Issue metadata
Sign in to add a comment
|
Crash in v8::internal::StackTraceFrameIterator::Advance |
||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6149710461272064 Fuzzer: v8_builtins_generator Job Type: windows_asan_d8 Platform Id: windows Crash Type: UNKNOWN READ Crash Address: 0xffffffff Crash State: v8::internal::StackTraceFrameIterator::Advance v8::internal::StackTraceFrameIterator::StackTraceFrameIterator v8::internal::Isolate::ComputeLocation Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=400574:400576 Minimized Testcase (0.15 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97Mndjt2nJYmbAg1yL_G811H9H-kB-ylTOVVUX48KjA7gkchy8A_Uog3uAwm1g3dNnRopwC4eg8thKzxToRBTibq8cvVMjgNcUjImGiQUJiZjFi5352xU1VLGwT1bLx3P3NI8RdvS-hZ15zjz6M3z2j8MQDyQ?testcase_id=6149710461272064 v7 = new URIError(); v13 = new Int32Array(); URIError.prototype.__defineGetter__("name", function() { return v7; }) v75 = Math.min(v13, v13, v7); Filer: mmoroz See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 20 2016
,
Jun 20 2016
,
Jun 21 2016
Same as issue 621431 but here it is the StackTraceFrameIterator::IsValidFrame() who queries a JSFunction from a BUILTIN frame.
,
Jun 21 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6bd37e3f20651cc4ff780e09518ae2a408b509dc commit 6bd37e3f20651cc4ff780e09518ae2a408b509dc Author: jgruber <jgruber@chromium.org> Date: Wed Jun 22 09:18:29 2016 [builtins] Fix clobbered reg in Math.{Max,Min} edi is expected to contain the JS function. Ensure that it is not overwritten. BUG= chromium:621431 , chromium:621550 , chromium:621217 R=bmeurer@chromium.org Review-Url: https://codereview.chromium.org/2085043004 Cr-Commit-Position: refs/heads/master@{#37173} [modify] https://crrev.com/6bd37e3f20651cc4ff780e09518ae2a408b509dc/src/ia32/builtins-ia32.cc
,
Jun 22 2016
,
Jun 22 2016
,
Jun 22 2016
,
Jun 23 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6149710461272064 Fuzzer: v8_builtins_generator Job Type: windows_asan_d8 Platform Id: windows Crash Type: UNKNOWN READ Crash Address: 0xffffffff Crash State: v8::internal::StackTraceFrameIterator::Advance v8::internal::StackTraceFrameIterator::StackTraceFrameIterator v8::internal::Isolate::ComputeLocation Recommended Security Severity: Medium Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=400574:400576 Minimized Testcase (0.15 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97Mndjt2nJYmbAg1yL_G811H9H-kB-ylTOVVUX48KjA7gkchy8A_Uog3uAwm1g3dNnRopwC4eg8thKzxToRBTibq8cvVMjgNcUjImGiQUJiZjFi5352xU1VLGwT1bLx3P3NI8RdvS-hZ15zjz6M3z2j8MQDyQ?testcase_id=6149710461272064 v7 = new URIError(); v13 = new Int32Array(); URIError.prototype.__defineGetter__("name", function() { return v7; }) v75 = Math.min(v13, v13, v7); See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 26 2016
Fix already in M53, removing ReleaseBlock-Beta.
,
Sep 28 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 2 2016
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by mmoroz@chromium.org
, Jun 20 2016Components: Blink>JavaScript>Runtime
Labels: Pri-1