Issue 620751

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Crash in v8::internal::JSFunction::shared

Project Member Reported by ClusterFuzz, Jun 16 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6296827217575936

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000095b0ee22
Crash State:
  v8::internal::JSFunction::shared
  v8::internal::TranslatedState::MaterializeAt
  v8::internal::TranslatedState::MaterializeObjectAt
  

Minimized Testcase (0.13 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv940cUTnH9B-1mALxEOJbugQymSEmHnaFDvazgB8HY-x5ZoGEoja_YPF0glH4xcaXRNTiLPeHU7NgiKrTmxAV1FCTXvXdMgkLve5NzDoUc1-y0zrfHE_sRZdg9VFLZZU30wFMHioKZYXXxSD_6t-JJNJskvdoQ
var __v_9 = 0;                 // call counter, incremented once per __f_8 frame
function __f_8(x) {
  var __v_8 = arguments;       // arguments object captured into a local and never otherwise used
  __v_9++;
  function __f_9() {
    __f_8();                   // inner closure recurses into the outer function with no arguments
  };
  __f_9();                     // unbounded recursion: runs until the stack overflows
}
__f_8();


Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by est...@chromium.org, Jun 16 2016

Components: Blink>JavaScript
Owner: jarin@chromium.org
Status: Assigned (was: Available)
jarin@, do you think you could please help get this bug to the right person? Thanks!

Comment 2 by sheriffbot@chromium.org, Jun 17 2016

Labels: M-51

Comment 3 by sheriffbot@chromium.org, Jun 17 2016

Labels: Pri-1

Comment 4 by jarin@chromium.org, Jun 17 2016

Cc: jarin@chromium.org
Labels: -Security_Impact-Stable -Security_Severity-High
Owner: mstarzinger@chromium.org
This is a Turbofan escape analysis bug. As we are not shipping escape analysis, I am removing the security labels.
Labels: -Pri-1 Pri-2
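
The repro in the issue description and the diagnosis in comment 4 (an object whose allocation escape analysis removed, which then has to be materialized at deoptimization; the crash state is in TranslatedState::MaterializeAt) suggest how a practitioner would turn the crash into a regression-style check. The following is an added example, not code from this bug, from ClusterFuzz or from V8's test suite. It keeps the repro's shape (an `arguments` object captured into a local, recursion through an inner closure until the stack overflows) but catches the resulting RangeError in every frame and reads the captured object after the unwind, so a fixed engine must both throw RangeError instead of crashing and hand back a correctly materialized arguments object. The names `runRepro`, `outer`, `inner` and `checkRepro` are my own, and the example assumes an engine that reports stack exhaustion as a RangeError, as V8 (d8, Node) does.

```javascript
// Added example (not from the bug or from V8): the repro's shape as a self-checking harness.
// Assumption: the engine signals stack exhaustion with a RangeError, as V8 does.
function runRepro() {
  let calls = 0;          // frames of outer() entered, like __v_9 in the repro
  let deepestArgs = null; // snapshot of the captured arguments object, taken once

  function outer(x) {
    // Like `var __v_8 = arguments;` in the repro: the object is only read in this
    // frame, so the optimizer may eliminate its allocation and has to materialize
    // it on deoptimization, which is where the original crash state lies.
    var captured = arguments;
    calls++;
    function inner() {
      outer(x + 1);       // unbounded recursion through an inner closure
    }
    try {
      inner();
    } catch (e) {
      // The first frame that observes the overflow reads the captured object
      // after the unwind, forcing materialization. If that read itself runs
      // out of stack, the next frame up repeats the attempt.
      if (deepestArgs === null) {
        deepestArgs = { length: captured.length, first: captured[0], depth: x };
      }
      throw e;
    }
  }

  let error = null;
  try {
    outer(0);
  } catch (e) {
    error = e;
  }
  return { calls: calls, error: error, deepestArgs: deepestArgs };
}

// Regression-style check: passes only if the overflow surfaced as a RangeError
// and the materialized arguments object still has the length and element it
// was created with (one argument, equal to the frame's depth).
function checkRepro() {
  var r = runRepro();
  return r.error instanceof RangeError &&
         r.deepestArgs !== null &&
         r.deepestArgs.length === 1 &&
         r.deepestArgs.first === r.deepestArgs.depth &&
         r.deepestArgs.depth < r.calls;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkRepro() ? 'PASS' : 'FAIL');
}
```

The per-frame try/catch is the point of the harness: the original testcase only crashes or does not, whereas reading `captured` after the unwind makes the materialization path produce a value that can be asserted on. Running it under d8 with optimization flags is the same procedure as the reproduction page linked in the report; under Node it simply prints PASS on a fixed build.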

Comment 6 by ClusterFuzz, Jun 17 2016

Labels: Security_Impact-Stable

Comment 7 by est...@chromium.org, Jun 17 2016

Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Impact-Stable Type-Bug
Fixing labels based on comment 4.

Comment 8 by est...@chromium.org, Jun 17 2016

Labels: Security_Impact-None

Comment 9 by ClusterFuzz, Jun 23 2016

ClusterFuzz has detected this issue as fixed in range 37168:37191.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6296827217575936

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000095b0ee22
Crash State:
  v8::internal::JSFunction::shared
  v8::internal::TranslatedState::MaterializeAt
  v8::internal::TranslatedState::MaterializeObjectAt
  
Fixed: V8: r37168:37191

Minimized Testcase (0.13 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv940cUTnH9B-1mALxEOJbugQymSEmHnaFDvazgB8HY-x5ZoGEoja_YPF0glH4xcaXRNTiLPeHU7NgiKrTmxAV1FCTXvXdMgkLve5NzDoUc1-y0zrfHE_sRZdg9VFLZZU30wFMHioKZYXXxSD_6t-JJNJskvdoQ?testcase_id=6296827217575936
var __v_9 = 0;
function __f_8(x) {
  var __v_8 = arguments;
  __v_9++;
  function __f_9() {
    __f_8();
  };
  __f_9();
}
__f_8();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by ClusterFuzz, Jun 23 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
