Security: SIGILL: Fatal error, unreachable code
Reported by lu...@princeton.edu, Sep 5 2016
Issue description

This template is ONLY for reporting security bugs. If you are reporting a Download Protection Bypass bug, please use the "Security - Download Protection" template. For all other reports, please use a different template. Please see the following link for instructions on filing security bugs: http://www.chromium.org/Home/chromium-security/reporting-security-bugs
NOTE: Security bugs are normally made public once a fix has been widely deployed.

VULNERABILITY DETAILS
The attached input crash1.js causes SIGILL when run against the v8 engine corresponding to dev/beta/stable releases, in addition to the tip of v8. In v8, I built d8 with the tip, and used commit 3807927f46dda120dd7c5192e1313a1188cae83a corresponding to the v8 engine shipped with dev (54.0.2840.8) and used commit c668dfb3c38e0efcab923d8381e60f67a5cbb4c0 corresponding to the v8 engine shipped with beta/stable (53.0.2785.89).

Running ./d8 crash1.js causes

#
# Fatal error in , line 0
# unreachable code
#

==== C stack trace ===============================

 1: 0xae9829
 2: 0x4a4f75
 3: 0x4a4e5b
 4: 0x6c2fb2
 5: 0x114e09108206
Illegal instruction (core dumped)

VERSION
Chrome Version: 54.0.2840.6, dev
53.0.2785.87, beta/stable
Operating System: Linux

REPRODUCTION CASE
crash1.js. Run ./d8 crash1.js to observe the error.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: in v8 engine
Crash State: see above; SIGILL

Please let me know if this submission is eligible for a bug bounty. Thanks!

Comment, Sep 6 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5030498202288128
Comment, Sep 8 2016
Same as issue 644215, spread operator causing a leaked hole.
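The comment above attributes the crash to the spread operator leaking "the hole" (V8's internal marker for a missing array element) instead of materializing it. The ECMAScript behaviour an engine must preserve is that spread walks the array iterator, which reads a hole as a plain `undefined`, so the result is always dense; `Array.prototype.slice`, by contrast, is allowed to keep holes. The following is an added example, not code from the issue, from crash1.js or from V8: a small regression-style check a team could keep in a JavaScript test suite to confirm that spreading holey arrays (into an array literal and into a call) never produces anything other than own-property `undefined` values. The sample arrays and helper names are constructed for this example.

```javascript
// Added example (not from the issue or from V8): verifies the spread
// invariant that the bug in this issue violated. Holes must come out of
// spread as real `undefined` own properties, never as an internal value.

// Count indices below length that are not own properties, i.e. holes.
function countHoles(arr) {
  let holes = 0;
  for (let i = 0; i < arr.length; i++) {
    if (!Object.prototype.hasOwnProperty.call(arr, i)) holes++;
  }
  return holes;
}

// Spread into an array literal and into a function call. Both go through
// the array iterator protocol, so both must produce a dense result.
function spreadToArray(arr) {
  return [...arr];
}

function spreadToArgs(arr) {
  return ((...args) => args)(...arr);
}

// True when every spread copy of `src` has the same length, contains no
// holes, carries `undefined` where `src` had a hole, and otherwise matches
// `src` element for element.
function holesMaterialized(src) {
  const copies = [spreadToArray(src), spreadToArgs(src)];
  return copies.every((copy) => {
    if (copy.length !== src.length || countHoles(copy) !== 0) return false;
    for (let i = 0; i < src.length; i++) {
      const wasHole = !Object.prototype.hasOwnProperty.call(src, i);
      if (wasHole && copy[i] !== undefined) return false;
      if (!wasHole && copy[i] !== src[i]) return false;
    }
    return true;
  });
}

// Constructed sample inputs: a holey array literal, a holey array created by
// writing past the end, and a dense control array.
const SAMPLES = [
  [, 1, , 2],
  (() => { const a = []; a[3] = "x"; return a; })(),
  [1, 2, 3],
];

// Run the checks over every sample and report, per sample, how many holes
// the source had, whether slice() preserved them (permitted) and whether
// spread filled them in (required).
function runChecks() {
  return SAMPLES.map((s) => ({
    sourceHoles: countHoles(s),
    sliceKeepsHoles: countHoles(s.slice()) === countHoles(s),
    spreadFillsHoles: holesMaterialized(s),
  }));
}

console.log(runChecks());
```

On a conforming engine every sample reports `spreadFillsHoles: true`; the `sliceKeepsHoles` column is there only to show that a dense result is specific to spread and not a property of array copying in general, which is why a hole-handling bug in spread can go unnoticed by tests that only exercise `slice` or indexed loops.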
Comment, Dec 16 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by vakh@chromium.org, Sep 6 2016
Owner: mvstan...@chromium.org