Crash in v8::internal::JavaScriptFrame::unchecked_code |
||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5955741618012160 Fuzzer: mbarbella_js_mutation Job Type: windows_asan_d8 Platform Id: windows Crash Type: UNKNOWN READ Crash Address: 0x0000001b Crash State: v8::internal::JavaScriptFrame::unchecked_code v8::internal::MarkCompactCollector::PrepareThreadForCodeFlushing v8::internal::MarkCompactCollector::PrepareForCodeFlushing Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=400445:400462 Minimized Testcase (0.17 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97El39mvws-gTWR4u-oitKcZEImFphaln8xI7WYlGzYHaNj_LV893xUQ1XXlgy0pP1BdLR5TpuaTj1E6okg4G_Svok4nw8xXK9ejapGcZjFpMQpe29YT67BRQrA6MweARolOhPHGvJ8O3BFwuWIPrs9PMCzxQ?testcase_id=5955741618012160 var __v_3 = {}; function __f_4( value) { __v_3.valueOf = function() { gc(); return value; } return __v_3; } Math.min(__f_4(), __f_4(), __f_4(2, 1, [])); Filer: msrchandra See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 21 2016
Reproduces on ia32.
,
Jun 21 2016
,
Jun 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6bd37e3f20651cc4ff780e09518ae2a408b509dc commit 6bd37e3f20651cc4ff780e09518ae2a408b509dc Author: jgruber <jgruber@chromium.org> Date: Wed Jun 22 09:18:29 2016 [builtins] Fix clobbered reg in Math.{Max,Min} edi is expected to contain the JS function. Ensure that it is not overwritten. BUG= chromium:621431 , chromium:621550 , chromium:621217 R=bmeurer@chromium.org Review-Url: https://codereview.chromium.org/2085043004 Cr-Commit-Position: refs/heads/master@{#37173} [modify] https://crrev.com/6bd37e3f20651cc4ff780e09518ae2a408b509dc/src/ia32/builtins-ia32.cc
,
Jun 22 2016
,
Jun 23 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5955741618012160 Fuzzer: mbarbella_js_mutation Job Type: windows_asan_d8 Platform Id: windows Crash Type: UNKNOWN READ Crash Address: 0x0000001b Crash State: v8::internal::JavaScriptFrame::unchecked_code v8::internal::MarkCompactCollector::PrepareThreadForCodeFlushing v8::internal::MarkCompactCollector::PrepareForCodeFlushing Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=400445:400462 Minimized Testcase (0.17 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97El39mvws-gTWR4u-oitKcZEImFphaln8xI7WYlGzYHaNj_LV893xUQ1XXlgy0pP1BdLR5TpuaTj1E6okg4G_Svok4nw8xXK9ejapGcZjFpMQpe29YT67BRQrA6MweARolOhPHGvJ8O3BFwuWIPrs9PMCzxQ?testcase_id=5955741618012160 var __v_3 = {}; function __f_4( value) { __v_3.valueOf = function() { gc(); return value; } return __v_3; } Math.min(__f_4(), __f_4(), __f_4(2, 1, [])); See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 23 2016
Issue 622704 has been merged into this issue.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||
►
Sign in to add a comment |
||||
Comment 1 by ishell@chromium.org
, Jun 21 2016Owner: jgruber@chromium.org
Status: Assigned (was: Available)