Issue 625966 link

Starred by 1 user

Issue metadata

Status:	WontFix
Owner:	jarin@chromium.org
Closed:	Dec 2016
Cc:	bmeu...@chromium.org jarin@chromium.org
Components:	Blink>JavaScript>Compiler
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Stability-Crash Reproducible Clusterfuzz

InputCountField::is_valid(input_count) in instruction.h

Project Member Reported by ClusterFuzz, Jul 6 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5996304442589184

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  InputCountField::is_valid(input_count) in instruction.h
  

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Np8xO8ld1q2Hfx6YnAc6H1uusIrN04WMNxAaGah_K-9KoRMP-7hY79Qaq5gSE2P39wDH-KUDhQPF9kFjHCCUKK6zkOoou-ksujv_lmPiHunNxdMR_1PFCWeJ9vcM8H_pmU8ZIsy2QtbH5OO8X30cFKpBfIA?testcase_id=5996304442589184
"use strict";
var __v_1 = {};
__v_1 = "";
for (var __v_0 = 0; __v_0 < 65535; __v_0++) {
  __v_1 += ("var a" + __v_0 + ";");
} eval(__v_1); 


Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mstarzinger@chromium.org, Jul 6 2016

Cc: bmeu...@chromium.org jarin@chromium.org
Components: Blink>JavaScript>Compiler

Comment 2 by ishell@chromium.org, Jul 25 2016

Labels: -ClusterFuzz Clusterfuzz
Owner: jarin@chromium.org
Status: Assigned (was: Available)

Project Member

Comment 3 by bugdroid1@chromium.org, Oct 5 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a974970cffae3380c2b96cc5fc6210bd5826871c

commit a974970cffae3380c2b96cc5fc6210bd5826871c
Author: jarin <jarin@chromium.org>
Date: Wed Oct 05 05:43:21 2016

[turbofan] Check instruction input/output count limits in instruction selector.

BUG= chromium:625966 

Review-Url: https://codereview.chromium.org/2390303002
Cr-Commit-Position: refs/heads/master@{#39970}

[modify] https://crrev.com/a974970cffae3380c2b96cc5fc6210bd5826871c/src/compiler/instruction-selector.cc
[modify] https://crrev.com/a974970cffae3380c2b96cc5fc6210bd5826871c/src/compiler/instruction-selector.h
[modify] https://crrev.com/a974970cffae3380c2b96cc5fc6210bd5826871c/src/compiler/instruction.h
[modify] https://crrev.com/a974970cffae3380c2b96cc5fc6210bd5826871c/src/compiler/pipeline.cc
[add] https://crrev.com/a974970cffae3380c2b96cc5fc6210bd5826871c/test/mjsunit/compiler/regress-625966.js

Project Member

Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member

Comment 5 by ClusterFuzz, Dec 22 2016

Status: WontFix (was: Assigned)

ClusterFuzz testcase 5996304442589184 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

►

Issue 625966 link

Issue metadata

InputCountField::is_valid(input_count) in instruction.h

Issue description

Comment 1 by mstarzinger@chromium.org, Jul 6 2016

Comment 1 Deleted

Comment 2 by ishell@chromium.org, Jul 25 2016

Comment 2 Deleted

Comment 3 by bugdroid1@chromium.org, Oct 5 2016

Comment 3 Deleted

Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Comment 4 Deleted

Comment 5 by ClusterFuzz, Dec 22 2016

Comment 5 Deleted

Sign in to add a comment