is_uint24(link) in assembler-arm.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6080317679206400

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  is_uint24(link) in assembler-arm.cc

Minimized Testcase (5.83 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97JXUZTXnVArA0oH5StIQHbDLKUmuuGCJYOcVMD5MIWd0ChcZ7n96-HhoJOaTE2fNlZqGuR-txEgz1jVcVNGJAn30nzD6Eglg0Eb7KXgGPVl_2ET_vLWHEYAmylbM-KaUwChCB5BCH2YYZzZtUgQa3CfZXFJA?testcase_id=6080317679206400

Issue manually filed by: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, Sep 22 2016
Labels: -OS-Linux OS-All
Owner: yangguo@chromium.org
Status: Assigned (was: Untriaged)
While compiling code for a regexp on arm we are trying to generate a jump by the offset that does not fit into 24 bits. Reproduces on TOT.

Smaller repro:
out/arm.debug/d8 --predictable test.js

===== test.js =====
// Build "(?:x|x|...|x|aa)" with 948350 alternatives; the generated
// regexp code grows past what a 24-bit branch offset can reach.
var src = "(?:";
src += "x|".repeat(948350);
src += "aa)";
var r = new RegExp(src, "");
r.test("foo");
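The constraint behind that CHECK is the ARM A32 branch encoding: B/BL carry a signed 24-bit word offset, taken relative to PC+8, so a single branch can reach at most about 32 MiB in either direction. The following is an added example, not V8 code, and the function names (encode_b, decode_b_target, fits_int24) are mine; it encodes and decodes that field and rejects targets that fall outside the range, which is the situation the huge alternation in the repro drives the regexp compiler into.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ARM A32 B instruction layout: cond[31:28] 101 L[24] imm24[23:0].
 * imm24 is a signed word offset; the target is PC + 8 + (imm24 << 2),
 * where PC is the address of the branch itself (the +8 is the
 * architectural read-ahead of the A32 PC). */
#define ARM_PC_READ_AHEAD 8
#define IMM24_MIN (-(1 << 23))
#define IMM24_MAX ((1 << 23) - 1)
#define B_AL_OPCODE 0xEA000000u   /* cond = AL (1110), 101, L = 0 */

bool fits_int24(int64_t v) {
    return v >= IMM24_MIN && v <= IMM24_MAX;
}

/* Encode an unconditional B from byte address `from` to byte address
 * `target`. Returns false (and leaves *insn untouched) when the target
 * is not word aligned or the word offset does not fit in 24 signed bits,
 * i.e. the same condition the assembler's range check has to enforce. */
bool encode_b(uint32_t from, uint32_t target, uint32_t *insn) {
    int64_t byte_off = (int64_t)target - (int64_t)from - ARM_PC_READ_AHEAD;
    if (byte_off & 3)
        return false;                 /* A32 targets are word aligned */
    int64_t word_off = byte_off / 4;  /* exact: byte_off is a multiple of 4 */
    if (!fits_int24(word_off))
        return false;                 /* out of the +/-32 MiB window */
    *insn = B_AL_OPCODE | ((uint32_t)word_off & 0x00FFFFFFu);
    return true;
}

/* Decode the target of a B at byte address `from` (sign-extends imm24). */
int64_t decode_b_target(uint32_t from, uint32_t insn) {
    int64_t imm24 = insn & 0x00FFFFFFu;
    if (imm24 & 0x00800000)
        imm24 -= 0x01000000;          /* sign-extend bit 23 */
    return (int64_t)from + ARM_PC_READ_AHEAD + (imm24 << 2);
}

int main(void) {
    uint32_t insn;
    uint32_t from = 0x1000;
    /* Last reachable forward target: PC+8 plus (2^23 - 1) words. */
    uint32_t far_ok = from + ARM_PC_READ_AHEAD + (uint32_t)IMM24_MAX * 4;
    printf("forward  +32MiB-4: %s\n", encode_b(from, far_ok, &insn) ? "encodable" : "out of range");
    /* One word further and the offset no longer fits in 24 bits. */
    printf("forward  +32MiB  : %s\n", encode_b(from, far_ok + 4, &insn) ? "encodable" : "out of range");
    return 0;
}
```

The decisive number for a code generator is the window, not the field width: anything laid out more than 32 MiB (8 Mi instructions) away from a branch needs a different strategy such as a veneer or an indirect jump, and a compiler that emits one branch per alternative of a regexp has to either bound the input or handle that case.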