i == case_count - 1 in asm-wasm-builder.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5562693855739904

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: i == case_count - 1 in asm-wasm-builder.cc
Regressed: V8: r37728:37729

Minimized Testcase (0.37 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97FrvnO9tTWys58HdP-zoOmA6wDI0i0z8sB_6U5ts4cey7L3szzzxy_ZhfAY65gz3Hr_O7WFH7zyIUQSY8Q8dYs8bTEIXVPnvwY1A6DEBiFRVfCRUzKinKtjn_NF3KEG-fFygyjQEYn9p6L-KPazlH_weMGvg?testcase_id=5562693855739904

(function __f_4() { })();
(function __f_5() {
  function __f_6() {
    "use asm"
    function __f_8() {
      var __v_9 = 17;
      var __v_5 = 0;
      switch (__v_9|0) {
        default: __v_5 = (__v_5 + 1)|0;
        case 4: break;
      }
    }
    return {__f_8:__f_8};
  }
  var __v_6 = Wasm.instantiateModuleFromAsm(__f_6.toString());
  switch (__v_9|0) { }
})();

Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 16 2016
Jul 20 2016
This is a valid error, as asm allows default to only be the last statement. However, the builder catches this only in debug mode (in release this specific test passes, but generally there can be bad code generated). It should be caught by the typer.
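The rule stated above (in asm.js a switch's default clause, if present, must be the last clause), as an added checker that is not V8 code and not part of this bug's fix. It only scans source text for switch/case/default keywords and braces, so it assumes none of those appear inside string literals or comments; the sample input is the reported minimized testcase (trimmed to the module) beside a corrected variant.

```javascript
// Added example, not V8 code: flags switch statements whose `default:` clause
// is not the last clause. Keyword/brace scan only, so treat it as a triage aid.
const TOKEN_RE = /\bswitch\b|\bcase\b|\bdefault\b|[{}]/g;

// Returns one message per offending switch; an empty array means all are well-formed.
function findMisplacedDefaults(source) {
  const violations = [];
  const frames = [];   // one frame per open switch: { bodyDepth, labels, offset }
  let depth = 0;       // current brace nesting depth
  let pending = null;  // a `switch` whose body `{` has not been seen yet
  for (const m of source.matchAll(TOKEN_RE)) {
    const tok = m[0];
    const top = frames[frames.length - 1];
    if (tok === 'switch') {
      pending = { bodyDepth: -1, labels: [], offset: m.index };
      frames.push(pending);
    } else if (tok === '{') {
      depth++;
      if (pending) { pending.bodyDepth = depth; pending = null; }  // entering the switch body
    } else if (tok === '}') {
      if (top && top.bodyDepth === depth) {        // leaving a switch body: check clause order
        frames.pop();
        const i = top.labels.indexOf('default');
        if (i !== -1 && i !== top.labels.length - 1) {
          violations.push(`switch at offset ${top.offset}: default is clause ${i + 1} of ${top.labels.length}, not last`);
        }
      }
      depth--;
    } else if (top && top.bodyDepth === depth) {   // case/default label directly in a switch body
      top.labels.push(tok);
    }
  }
  return violations;
}

// Constructed inputs: the reported minimized testcase (trimmed) and a corrected variant.
const REPORTED_TESTCASE = `(function __f_5() {
  function __f_6() {
    "use asm"
    function __f_8() {
      var __v_9 = 17; var __v_5 = 0;
      switch (__v_9|0) { default: __v_5 = (__v_5 + 1)|0; case 4: break; }
    }
    return {__f_8:__f_8};
  }
})();`;
const FIXED_TESTCASE = REPORTED_TESTCASE.replace(
  'default: __v_5 = (__v_5 + 1)|0; case 4: break;',
  'case 4: break; default: __v_5 = (__v_5 + 1)|0;');
console.log(findMisplacedDefaults(REPORTED_TESTCASE));  // one violation
console.log(findMisplacedDefaults(FIXED_TESTCASE));     // []
```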
Jul 20 2016
Jul 21 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/6f31bc9ce8d30dcb538097da099502bd976ef36c

commit 6f31bc9ce8d30dcb538097da099502bd976ef36c
Author: jpp <jpp@chromium.org>
Date: Thu Jul 21 19:01:56 2016

[wasm] ASM-2-WASM. Enforces switch default clause appearing last.

BUG= https://bugs.chromium.org/p/chromium/issues/detail?id=628803
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
TEST= cctest/asmjs/test-asm-typer.cc
LOG= N

Review-Url: https://codereview.chromium.org/2172603002
Cr-Commit-Position: refs/heads/master@{#37954}

[modify] https://crrev.com/6f31bc9ce8d30dcb538097da099502bd976ef36c/src/asmjs/asm-typer.cc
[modify] https://crrev.com/6f31bc9ce8d30dcb538097da099502bd976ef36c/test/cctest/asmjs/test-asm-typer.cc
Jul 22 2016
ClusterFuzz has detected this issue as fixed in range 37953:37954.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5562693855739904

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: i == case_count - 1 in asm-wasm-builder.cc
Regressed: V8: r37728:37729
Fixed: V8: r37953:37954

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 22 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 26 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/060d984c94106a375e2eacaa123bc6b5e84a1e8d

commit 060d984c94106a375e2eacaa123bc6b5e84a1e8d
Author: jpp <jpp@chromium.org>
Date: Tue Jul 26 14:03:02 2016

[wasm][asm2wasm] Fixes a bug in 8-bit heap view accesses.

The bug was caused when validating expressions X >> 0 for indexing into 8-bit heap views. If X was not an intish, the 'normal' validation path would fail. That, however, left the type of X registered in the AsmTyper::node_types_ member. Later, in the 'lenient' code path for 8-bit views, the entire X >> 0 expression would be validated, which would cause X to be validated again, at which point AsmTyper::SetTypeOf() would DCHECK because the supplied node already had a type associated with it.

The fix was to simply FAIL() when X is not an intish. This is safe because if X is not an intish, then Validate(>>, !intish, FixNum) will also fail.

BUG= https://bugs.chromium.org/p/chromium/issues/detail?id=628803
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
TEST= cctest/asmjs/test-asm-typer.cc
LOG= N

Review-Url: https://codereview.chromium.org/2181723002
Cr-Commit-Position: refs/heads/master@{#38053}

[modify] https://crrev.com/060d984c94106a375e2eacaa123bc6b5e84a1e8d/src/asmjs/asm-typer.cc
[modify] https://crrev.com/060d984c94106a375e2eacaa123bc6b5e84a1e8d/test/cctest/asmjs/test-asm-typer.cc
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Jul 15 2016
Status: Assigned (was: Available)