65535] = ((__v_32[4294967295]|14) + 1) | 14;
        __v_32[2] = ((__v_32[__v_29 >> 0]|0) + 1) | 0;
        return __v_32[2] | 0;
      }
      return {__f_20: __f_20};
    }
The array access allows for unsigned values (0 - 2^32-1) but the typer is marking them as signed.
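As an added example (not part of the bug report or of V8's code), the plain JavaScript below shows how the asm.js spec classifies the integer literals used in this reproducer, what 4294967295 becomes when a typer reinterprets it as a signed int32, and what ordinary JavaScript does with the two index expressions; `heap` is a constructed stand-in for `buffer`.

```javascript
// Added example: asm.js literal classification and JS index semantics for the
// reproducer above. Range names follow the asm.js spec's literal types.
const TWO_31 = 2 ** 31;
const TWO_32 = 2 ** 32;

// Classify an integer literal the way an asm.js validator would:
// fixnum = [0, 2^31), signed = [-2^31, 0), unsigned = [2^31, 2^32).
function classifyAsmLiteral(n) {
  if (!Number.isInteger(n)) return "double";
  if (n >= 0 && n < TWO_31) return "fixnum";
  if (n >= -TWO_31 && n < 0) return "signed";
  if (n >= TWO_31 && n < TWO_32) return "unsigned";
  return "out-of-range";
}

// What a typer that treats the literal as a signed int32 would see:
// 4294967295 | 0 === -1, i.e. the unsigned index collapses to a negative one.
function asSignedInt32(n) {
  return n | 0;
}

// What the two index expressions from the reproducer actually produce in
// plain JavaScript: a shift count is masked to 5 bits (65535 & 31 === 31,
// so 4 >> 65535 === 0), and a typed-array read at an index outside
// [0, length) yields undefined rather than a memory access.
function evaluateReproducerIndices() {
  const heap = new Int8Array(8);          // constructed stand-in for `buffer`
  const v29 = 4;
  heap[0] = (v29 + 1) | 0;                // 5
  const shiftedIndex = v29 >> 65535;      // 0
  const bigIndexRead = heap[4294967295];  // undefined
  heap[shiftedIndex] = ((bigIndexRead | 14) + 1) | 14;   // heap[0] = 15
  heap[2] = ((heap[v29 >> 0] | 0) + 1) | 0;             // heap[2] = 1
  return { shiftedIndex, bigIndexRead, heap0: heap[0], heap2: heap[2] };
}
```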
Jul 12 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Jun 9 2016
Owner: titzer@chromium.org
Status: Assigned (was: Available)