Crash in v8::base::NoBarrier_Load
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5460300350619648

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::base::NoBarrier_Load
  v8::internal::HeapObject::map_word
  v8::internal::HeapObject::map

Regressed: V8: r37974:37975

Minimized Testcase (5.88 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97fEgrvbwmxOeMBWMdCBQzCDJjw6OqxYdk2Ax0yGcPDCXFxAoSuFsrvonitokYny3tv6tUkUdB0vIhmd5eUPs8a_ZuDLKXovSctrA1OS73bLbYZqfBrOYGAyQ2PI-vyBrU9MwHY1CxP8CldM7XzNfRCaVyYNw?testcase_id=5460300350619648

Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 27 2016
Hi Jakob,

This is caused by https://codereview.chromium.org/2158303002 (Begin porting CallSite to C++). We get a shared function info without a script (script is undefined), and don't expect this.

Repro steps:

1) download the minimized test case files to a directory.
2) download the driver files from https://drive.google.com/corp/drive/u/0/folders/0B9vLMqai2n71MWFaU3FUa21JdjQ
3) alter driver-v8.js as explained below.
4) run the following, x64 debug is fine.

/usr/local/google/home/mvstanton/src/v8/out/Debug/d8 --random-seed=6910623 --expose-gc --allow-natives-syntax --debug-code --es-staging --verify-heap --invoke-weak-callbacks --omit-quit mjsunit.js driver-v8.js --code-comments

where driver-v8.js has been altered to:

--------------------------------------
delete os;     // Dangerous
delete Realm;  // Buggy

// The stock driver reads file names from stdin via readline(); here the
// three mutant files that reproduce the crash are hard-coded instead.
var files = [
  "/usr/local/google/home/mvstanton/src/langfuzzer/case1/mutant13366_regress-2570.js",
  "/usr/local/google/home/mvstanton/src/langfuzzer/case1/mutant13370_regress-crbug-610207.js",
  "/usr/local/google/home/mvstanton/src/langfuzzer/case1/mutant13372_regress-crbug-393988.js"
];

for (var i = 0; i < files.length; i++) {
  // var file = readline();
  // if (file == null) { break; }
  var file = files[i];
  if (file == "evaluate") {
    print("Evaluation complete");
  } else if (file == "selftest") {
    print("Self-test passed");
    quit();
  } else {
    // Purely numeric entries are not file names; skip them.
    if (isNaN(file)) {
      loadFile(file);
    }
  }
}

// Load one test file, reporting (but not propagating) any exception it throws.
function loadFile(lfVarx) {
  try {
    print("Loading " + lfVarx);
    load(lfVarx);
  } catch (lfVare) {
    print("[LangFuzzDriver] " + lfVare);
    if (lfVare instanceof SyntaxError) {
      print("[LangFuzzDriver] Syntax Error in test " + lfVarx);
    }
  }
}
-----------------------------------------
Jul 28 2016
Jul 31 2016
ClusterFuzz has detected this issue as fixed in range 38132:38133.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5460300350619648

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::base::NoBarrier_Load
  v8::internal::HeapObject::map_word
  v8::internal::HeapObject::map

Regressed: V8: r37974:37975
Fixed: V8: r38132:38133

Minimized Testcase (5.88 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97fEgrvbwmxOeMBWMdCBQzCDJjw6OqxYdk2Ax0yGcPDCXFxAoSuFsrvonitokYny3tv6tUkUdB0vIhmd5eUPs8a_ZuDLKXovSctrA1OS73bLbYZqfBrOYGAyQ2PI-vyBrU9MwHY1CxP8CldM7XzNfRCaVyYNw?testcase_id=5460300350619648

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by rnimmagadda@chromium.org, Jul 27 2016
Labels: -Pri-1 -Type-Bug M-54 findit-wrong Te-Logged Pri-2 Type-Bug-Regression
Owner: mvstan...@chromium.org
Status: Assigned (was: Untriaged)