Use-of-uninitialized-value in long v8::internal::Simulator::AddWithCarry<long>
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5394722806038528

Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  long v8::internal::Simulator::AddWithCarry<long>
  void v8::internal::Simulator::AddSubHelper<long>
  v8::internal::Simulator::CallVoid

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=384282:384380

Minimized Testcase (0.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96vV1X4MtRKYM3Cr-bKsw7LeatMY3zkCSLsuxLN1fq3SEkeBf-FlvUv-sDkejKr46PO9wv2zyG-F4HTZXaIcyvr9I-xxEH6OyjmQn09vp6F7sL5aLOf84KssA8yfOSkArElOEIRiopk1usbG03H2JCQJFzDVg

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 12 2016

Jun 13 2016
Bisects to:

commit f2a585935fa070d2b4fb78389045d4df5253dd96
Author: mlippautz <mlippautz@chromium.org>
Date:   Thu Mar 31 00:54:23 2016 -0700

    Remove usages of Heap::NewSpaceStart and its external reference

    Replace the uses with proper page flag lookups.

    BUG=chromium:581412
    LOG=N
    TEST=mjsunit/allocation-site-info

    Review URL: https://codereview.chromium.org/1845463003

    Cr-Commit-Position: refs/heads/master@{#35153}
Jun 13 2016

Jun 13 2016

Jun 14 2016

Jun 14 2016
Alright, the bug is that we don't properly compare against new space top on platforms that don't resolve the indirection of external references automatically. The platforms are: arm, arm64, mips, mips64. Fix is on the way.
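To make the comment above concrete, here is an added C model (not V8's macro-assembler code) of the mistake it describes: generated code holds an external reference, i.e. the address of the slot where the heap keeps new-space top, and must load through it before comparing an object address against top. The machine memory, slot index and addresses below are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model: a tiny machine memory in which the heap's new-space top
 * value lives at a fixed word slot. The ExternalReference that generated code
 * embeds is the address of that slot, never the top value itself. */
enum { MEM_WORDS = 16, NEW_SPACE_TOP_SLOT = 5 };
typedef struct { uintptr_t mem[MEM_WORDS]; } Machine;

/* What the external reference encodes: the address of the slot. */
static uintptr_t new_space_top_ref(void) {
    return NEW_SPACE_TOP_SLOT * sizeof(uintptr_t);
}

/* The indirection step: load the word the reference points at. */
static uintptr_t load_word(const Machine *m, uintptr_t addr) {
    return m->mem[addr / sizeof(uintptr_t)];
}

/* Correct check: dereference the reference first (the extra ldr/ld that
 * arm, arm64, mips and mips64 do not get for free), then compare. */
static bool below_top_resolved(const Machine *m, uintptr_t obj) {
    uintptr_t top = load_word(m, new_space_top_ref());
    return obj < top;
}

/* Buggy model: the compare operand is the reference address itself, so the
 * result no longer depends on the heap state at all. */
static bool below_top_unresolved(const Machine *m, uintptr_t obj) {
    (void)m;  /* memory is never consulted; that is the bug */
    return obj < new_space_top_ref();
}

static Machine make_machine(uintptr_t top) {
    Machine m;
    memset(&m, 0, sizeof m);
    m.mem[NEW_SPACE_TOP_SLOT] = top;
    return m;
}

/* Entry points: set new-space top to `top`, then ask each variant whether
 * `obj` is below it. Only the resolved variant tracks the heap. */
bool resolved_says_below_top(uintptr_t top, uintptr_t obj) {
    Machine m = make_machine(top);
    return below_top_resolved(&m, obj);
}
bool unresolved_says_below_top(uintptr_t top, uintptr_t obj) {
    Machine m = make_machine(top);
    return below_top_unresolved(&m, obj);
}
```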
Jun 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/d6473f5c14de5f52866b41730807932158fcaffb

commit d6473f5c14de5f52866b41730807932158fcaffb
Author: mlippautz <mlippautz@chromium.org>
Date:   Tue Jun 14 13:49:47 2016

    [Heap] Fix comparing against new space top pointer

    See bug description.

    BUG= chromium:619382
    LOG=N
    R=ulan@chromium.org

    Review-Url: https://codereview.chromium.org/2065063002
    Cr-Commit-Position: refs/heads/master@{#36968}

[modify] https://crrev.com/d6473f5c14de5f52866b41730807932158fcaffb/src/arm/macro-assembler-arm.cc
[modify] https://crrev.com/d6473f5c14de5f52866b41730807932158fcaffb/src/arm64/macro-assembler-arm64.cc
[modify] https://crrev.com/d6473f5c14de5f52866b41730807932158fcaffb/src/mips/macro-assembler-mips.cc
[modify] https://crrev.com/d6473f5c14de5f52866b41730807932158fcaffb/src/mips64/macro-assembler-mips64.cc
[add] https://crrev.com/d6473f5c14de5f52866b41730807932158fcaffb/test/mjsunit/regress/regress-619382.js
Jun 15 2016

Jun 15 2016

Jun 15 2016
Adding Merge-Triage label for tracking purposes. Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone. When your merge is approved by the release manager, please start merging with the higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. - Your friendly ClusterFuzz
Jun 15 2016
ClusterFuzz has detected this issue as fixed in range 399780:399803.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5394722806038528

Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  long v8::internal::Simulator::AddWithCarry<long>
  void v8::internal::Simulator::AddSubHelper<long>
  v8::internal::Simulator::CallVoid

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=384282:384380
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=399780:399803

Minimized Testcase (0.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96vV1X4MtRKYM3Cr-bKsw7LeatMY3zkCSLsuxLN1fq3SEkeBf-FlvUv-sDkejKr46PO9wv2zyG-F4HTZXaIcyvr9I-xxEH6OyjmQn09vp6F7sL5aLOf84KssA8yfOSkArElOEIRiopk1usbG03H2JCQJFzDVg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 16 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b95de0441228b874bd125e9afe18e08b5b02b918

commit b95de0441228b874bd125e9afe18e08b5b02b918
Author: bjaideep <bjaideep@ca.ibm.com>
Date:   Thu Jun 16 06:25:37 2016

    PPC: [Heap] Fix comparing against new space top pointer

    Port d6473f5c14de5f52866b41730807932158fcaffb

    Original commit message:

        See bug description.

    R=mlippautz@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com
    BUG= chromium:619382
    LOG=N

    Review-Url: https://codereview.chromium.org/2066603007
    Cr-Commit-Position: refs/heads/master@{#37023}

[modify] https://crrev.com/b95de0441228b874bd125e9afe18e08b5b02b918/src/ppc/macro-assembler-ppc.cc
Jul 5 2016
How about merging this to M52?
Jul 8 2016

Jul 11 2016
Approving merging to M52.
Jul 12 2016
Hello! Please merge to M52 by 5pm PDT Today (Tuesday 12th) if at all possible. Cheers!
Jul 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/09d164d7c33c3c60f02f0d59ec6fd973a633f415

commit 09d164d7c33c3c60f02f0d59ec6fd973a633f415
Author: mlippautz <mlippautz@chromium.org>
Date:   Wed Jul 13 07:23:11 2016

    Version 5.2.361.42 (cherry-pick)

    Merged d6473f5c14de5f52866b41730807932158fcaffb
    Merged b95de0441228b874bd125e9afe18e08b5b02b918
    Merged a3b6f9bbbed2694f725d74d388600c4ff65861e8

    [Heap] Fix comparing against new space top pointer
    PPC: [Heap] Fix comparing against new space top pointer
    S390: [Heap] Fix comparing against new space top pointer

    BUG= chromium:619382
    LOG=N
    R=ulan@chromium.org
    NOTRY=true
    NOPRESUBMIT=true

    Review-Url: https://codereview.chromium.org/2140133003
    Cr-Commit-Position: refs/branch-heads/5.2@{#48}
    Cr-Branched-From: 2cd36d6d0439ddfbe84cd90e112dced85084ec95-refs/heads/5.2.361@{#1}
    Cr-Branched-From: 3fef34e02388e07d46067c516320f1ff12304c8e-refs/heads/master@{#36332}

[modify] https://crrev.com/09d164d7c33c3c60f02f0d59ec6fd973a633f415/include/v8-version.h
[modify] https://crrev.com/09d164d7c33c3c60f02f0d59ec6fd973a633f415/src/arm/macro-assembler-arm.cc
[modify] https://crrev.com/09d164d7c33c3c60f02f0d59ec6fd973a633f415/src/arm64/macro-assembler-arm64.cc
[modify] https://crrev.com/09d164d7c33c3c60f02f0d59ec6fd973a633f415/src/mips/macro-assembler-mips.cc
[modify] https://crrev.com/09d164d7c33c3c60f02f0d59ec6fd973a633f415/src/mips64/macro-assembler-mips64.cc
[modify] https://crrev.com/09d164d7c33c3c60f02f0d59ec6fd973a633f415/src/ppc/macro-assembler-ppc.cc
[modify] https://crrev.com/09d164d7c33c3c60f02f0d59ec6fd973a633f415/src/s390/macro-assembler-s390.cc
[add] https://crrev.com/09d164d7c33c3c60f02f0d59ec6fd973a633f415/test/mjsunit/regress/regress-619382.js
Jul 14 2016
Per comment #18, this is already merged to M52. Is there anything pending for M52? If not, please remove the Merge-Approved-52 label. Also, does this require a merge to M53? If yes, please request a merge to M53 by applying the Merge-Request-53 label.
Jul 14 2016
Nothing to be done for M53.
Jul 19 2016

Sep 21 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Comment 1 by infe...@chromium.org, Jun 12 2016
Status: Assigned (was: Available)