Use-of-uninitialized-value in v8::internal::PointerUpdateJobTraits<
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6081568072531968
Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::PointerUpdateJobTraits<
  int v8::internal::SlotSet::Iterate<v8::internal::PointerUpdateJobTraits<
  v8::internal::PointerUpdateJobTraits<
Recommended Security Severity: Medium
Minimized Testcase (16.14 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95yEWCmNB3_GPmB4vlN3WRj25butChfncOTxlys77zCytPpNU9LMQ7zdXkMDmLtm2z5EMJ0xeNWEUK9TIyGUxD05i19gJ8BrwOgwSHUcVnhwkGksOQsoXFm1BIBZYhb1EWPdD4wwraWg2DUPxbJZui2P8tPi2Wc0tjPfzbC6G8co1Bf_LM?testcase_id=6081568072531968
Issue manually filed by: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 17 2016
Assigning to the current memory sheriff.
Aug 17 2016
We have a stale slot in the old to new remembered set. Investigating.
Aug 17 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/23f61424e321c5895af568f13781a8d1669e8ada

commit 23f61424e321c5895af568f13781a8d1669e8ada
Author: mlippautz <mlippautz@chromium.org>
Date: Wed Aug 17 12:49:59 2016

[heap] Filter slots in map space

We mark an object allocated as uninitialized. If we happen to have a GC before fields of a map are written, msan will observe access to uninitialized memory and crash.

This also unifies the handling as we now deal with all spaces in the same way. In future we could parallelize clearing.

BUG=chromium:638226
R=hpayer@chromium.org

Review-Url: https://codereview.chromium.org/2251993002
Cr-Commit-Position: refs/heads/master@{#38681}

[modify] https://crrev.com/23f61424e321c5895af568f13781a8d1669e8ada/src/heap/remembered-set.cc
Aug 18 2016
ClusterFuzz has detected this issue as fixed in range 412507:412570.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6081568072531968
Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  v8::internal::PointerUpdateJobTraits<
  int v8::internal::SlotSet::Iterate<v8::internal::PointerUpdateJobTraits<
  v8::internal::PointerUpdateJobTraits<
Recommended Security Severity: Medium
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_d8&range=412507:412570
Minimized Testcase (16.14 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95yEWCmNB3_GPmB4vlN3WRj25butChfncOTxlys77zCytPpNU9LMQ7zdXkMDmLtm2z5EMJ0xeNWEUK9TIyGUxD05i19gJ8BrwOgwSHUcVnhwkGksOQsoXFm1BIBZYhb1EWPdD4wwraWg2DUPxbJZui2P8tPi2Wc0tjPfzbC6G8co1Bf_LM?testcase_id=6081568072531968

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 24 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Aug 16 2016
Owner: hpayer@chromium.org