Use-of-uninitialized-value in v8::internal::LookupIterator::Delete
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6621787966406656
Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::LookupIterator::Delete
  v8::internal::JSReceiver::DeleteProperty
  v8::internal::DeleteProperty
Recommended Security Severity: Medium
Minimized Testcase (7.60 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96h4gia-atE1RXNmkdscxqBbC8luD54DOkpiVnUVPmvrEClZ_GwKrWDA1d1mBdvpUGB3nwSskkM7SCFm-eZb2aNzj8r4b4aJEOsbWd_Oo_enEXPm05sAXRbcZo-VuohmJTlnUFsJWrz45BqQZhKhhfQQVWjqQ
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jun 17 2016
Jun 17 2016
Jun 18 2016
Jun 18 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 18 2016
Jun 21 2016
Crashes as out/x64.debug/d8 --random-seed=-1023152996 --allow-natives-syntax fuzz-03183.js
Probably just heap corruption due to --turbo-escape (which doesn't ship yet, afaik).
Jun 23 2016
M53 is branching soon and will be promoted to Beta in July. Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix ASAP. Thank you.
Jun 24 2016
This is not a security issue - we are not shipping escape analysis.
Jun 24 2016
Jun 27 2016
Agree with comments #7 and #9. Same underlying problem as issue 613923, and it produces the same assert in debug mode.
Jul 5 2016
ClusterFuzz has detected this issue as fixed in range 403457:403659.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6621787966406656
Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::LookupIterator::Delete
  v8::internal::JSReceiver::DeleteProperty
  v8::internal::DeleteProperty
Recommended Security Severity: Medium
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=403457:403659
Minimized Testcase (7.60 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96h4gia-atE1RXNmkdscxqBbC8luD54DOkpiVnUVPmvrEClZ_GwKrWDA1d1mBdvpUGB3nwSskkM7SCFm-eZb2aNzj8r4b4aJEOsbWd_Oo_enEXPm05sAXRbcZo-VuohmJTlnUFsJWrz45BqQZhKhhfQQVWjqQ?testcase_id=6621787966406656
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 5 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 6 2016
Oct 12 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Jun 17 2016