Attempting free in void v8::internal::LocalArrayBufferTracker::Free<
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784
Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
Recommended Security Severity: High
Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784
Issue manually filed by: mmoroz
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
The problem here is that the fuzzer generates opcodes which are not supported in the asmjs version of wasm. I'm working on a fix.
Sep 12 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/685d488288a27ac6f208de59879ac7e11a5bb560

commit 685d488288a27ac6f208de59879ac7e11a5bb560
Author: ahaas <ahaas@chromium.org>
Date: Mon Sep 12 10:16:06 2016

[wasm] Do not support grow_memory for asmjs modules.

With this CL the AstDecoder produces an error if it encounters a grow_memory instruction in an asmjs module. Additionally asmjs instructions are not allowed anymore in wasm modules.

BUG= chromium:644674
R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2324733002
Cr-Commit-Position: refs/heads/master@{#39339}

[modify] https://crrev.com/685d488288a27ac6f208de59879ac7e11a5bb560/src/compiler/wasm-compiler.cc
[modify] https://crrev.com/685d488288a27ac6f208de59879ac7e11a5bb560/src/compiler/wasm-compiler.h
[modify] https://crrev.com/685d488288a27ac6f208de59879ac7e11a5bb560/src/wasm/ast-decoder.cc
[modify] https://crrev.com/685d488288a27ac6f208de59879ac7e11a5bb560/src/wasm/wasm-opcodes.cc
[modify] https://crrev.com/685d488288a27ac6f208de59879ac7e11a5bb560/src/wasm/wasm-opcodes.h
[modify] https://crrev.com/685d488288a27ac6f208de59879ac7e11a5bb560/test/cctest/wasm/test-run-wasm-asmjs.cc
[modify] https://crrev.com/685d488288a27ac6f208de59879ac7e11a5bb560/test/cctest/wasm/test-signatures.h
[modify] https://crrev.com/685d488288a27ac6f208de59879ac7e11a5bb560/test/unittests/wasm/ast-decoder-unittest.cc
Sep 15 2016
ClusterFuzz has detected this issue as fixed in range 417914:417938.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784
Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
Recommended Security Severity: High
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417914:417938
Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 15 2016
ClusterFuzz has detected this issue as fixed in range 417914:417938.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784
Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=415621:415679
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417914:417938
Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 16 2016
ClusterFuzz has detected this issue as fixed in range 417914:417938.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4948314439286784
Fuzzer: v8_wasm_asmjs_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Attempting free
Crash Address: add
Crash State:
  void v8::internal::LocalArrayBufferTracker::Free<
  v8::internal::ArrayBufferTracker::FreeDead
  v8::internal::MarkCompactCollector::Sweeper::RawSweep
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=415949:415984
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=417914:417938
Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Lf_jUStEIs__gC438rXwPFyFTZT7E6h5TEUqfr0K4eOaPLHQWwkyl6PxCgLyBP7i6EWHUgYqTKSR9SwsgdWULxHL6g7sr5n57GI_N8sCJYZfXvwu2O8xqxrbTwZcNng32yYmGLIm-DmsXNq2XeOBB0Goaiw?testcase_id=4948314439286784
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 23 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Sep 7 2016
Components: Blink>JavaScript>WebAssembly
Labels: Pri-1
Owner: ahaas@chromium.org