index < length() in builtins-utils.h
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4509688458903552
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: index < length() in builtins-utils.h
Regressed: V8: r38757:38758
Minimized Testcase (12.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97nmZMA0JyE2tY0-PPEnIDQ_vuy-LDN-k8fNTsva8OFXe8BxIuLQ5tn32h6rijUlw9TitHo_EQMaH6_qJdnvjWiIL0sT79RT7VLP411akd9OMY1PgCl4XzdKgBEgA8NL527cvrSyT2Us6f5-_RC6ad7QT672Q?testcase_id=4509688458903552
Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 22 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4723600110387200
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: 4 == args.length() in builtins-object.cc
Regressed: V8: r38757:38758
Minimized Testcase (8.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ATym9pdM-eREs115sd8Nv47nGAynEvVBOvbJh4yXUvZ4pcYu3HCCX3A8MqXkROitsndXE_yYAzGOtncLGFwshxyrHDZONGORWlFScia030GarKYP-E4W_K-jazerpx8QAr_E0iWK3P7zsVUD1iVF9K10XrA?testcase_id=4723600110387200
Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 22 2016
As per request, here is one repro ...
"use strict";
function foo() {
  for (var i = 0; i < 10000; i++) {
    try {
      for (;;) { toLocaleString(__defineSetter__(parseInt('0x'))) }
    } catch(e) {
      if (typeof a == "number") return a && isNaN(b);
    }
  }
}
foo();
Aug 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/be23ef541b7f48e81f7106e8522a510fb0f441b6

commit be23ef541b7f48e81f7106e8522a510fb0f441b6
Author: jgruber <jgruber@chromium.org>
Date: Mon Aug 22 14:55:14 2016

[turbofan] Disable inlining of Cpp builtins in need of argument adaption

Disable inlining of Cpp to a direct CEntryStub call when a call would require argument adaption, i.e. when argument adaption is enabled for the given function and the actual argument count differs from the formal parameter count.

This is intended to be a temporary fix until we either disable argument adaption for all Cpp builtins or add adaption logic to inlined Cpp builtins.

BUG=chromium:639752
Review-Url: https://codereview.chromium.org/2266893002
Cr-Commit-Position: refs/heads/master@{#38788}

[modify] https://crrev.com/be23ef541b7f48e81f7106e8522a510fb0f441b6/src/compiler/js-typed-lowering.cc
Aug 22 2016

Aug 23 2016
ClusterFuzz has detected this issue as fixed in range 38787:38788.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4509688458903552
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: index < length() in builtins-utils.h
Regressed: V8: r38757:38758
Fixed: V8: r38787:38788
Minimized Testcase (12.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97nmZMA0JyE2tY0-PPEnIDQ_vuy-LDN-k8fNTsva8OFXe8BxIuLQ5tn32h6rijUlw9TitHo_EQMaH6_qJdnvjWiIL0sT79RT7VLP411akd9OMY1PgCl4XzdKgBEgA8NL527cvrSyT2Us6f5-_RC6ad7QT672Q?testcase_id=4509688458903552

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 23 2016
ClusterFuzz has detected this issue as fixed in range 38787:38788.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4723600110387200
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: 4 == args.length() in builtins-object.cc
Regressed: V8: r38757:38758
Fixed: V8: r38787:38788
Minimized Testcase (8.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ATym9pdM-eREs115sd8Nv47nGAynEvVBOvbJh4yXUvZ4pcYu3HCCX3A8MqXkROitsndXE_yYAzGOtncLGFwshxyrHDZONGORWlFScia030GarKYP-E4W_K-jazerpx8QAr_E0iWK3P7zsVUD1iVF9K10XrA?testcase_id=4723600110387200

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Aug 22 2016
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)