Issue metadata
Crash in v8::internal::__RT_impl_Runtime_NewArray
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4728542302830592
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0xbeeddeac
Crash State:
    v8::internal::__RT_impl_Runtime_NewArray
    v8::internal::Runtime_NewArray
    v8::internal::Simulator::SoftwareInterrupt
Recommended Security Severity: Medium
Regressed: V8: r37476:37477

Minimized Testcase (0.43 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv974-xgzzNkis9FAJOLy4ZLfW641GYUKrLlmLAcHUbyUOSypniE142_GAnZtJaX8KTIWPSJN2Rt2IvMqhgd5QcbS8Dz21T1h_vavLFqIAQ-zXVB0pgsBZFK3hTU5EOUNegleY5dmbDy9ywjViE0QlisX2PZwrg?testcase_id=4728542302830592

    try { } catch(e) {; }
    __v_8 = 0;
    // Every call path ends in new Array(frontPaddingNum), i.e. Runtime_NewArray.
    function __f_12( array, frontPaddingNum, littleEndian, start, length) { var __v_11 = new Array(frontPaddingNum); }
    // First call: frontPaddingNum is 0.
    function __f_20( array, start, length) { __f_12(array, 0); }
    // Second call: frontPaddingNum is undefined.
    function __f_18(isTestingGet, func, array, start, expected) { __f_12(); }
    function __f_17(isTestingGet, start) { __f_18(isTestingGet, "Float64", isTestingGet ? [] : __v_6, start, -6213576.4839); }
    __f_20();
    __f_17(true);

Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 4 2016
ClusterFuzz has detected this issue as fixed in range 37498:37499.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4728542302830592
Fixed: V8: r37498:37499

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 10 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, Jul 4 2016
Status: Duplicate (was: Available)