
Issue 621525


Issue metadata

Status: Duplicate
Merged: issue 622191
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Fatal error in v8::Isolate::Disposefuzzer::Fuzzer::CrashCallback (Crash from v8::internal::Parser::PatternRewriter::CreateTempVar)

Project Member Reported by ClusterFuzz, Jun 20 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4726356286111744

Fuzzer: libfuzzer_v8_script_parser_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Fatal error
Crash Address: 
Crash State:
  v8::Isolate::Disposefuzzer::Fuzzer::CrashCallback
  fuzzer::Fuzzer::StaticCrashSignalCallback
  SignalHandler
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=399325:399365

Minimized Testcase (0.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95TQGpsIrn5eJ269EX5z43Exh5CfO7UlqIitubjODOtpyMdxU4t1E599Rhvwv2yYyXR-z5nNGUrk6QPnvfdDXsmev9B_eaPEF-me6_v0BsKv7KiScN9KnGD2cv2GrnYQtwfXScemA-QQre58cMSlQvo65yUjw?testcase_id=4726356286111744

Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 

Comment 1 by mmoroz@chromium.org, Jun 20 2016

Cc: mmoroz@chromium.org kcc@chromium.org aizatsky@chromium.org
Components: Blink>JavaScript
Owner: jochen@chromium.org
Summary: Fatal error in v8::Isolate::Disposefuzzer::Fuzzer::CrashCallback (Crash from v8::internal::Parser::PatternRewriter::CreateTempVar) (was: Fatal error in v8::Isolate::Disposefuzzer::Fuzzer::CrashCallback)
jochen@, who is the best owner to triage crashes of this sort?

Looks like null-deref, the fuzzer built with ASan crashes with SEGV on 0x000000000034: https://paste.googleplex.com/6637692120989696


Comment 2 by jochen@chromium.org, Jun 20 2016

Cc: jochen@chromium.org
Owner: vogelheim@chromium.org
vogelheim@ is a good PoC for these

Comment 3 by ishell@chromium.org, Jun 21 2016

Cc: vogelheim@chromium.org
Owner: ishell@chromium.org
Status: Assigned (was: Available)
Bisecting...

Comment 4 by ishell@chromium.org, Jun 22 2016

Mergedinto: 622191
Status: Duplicate (was: Assigned)

Project Member Comment 5 by ClusterFuzz, Jun 22 2016

ClusterFuzz has detected this issue as fixed in range 401156:401244.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4726356286111744

Fuzzer: libfuzzer_v8_script_parser_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: Fatal error
Crash Address: 
Crash State:
  v8::Isolate::Disposefuzzer::Fuzzer::CrashCallback
  fuzzer::Fuzzer::StaticCrashSignalCallback
  SignalHandler
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=399325:399365
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=401156:401244

Minimized Testcase (0.33 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95QZs7HaSmpp_LKPhEDjPyc1PUQ0BGUE26fPLnMbIiqmD_yaCmQV0ZM1wAhgMAHjd5u2kC-X6azUU8z0UbEDSEb0VqAtd38c8-3D6w3F7fmbL-bWAkL8aTvdhxMKMR1B-cCrnno0EkhqRuQjrJ6lUg6ZZ0G2A?testcase_id=4726356286111744

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
