
Issue 644674


Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Attempting free in void v8::internal::LocalArrayBufferTracker::Free<

Project Member Reported by ClusterFuzz, Sep 7 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784

Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
  
Recommended Security Severity: High


Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784

Issue manually filed by: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Cc: mmoroz@chromium.org titzer@chromium.org kcc@chromium.org aizatsky@chromium.org
Components: Blink>JavaScript>WebAssembly
Labels: Pri-1
Owner: ahaas@chromium.org
ahaas@, if you are not an owner for this, could you please help to find a correct one?
Comment 2 by ClusterFuzz (Project Member), Sep 7 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784

Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
  
Recommended Security Severity: High


Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Comment 3 by sheriffbot@chromium.org (Project Member), Sep 7 2016

Status: Assigned (was: Untriaged)

Comment 4 by ahaas@chromium.org, Sep 7 2016

The problem here is that the fuzzer generates opcodes which are not supported in the asmjs version of wasm. I'm working on a fix.
Comment 6 by ClusterFuzz (Project Member), Sep 15 2016

ClusterFuzz has detected this issue as fixed in range 417914:417938.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784

Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
  
Recommended Security Severity: High

Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417914:417938

Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 7 by ClusterFuzz (Project Member), Sep 15 2016

ClusterFuzz has detected this issue as fixed in range 417914:417938.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784

Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=415621:415679
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417914:417938

Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 8 by ClusterFuzz (Project Member), Sep 15 2016

ClusterFuzz has detected this issue as fixed in range 417914:417938.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784

Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
  
Recommended Security Severity: High

Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417914:417938

Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 9 by ClusterFuzz (Project Member), Sep 15 2016

ClusterFuzz has detected this issue as fixed in range 417914:417938.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784

Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
  
Recommended Security Severity: High

Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417914:417938

Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 10 by ClusterFuzz (Project Member), Sep 16 2016

ClusterFuzz has detected this issue as fixed in range 417914:417938.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784

Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=415949:415984
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417914:417938

Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 11 by ahaas@chromium.org, Sep 16 2016

Status: Fixed (was: Assigned)
Comment 12 by sheriffbot@chromium.org (Project Member), Sep 16 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 13 by ClusterFuzz (Project Member), Sep 17 2016

ClusterFuzz has detected this issue as fixed in range 417914:417938.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784

Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=415621:415679
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417914:417938

Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 14 by ClusterFuzz (Project Member), Sep 18 2016

ClusterFuzz has detected this issue as fixed in range 417914:417938.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784

Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
  
Recommended Security Severity: High

Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417914:417938

Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: Security_Impact-Head M-55
Comment 16 by ClusterFuzz (Project Member), Sep 19 2016

ClusterFuzz has detected this issue as fixed in range 417914:417938.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784

Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=415949:415984
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417914:417938

Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 17 by ClusterFuzz (Project Member), Sep 20 2016

ClusterFuzz has detected this issue as fixed in range 417914:417938.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784

Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=415621:415679
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417914:417938

Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 18 by ClusterFuzz (Project Member), Sep 21 2016

ClusterFuzz has detected this issue as fixed in range 417914:417938.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784

Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=415621:415679
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417914:417938

Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 19 by ClusterFuzz (Project Member), Sep 21 2016

ClusterFuzz has detected this issue as fixed in range 417914:417938.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784

Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=415621:415679
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417914:417938

Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 20 by sheriffbot@chromium.org (Project Member), Dec 23 2016

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
