node_types_.find(node) == node_types_.end() in asm-typer.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5873697646968832

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  node_types_.find(node) == node_types_.end() in asm-typer.cc

Regressed: V8: r37728:37729

Minimized Testcase (0.54 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv957b00ua5fVmDXul7UnBJcVb7gwzMhFTk7Oh7RwsIpXdUrqYHjbLWJ0L_tt0zfLODpjg5bb5ywCuaTajBuYBmdlezORrHk0zuPIVb8VCqs7hwL_nPOjg4Yx_aNe5FsZrkYGLuEud5KfFLYkvZhTZWHlXnsi4w?testcase_id=5873697646968832

    function __f_22() { }
    function __f_109(stdlib, __v_36, buffer) {
      "use asm";
      var __v_34 = new stdlib.Int32Array(buffer);
      function __f_22() {__v_34[__v_34 >> 2]|0 + 1 | 0; }
    }
    var __v_23 = [ [], [Uint8Array, 'Uint8Array', '>> 0'], [][ '>> 1'], [][ '>> 2']];
    for (var __v_31 = 0; __v_31 < __v_23.length; __v_31++) {
      var __v_5 = __f_109.toString();
      __v_5 = __v_5.replace('Int32Array', __v_23[__v_31][1]);
      __v_5 = __v_5.replace(/>> 2/g, __v_23[__v_31][2]);
      var module = Wasm.instantiateModuleFromAsm(__v_5);
    }
    ( { })();
    ( { })();

Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jul 27 2016
ClusterFuzz has detected this issue as fixed in range 38052:38053.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5873697646968832

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  node_types_.find(node) == node_types_.end() in asm-typer.cc

Regressed: V8: r37728:37729
Fixed: V8: r38052:38053

Minimized Testcase (0.54 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv957b00ua5fVmDXul7UnBJcVb7gwzMhFTk7Oh7RwsIpXdUrqYHjbLWJ0L_tt0zfLODpjg5bb5ywCuaTajBuYBmdlezORrHk0zuPIVb8VCqs7hwL_nPOjg4Yx_aNe5FsZrkYGLuEud5KfFLYkvZhTZWHlXnsi4w?testcase_id=5873697646968832

    function __f_22() { }
    function __f_109(stdlib, __v_36, buffer) {
      "use asm";
      var __v_34 = new stdlib.Int32Array(buffer);
      function __f_22() {__v_34[__v_34 >> 2]|0 + 1 | 0; }
    }
    var __v_23 = [ [], [Uint8Array, 'Uint8Array', '>> 0'], [][ '>> 1'], [][ '>> 2']];
    for (var __v_31 = 0; __v_31 < __v_23.length; __v_31++) {
      var __v_5 = __f_109.toString();
      __v_5 = __v_5.replace('Int32Array', __v_23[__v_31][1]);
      __v_5 = __v_5.replace(/>> 2/g, __v_23[__v_31][2]);
      var module = Wasm.instantiateModuleFromAsm(__v_5);
    }
    ( { })();
    ( { })();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jul 27 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by ishell@chromium.org, Jul 25 2016
Owner: jpp@chromium.org
Status: Assigned (was: Untriaged)