false in code-generator.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4669351175389184

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  false in code-generator.cc
  v8::base::OS::Abort
  V8_Fatal
  v8::internal::compiler::CodeGenerator::AddTranslationForOperand

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=409589:409863

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv961_stdjgqlhNFqqNVUobN9vjux3xXaVB_gp-Ju2ratzSrOpxQ3GegIrqIHR6iVNpJ0k3gHz6qiQ6yRUh-XXslUefmaPGUKNYB0AehnTLSM_cX3rg_BGZNEuTVucTKAyt2WcymH7ITnwZN0BCFumyfpLDQsAw?testcase_id=4669351175389184

<script>
try {
  function foo(a) { return typeof(a) == "function"; }
  var array = [ foo, 0, {f:42}[ 3] ];
  var result = 0;
  for (var __v_143 = 0; __v_143 < 100000; ++__v_143) {
    result *= 0;
    result += foo(array[__v_143 % array.length]) | 0;
  }
} catch(e) {; }
</script>

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 5 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6587008640352256

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  false in code-generator.cc
  SignalAction
  v8::base::OS::Abort
  V8_Fatal

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=409589:409863

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94NqP1LOVZyHtQCjcPECY4lAmP9y6SsKSex6e7pZQk7DInhqF6h9wCPUYRmWu03La750Cey6l06pyhAd5Hmeh4qD5SPzAciDjSXFSRRwrj3vXISBhn0qznbQrJ1VYdewsn8cuk4ESRixsA7fl31jee_3hdryA?testcase_id=6587008640352256

<script>
try {
  function foo() { }
  var result = 0;
  for (var __v_143 = 0; __v_143 < 100000; ++__v_143) {
    result *= 0;
    result += foo() | 10;
  }
} catch(e) {; }
</script>

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 8 2016
Interesting, we'll take a look.
Aug 8 2016
Aug 8 2016
Verified that this is fixed by: https://crrev.com/c38f1011e89ececb2ac7f4acdfdf5216a2e94e83
Aug 9 2016
ClusterFuzz has detected this issue as fixed in range 410349:410400.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4669351175389184

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  false in code-generator.cc
  v8::base::OS::Abort
  V8_Fatal
  v8::internal::compiler::CodeGenerator::AddTranslationForOperand

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=409589:409863
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=410349:410400

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv961_stdjgqlhNFqqNVUobN9vjux3xXaVB_gp-Ju2ratzSrOpxQ3GegIrqIHR6iVNpJ0k3gHz6qiQ6yRUh-XXslUefmaPGUKNYB0AehnTLSM_cX3rg_BGZNEuTVucTKAyt2WcymH7ITnwZN0BCFumyfpLDQsAw?testcase_id=4669351175389184

<script>
try {
  function foo(a) { return typeof(a) == "function"; }
  var array = [ foo, 0, {f:42}[ 3] ];
  var result = 0;
  for (var __v_143 = 0; __v_143 < 100000; ++__v_143) {
    result *= 0;
    result += foo(array[__v_143 % array.length]) | 0;
  }
} catch(e) {; }
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 9 2016
ClusterFuzz has detected this issue as fixed in range 410349:410400.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6587008640352256

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  false in code-generator.cc
  SignalAction
  v8::base::OS::Abort
  V8_Fatal

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=409589:409863
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=410349:410400

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94NqP1LOVZyHtQCjcPECY4lAmP9y6SsKSex6e7pZQk7DInhqF6h9wCPUYRmWu03La750Cey6l06pyhAd5Hmeh4qD5SPzAciDjSXFSRRwrj3vXISBhn0qznbQrJ1VYdewsn8cuk4ESRixsA7fl31jee_3hdryA?testcase_id=6587008640352256

<script>
try {
  function foo() { }
  var result = 0;
  for (var __v_143 = 0; __v_143 < 100000; ++__v_143) {
    result *= 0;
    result += foo() | 10;
  }
} catch(e) {; }
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 9 2016
As per updates #5, #6 and #7, marking the bug as verified. Thank you.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Aug 5 2016
Components: Blink>JavaScript
Status: Available (was: Untriaged)