Stack-use-after-return in v8::internal::Runtime_GetProperty
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6323460074897408
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Stack-use-after-return READ 8
Crash Address: 0x7fbdb7673e50
Crash State:
  v8::internal::Runtime_GetProperty
  v8::internal::Invoke
  v8::internal::Execution::Call
Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95YKYVcaLsESdBL-4fKm4HTcknWZ9xoaPwPijbLJKrEnOntxzrcDIKGxpqJdOBZbqYGiXDWqe_Z01ifdVgVdKXJk4Um2ov5svd_XFK5N7dBDpypGbbqswjDIAchEXkFePxlwUOA_uKl7_Dff4pGmxTpp6bOBQ?testcase_id=6323460074897408

  function __f_3() { __f_4(true); }
  __f_3();
  __f_3();
  Object.defineProperty(Boolean.prototype, "v", {get:constructor});
  function __f_4(b) { return b.v; }
  __f_4(true);

Filer: tanin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by ClusterFuzz, Jun 22 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5692437372862464
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Stack-use-after-return READ 8
Crash Address: 0x7fabe5f9ac50
Crash State:
  v8::internal::Runtime_LoadIC_Miss
  v8::internal::Invoke
  v8::internal::Execution::Call
Regressed: V8: r37179:37180
Minimized Testcase (7.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96pJH-dcnxb4qwl5CpRTs2Ceur0eJYFGALLsEOsZWNAaWPK3HVI8FyoyxFHiadPPQf6a8hrr2EQ6MJWSrVi9gDKDww1fafKoIeUu66z1NRDqVLvBxOmUSBoASNCTLxqwQTLi9JJcQexQL1Z0ToIlw7BBBFgLw?testcase_id=5692437372862464
Filer: tanin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment, Jun 22 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6128647404781568
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: Stack-use-after-return READ 8
Crash Address: 0x7f047e361910
Crash State:
  v8::internal::HandleBase::IsDereferenceAllowed
  v8::internal::__RT_impl_Runtime_GetProperty
  v8::internal::Runtime_GetProperty
Regressed: V8: r37179:37180
Minimized Testcase (0.28 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96zcHDnJynZdh8nXiYVIEfSs86_rclMI0vD-W_3DeHX_W8hbrAj9xdhr_TVXgjXck82Y46WJUfqvC8HR_3RKdUi3eG2U1I5jzozfPSaRFWjJyECdPEFGPfaPCRPM1jpbfiKWSvMO44cvN-2o5Cznh90Q7ciFw?testcase_id=6128647404781568

  function __f_6(expected, func) { func(); func(); }
  function __f_2() {
    __f_11(true);
    for (let __v_0 = 0; __v_0 < 2; __v_0++) { __v_2 = __v_0; }
  }
  __f_6(1, __f_2);
  Object.defineProperty(Boolean.prototype, "v", {get:constructor});
  function __f_11(b) { return b.v; }
  __f_11(true);

Filer: tanin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment, Jun 22 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5634426122010624
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: Stack-use-after-return READ 4
Crash Address: 0xf5e47878
Crash State:
  v8::internal::HandleBase::IsDereferenceAllowed
  v8::internal::__RT_impl_Runtime_GetProperty
  v8::internal::Runtime_GetProperty
Minimized Testcase (0.28 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95b_EWPqFW_KDjnpVlo3cAXX2w3KmgWpab3MlrQp1gA4RMZVg2uN7DJc9hUc_oOdRT04GpStqJ0SRNxqggHW0OFCgIiWq1D2tN0x8kLItcgaTyCqT4pmTimrzJSLGcTQiagHfQcqtXJorH0DOgdz7IXxSxAfQ?testcase_id=5634426122010624

  function __f_8() { __f_11(4); }
  __v_3 = 42, __v_2 = 99;
  function __f_7() { return __v_3 | __f_8() | (__f_8() | __v_3); }
  __f_7();
  function __f_3() { }
  function __f_5() { }
  Object.defineProperty(Number.prototype, "v", {get:constructor});
  function __f_11(b) { return b.v; }
  __f_11(3);

Filer: tanin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comments with no visible body: Jun 22 2016, Jun 23 2016, Jun 23 2016, Jun 23 2016, Jun 24 2016
Comment, Jun 24 2016

ClusterFuzz has detected this issue as fixed in range 37253:37254.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6323460074897408
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Stack-use-after-return READ 8
Crash Address: 0x7fbdb7673e50
Crash State:
  v8::internal::Runtime_GetProperty
  v8::internal::Invoke
  v8::internal::Execution::Call
Regressed: V8: r37179:37180
Fixed: V8: r37253:37254
Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95YKYVcaLsESdBL-4fKm4HTcknWZ9xoaPwPijbLJKrEnOntxzrcDIKGxpqJdOBZbqYGiXDWqe_Z01ifdVgVdKXJk4Um2ov5svd_XFK5N7dBDpypGbbqswjDIAchEXkFePxlwUOA_uKl7_Dff4pGmxTpp6bOBQ?testcase_id=6323460074897408

  function __f_3() { __f_4(true); }
  __f_3();
  __f_3();
  Object.defineProperty(Boolean.prototype, "v", {get:constructor});
  function __f_4(b) { return b.v; }
  __f_4(true);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment, Jun 24 2016

ClusterFuzz has detected this issue as fixed in range 37253:37254.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5634426122010624
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux
Crash Type: Stack-use-after-return READ 4
Crash Address: 0xf5e47878
Crash State:
  v8::internal::HandleBase::IsDereferenceAllowed
  v8::internal::__RT_impl_Runtime_GetProperty
  v8::internal::Runtime_GetProperty
Regressed: V8: r37179:37180
Fixed: V8: r37253:37254
Minimized Testcase (0.28 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95b_EWPqFW_KDjnpVlo3cAXX2w3KmgWpab3MlrQp1gA4RMZVg2uN7DJc9hUc_oOdRT04GpStqJ0SRNxqggHW0OFCgIiWq1D2tN0x8kLItcgaTyCqT4pmTimrzJSLGcTQiagHfQcqtXJorH0DOgdz7IXxSxAfQ?testcase_id=5634426122010624

  function __f_8() { __f_11(4); }
  __v_3 = 42, __v_2 = 99;
  function __f_7() { return __v_3 | __f_8() | (__f_8() | __v_3); }
  __f_7();
  function __f_3() { }
  function __f_5() { }
  Object.defineProperty(Number.prototype, "v", {get:constructor});
  function __f_11(b) { return b.v; }
  __f_11(3);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment, Jun 25 2016

ClusterFuzz has detected this issue as fixed in range 37253:37254.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5692437372862464
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Stack-use-after-return READ 8
Crash Address: 0x7fabe5f9ac50
Crash State:
  v8::internal::Runtime_LoadIC_Miss
  v8::internal::Invoke
  v8::internal::Execution::Call
Regressed: V8: r37179:37180
Fixed: V8: r37253:37254
Minimized Testcase (7.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96pJH-dcnxb4qwl5CpRTs2Ceur0eJYFGALLsEOsZWNAaWPK3HVI8FyoyxFHiadPPQf6a8hrr2EQ6MJWSrVi9gDKDww1fafKoIeUu66z1NRDqVLvBxOmUSBoASNCTLxqwQTLi9JJcQexQL1Z0ToIlw7BBBFgLw?testcase_id=5692437372862464
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment, Jun 25 2016

ClusterFuzz has detected this issue as fixed in range 37253:37254.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6128647404781568
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: Stack-use-after-return READ 8
Crash Address: 0x7f047e361910
Crash State:
  v8::internal::HandleBase::IsDereferenceAllowed
  v8::internal::__RT_impl_Runtime_GetProperty
  v8::internal::Runtime_GetProperty
Regressed: V8: r37179:37180
Fixed: V8: r37253:37254
Minimized Testcase (0.28 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96zcHDnJynZdh8nXiYVIEfSs86_rclMI0vD-W_3DeHX_W8hbrAj9xdhr_TVXgjXck82Y46WJUfqvC8HR_3RKdUi3eG2U1I5jzozfPSaRFWjJyECdPEFGPfaPCRPM1jpbfiKWSvMO44cvN-2o5Cznh90Q7ciFw?testcase_id=6128647404781568

  function __f_6(expected, func) { func(); func(); }
  function __f_2() {
    __f_11(true);
    for (let __v_0 = 0; __v_0 < 2; __v_0++) { __v_2 = __v_0; }
  }
  __f_6(1, __f_2);
  Object.defineProperty(Boolean.prototype, "v", {get:constructor});
  function __f_11(b) { return b.v; }
  __f_11(true);

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment, Jun 25 2016

ClusterFuzz has detected this issue as fixed in range 37253:37254.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6041786657275904
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Stack-use-after-return READ 8
Crash Address: 0x7f126cbb0050
Crash State:
  v8::internal::Runtime_KeyedLoadIC_Miss
  v8::internal::Invoke
  v8::internal::Execution::Call
Regressed: V8: r37179:37180
Fixed: V8: r37253:37254
Minimized Testcase (6.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95hx2K-0osDamcLS0tnWRZC12VNibJlsXct0PT-aEi6phUbNhVbQZrAtNK2cgJnA3DPUgkxxyIhm5clkb7Ka4-6huZvJFDMLhDpsS_b0xqEduDRqojQ_TC-qbfPVXYI6otoNKYi7HajiXJ-0M-oHy5Yjuo03w?testcase_id=6041786657275904
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot