Crash in v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE |
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5624175140274176
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE
  v8::internal::ElementsAccessorBase<v8::internal::SlowSloppyArgumentsElementsAcce
  v8::internal::__RT_impl_Runtime_ArrayIndexOf
Regressed: V8: r38799:38800
Minimized Testcase (0.95 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ETav4XQ1d61LD2S5IjmdsDkPd8WwMnr--240dg55-gACkstSgb5BWA3H8srEwhObdGJ6U1Mjbq1Kv-2q73UmqA66kI8Y2X_Gaw74Kz6GVz_J4ooq7M_e4b-1Rh0nebU2M4Wd5yZpFRWjC8iaoEo1JvP3iBw?testcase_id=5624175140274176
Issue manually filed by: mmohammad
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 10 2016
I can repro on a standard debug build.
Sep 10 2016
cbruni@ could you post the repro, or privately email it to me? I can take a look at this.
Sep 10 2016
Nevermind, I got it.
Sep 10 2016
I assigned before checking... just got the CL ready.
Sep 10 2016
Sep 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/621f4af7200ef76bfafa671efa6121bb9b6fb630

commit 621f4af7200ef76bfafa671efa6121bb9b6fb630
Author: cbruni <cbruni@chromium.org>
Date: Mon Sep 12 17:31:25 2016

[elements] Handlify SloppyArguments IndexOfValueImpl

The raw pointer to the parameter_map might get stale in case of accessors present on the arguments object.

Drive-by-fix: use nullptr instead of the_hole with isolate access.

BUG=chromium:645680
Review-Url: https://codereview.chromium.org/2332503002
Cr-Commit-Position: refs/heads/master@{#39359}

[modify] https://crrev.com/621f4af7200ef76bfafa671efa6121bb9b6fb630/src/elements.cc
[modify] https://crrev.com/621f4af7200ef76bfafa671efa6121bb9b6fb630/test/mjsunit/array-indexing-receiver.js
[add] https://crrev.com/621f4af7200ef76bfafa671efa6121bb9b6fb630/test/mjsunit/regress/regress-645680.js
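The root cause named in the commit message is a general native-code pattern worth seeing in isolation: a raw pointer into an object's backing store is cached, then user-controlled code (an accessor) runs and reallocates that store, and the cached pointer is dereferenced afterwards. The following C program is an added, simplified model of that pattern and of the "handlify" fix; it is not V8's code and its `Args`, `Slot`, `args_push`, `safe_index_of` and `growing_getter` names are constructed for this illustration. The safe search re-reads the backing store through the owning object after every accessor call (the role a `Handle<>` plays in V8), and a separate check makes the stale-pointer condition observable without ever dereferencing freed memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of an arguments-like object whose slots are either plain
   values or accessors. An accessor stands in for arbitrary user code: it may
   grow the backing store, which moves the store in memory. */
typedef struct Args Args;
typedef int (*Getter)(Args *self);

typedef struct {
    int is_accessor;  /* 1: call `get`; 0: read `value` */
    int value;
    Getter get;
} Slot;

struct Args {
    Slot *slots;      /* backing store; may be reallocated by an accessor */
    size_t len;
};

/* Append a slot. The store is always moved to a fresh allocation and the old
   one freed, so any Slot* cached before the call now dangles. This is the
   pessimistic case a raw-pointer implementation has to survive. */
static void args_push(Args *a, Slot s) {
    Slot *fresh = malloc((a->len + 1) * sizeof *fresh);
    if (!fresh) abort();
    if (a->len) memcpy(fresh, a->slots, a->len * sizeof *fresh);
    free(a->slots);
    a->slots = fresh;
    a->slots[a->len++] = s;
}

/* An accessor that mutates the object it is read from: appends a value and
   returns 5 (so the search below keeps going past it). */
static int growing_getter(Args *self) {
    Slot extra = {0, 42, NULL};
    args_push(self, extra);
    return 5;
}

/* Handlified search: never keep a Slot* across a call into user code. The
   owning object `a` acts as the handle; a->slots is re-read on every access
   after an accessor may have run. Length is captured once, as
   Array.prototype.indexOf does, so slots appended mid-search are not visited. */
static long safe_index_of(Args *a, int needle) {
    size_t len = a->len;
    for (size_t i = 0; i < len; i++) {
        int v;
        if (a->slots[i].is_accessor) {
            Getter g = a->slots[i].get;
            v = g(a);                  /* may reallocate a->slots */
        } else {
            v = a->slots[i].value;     /* fresh read through the handle */
        }
        if (v == needle) return (long)i;
    }
    return -1;
}

/* Build [10, accessor, 7] and search it; the accessor at index 1 moves the
   store before index 2 is read. A stale Slot* would read freed memory here. */
static long demo_search(int needle) {
    Args a = {NULL, 0};
    Slot s0 = {0, 10, NULL};
    Slot s1 = {1, 0, growing_getter};
    Slot s2 = {0, 7, NULL};
    args_push(&a, s0);
    args_push(&a, s1);
    args_push(&a, s2);
    long idx = safe_index_of(&a, needle);
    free(a.slots);
    return idx;
}

/* The unsafe pattern made observable: record the store address (as an
   integer, so no freed pointer value is used), run the accessor, and report
   whether a pointer cached before the call would still be valid. Returns 1
   when it would not. */
static int raw_pointer_went_stale(void) {
    Args a = {NULL, 0};
    Slot acc = {1, 0, growing_getter};
    args_push(&a, acc);
    uintptr_t cached = (uintptr_t)a.slots;  /* what raw-pointer code holds */
    a.slots[0].get(&a);                     /* accessor reallocates the store */
    int stale = (uintptr_t)a.slots != cached;
    free(a.slots);
    return stale;
}

int main(void) {
    printf("indexOf(7)  = %ld\n", demo_search(7));
    printf("indexOf(42) = %ld (appended mid-search, length captured once)\n",
           demo_search(42));
    printf("raw pointer stale after accessor: %d\n", raw_pointer_went_stale());
    return 0;
}
```

Running the program under AddressSanitizer is the useful check: the handlified search stays clean, whereas an implementation that kept the `Slot*` obtained before the accessor call and indexed it at `i == 2` would report a heap-use-after-free, which is the class of read ClusterFuzz flagged above.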
Sep 13 2016
ClusterFuzz has detected this issue as fixed in range 39358:39359.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5624175140274176
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE
  v8::internal::ElementsAccessorBase<v8::internal::SlowSloppyArgumentsElementsAcce
  v8::internal::__RT_impl_Runtime_ArrayIndexOf
Regressed: V8: r38799:38800
Fixed: V8: r39358:39359
Minimized Testcase (0.95 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ETav4XQ1d61LD2S5IjmdsDkPd8WwMnr--240dg55-gACkstSgb5BWA3H8srEwhObdGJ6U1Mjbq1Kv-2q73UmqA66kI8Y2X_Gaw74Kz6GVz_J4ooq7M_e4b-1Rh0nebU2M4Wd5yZpFRWjC8iaoEo1JvP3iBw?testcase_id=5624175140274176
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 13 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Sep 9 2016
Owner: jkummerow@chromium.org
Status: Assigned (was: Untriaged)