Use-of-uninitialized-value in v8::internal::Factory::NewNumber
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5559407740190720
Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::Factory::NewNumber
  v8::Number::New
  blink::DeviceMotionEventV8Internal::intervalAttributeGetterCallback
Recommended Security Severity: Medium
Minimized Testcase (7.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv952xGcInyq22c_lQ1GFQHTWeBBeUvGxOoC3sMF1p7wxa4j8LbkNFZ9X4Iw4iHLqbJOEqVnlgUfPUHKA0uQqHRJ3ObCxLrN2TZimY58mUuyXWq_f_5LBwEmZ07wFtZqFLCa7Fj4OFVEcMFJEheqTa35bNSRImg?testcase_id=5559407740190720
Additional requirements: Requires HTTP
Filer: tanin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 25 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5559407740190720
Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::Factory::NewNumber
  v8::Number::New
  blink::DeviceMotionEventV8Internal::intervalAttributeGetterCallback
Recommended Security Severity: Medium
Minimized Testcase (7.40 Kb): https://cluster-fuzz.appspot.com/download/AMIfv952xGcInyq22c_lQ1GFQHTWeBBeUvGxOoC3sMF1p7wxa4j8LbkNFZ9X4Iw4iHLqbJOEqVnlgUfPUHKA0uQqHRJ3ObCxLrN2TZimY58mUuyXWq_f_5LBwEmZ07wFtZqFLCa7Fj4OFVEcMFJEheqTa35bNSRImg?testcase_id=5559407740190720
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 27 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 28 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4868857328304128
Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::Factory::NewNumber
  v8::Number::New
  blink::DeviceMotionEventV8Internal::intervalAttributeGetterCallback
Recommended Security Severity: Medium
Minimized Testcase (7.33 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95JeQNc-KUCfS-4WezH7Uuhf2QK9_WOkCCIDETiSDhIuLFL0hFxXfw35t4_wy7qMKB15XhZlQ3XVsEnlWtS4p1BW6wto_DWTHmB2v1QENwh8ids40T3wJ55qY-4fprJbATv1FUKTQtM-H8A-dXQjWkI2gcqxw?testcase_id=4868857328304128
Additional requirements: Requires HTTP
Filer: tanin
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 28 2016
M53 is branching this week and will be promoted to Beta in July. Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix ASAP. Thank you.
Jun 29 2016
I think I fixed the culprit in https://codereview.chromium.org/2105683006 but I cannot reproduce the problem with a local build to test it.
Jun 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/db0811fe5f1cd6f0f4fedc8ca282e33dd2c6de24

commit db0811fe5f1cd6f0f4fedc8ca282e33dd2c6de24
Author: ahaas <ahaas@chromium.org>
Date: Wed Jun 29 11:58:13 2016

Remove DoubleRepresentation from globals.h

The implementation of DoubleRepresentation was based on undefined behavior, and it can be replaced by bit_casts.

BUG= chromium:623168
R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2105683006
Cr-Commit-Position: refs/heads/master@{#37390}

[modify] https://crrev.com/db0811fe5f1cd6f0f4fedc8ca282e33dd2c6de24/src/arm/macro-assembler-arm.cc
[modify] https://crrev.com/db0811fe5f1cd6f0f4fedc8ca282e33dd2c6de24/src/conversions.h
[modify] https://crrev.com/db0811fe5f1cd6f0f4fedc8ca282e33dd2c6de24/src/factory.cc
[modify] https://crrev.com/db0811fe5f1cd6f0f4fedc8ca282e33dd2c6de24/src/globals.h
[modify] https://crrev.com/db0811fe5f1cd6f0f4fedc8ca282e33dd2c6de24/src/mips/macro-assembler-mips.cc
[modify] https://crrev.com/db0811fe5f1cd6f0f4fedc8ca282e33dd2c6de24/src/mips64/macro-assembler-mips64.cc
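The V8 commit above replaces a union-based DoubleRepresentation with bit_casts. As an added illustration, not V8's code and not part of the bug thread, the block below contrasts the union type-punning pattern with a memcpy-based bit_cast, and shows why a number factory has to compare bit patterns rather than double values when it decides what to do with -0.0 and NaN. The names bit_cast, PunnedDouble, double_bits, from_bits, same_bits, is_negative_zero and is_plain_integer are this example's own, and the union body is a schematic of the pattern, not the exact code that was removed.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <type_traits>

// Defined bit reinterpretation: memcpy between two trivially copyable objects
// of equal size. Optimizing compilers fold this to a plain register move, so it
// costs nothing over the union trick while staying inside the language rules.
// (Illustrative helper written for this example, not V8's own bit_cast.)
template <typename To, typename From>
To bit_cast(const From& from) {
  static_assert(sizeof(To) == sizeof(From), "bit_cast requires equal sizes");
  static_assert(std::is_trivially_copyable<From>::value, "From must be trivially copyable");
  static_assert(std::is_trivially_copyable<To>::value, "To must be trivially copyable");
  To to;
  std::memcpy(&to, &from, sizeof(To));
  return to;
}

// The pattern the commit removes, in schematic form: write one union member,
// read another. Standard C++ leaves the result undefined (only the last-written
// member is active), even though common compilers tolerate it as an extension.
union PunnedDouble {
  double value;
  uint64_t bits;
};

uint64_t double_bits_punned(double d) {
  PunnedDouble u;
  u.value = d;
  return u.bits;  // undefined behavior in standard C++; kept only for contrast
}

// Defined replacements for the two directions of the conversion.
uint64_t double_bits(double d) { return bit_cast<uint64_t>(d); }
double from_bits(uint64_t b) { return bit_cast<double>(b); }

// Bit-pattern equality. operator== on doubles says -0.0 == 0.0 and NaN != NaN,
// so code that must tell those apart (a factory deciding whether a double can
// be stored as an integer, or a cache deduplicating number objects) compares
// the raw bits instead.
bool same_bits(double a, double b) { return double_bits(a) == double_bits(b); }
bool is_negative_zero(double d) { return double_bits(d) == 0x8000000000000000ULL; }

// A double may be stored as a plain integer only if it is finite, integral and
// not -0.0 (whose sign an integer cannot carry). Range checking is left to the
// caller; this is the sign/NaN/infinity part that needs the bit view.
bool is_plain_integer(double d) {
  if (std::isnan(d) || std::isinf(d) || is_negative_zero(d)) return false;
  return std::floor(d) == d;
}
```

The union variant is left in only to show what the change replaces; do not call it in new code. With the memcpy form, MemorySanitizer still reports an uninitialized source double at the point it is copied, which is the behaviour the ClusterFuzz reports on this bug rely on.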
Jul 6 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4868857328304128
Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::Factory::NewNumber
  v8::Number::New
  blink::DeviceMotionEventV8Internal::intervalAttributeGetterCallback
Recommended Security Severity: Medium
Minimized Testcase (7.33 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95JeQNc-KUCfS-4WezH7Uuhf2QK9_WOkCCIDETiSDhIuLFL0hFxXfw35t4_wy7qMKB15XhZlQ3XVsEnlWtS4p1BW6wto_DWTHmB2v1QENwh8ids40T3wJ55qY-4fprJbATv1FUKTQtM-H8A-dXQjWkI2gcqxw?testcase_id=4868857328304128
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 12 2016
Temporarily re-opening to attach another CF report.
Jul 12 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4612768003260416
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::Factory::NewNumber
  v8::Number::New
  blink::DeviceMotionEventV8Internal::intervalAttributeGetterCallback
Recommended Security Severity: Medium
Minimized Testcase (7.43 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94zHDA7COcsmwP7k5WghDaW_m2qflnbX3TMrn5Doh3QJj5gZobL3z2qddJ4a0rwbO_Xgmaf4LVNYrMr2byAvG2xOeXITXcVfhYfSD6geuoWpFJ-uOz6gGOVL1SQJly8UaNTObLt_DdHJcNI-kUj_mFYyiBaPg?testcase_id=4612768003260416
Additional requirements: Requires HTTP
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 13 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/fb093a52259d93bc5efd77776927afc18ac57277

commit fb093a52259d93bc5efd77776927afc18ac57277
Author: jochen <jochen@chromium.org>
Date: Wed Jul 13 10:42:02 2016

Initialize all parameters for MockDeviceMotion interface

BUG= 623168
R=mkwst@chromium.org

Review-Url: https://codereview.chromium.org/2145873003
Cr-Commit-Position: refs/heads/master@{#405115}

[modify] https://crrev.com/fb093a52259d93bc5efd77776927afc18ac57277/components/test_runner/test_runner.cc
Jul 14 2016
ClusterFuzz has detected this issue as fixed in range 405102:405116.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4612768003260416
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::Factory::NewNumber
  v8::Number::New
  blink::DeviceMotionEventV8Internal::intervalAttributeGetterCallback
Recommended Security Severity: Medium
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=405102:405116
Minimized Testcase (7.43 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94zHDA7COcsmwP7k5WghDaW_m2qflnbX3TMrn5Doh3QJj5gZobL3z2qddJ4a0rwbO_Xgmaf4LVNYrMr2byAvG2xOeXITXcVfhYfSD6geuoWpFJ-uOz6gGOVL1SQJly8UaNTObLt_DdHJcNI-kUj_mFYyiBaPg?testcase_id=4612768003260416
Additional requirements: Requires HTTP
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 26 2016
Your change meets the bar and is auto-approved for M53 (branch: 2785)
Jul 26 2016
Actually, I don't think we need the merge. The main fix from #12 is in M53, and the commit in #21 is limited to test_runner. Mind confirming that +jochen@
Jul 27 2016
Correct, this was a test-only issue.
Jul 27 2016
Please try to merge your change to M53 branch 2785 ASAP, latest by 5:00 PM PDT today (the sooner the better, to avoid compile failures and merge conflicts), so we can take it for tomorrow's M53 beta promotion. Thank you.
Jul 27 2016
If no merge is needed to M53 branch 2785, please remove the "Hotlist-Merge-Approved" and "Merge-Approved-53" labels. Thank you.
Oct 19 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Jun 25 2016
Labels: -Unreproducible Security_Impact-Head
Owner: ahaas@chromium.org
Status: Assigned (was: Available)