Issue metadata
length_obj->IsSmi() in runtime-typedarray.cc
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5795890642288640
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: length_obj->IsSmi() in runtime-typedarray.cc
Regressed: V8: r39770:39771
Minimized Testcase (0.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94dhDomzw6WOAece_TkCvyM8pUYovq2PRxV0kSVW4bZoslxyL8aMGnye_qaaF964E0nwefuwN_duytOWCfmoMTBZdxK4tkFYDYXehOWWYLbHG9G0DaapIJ_PQABuIAcdJt4KpKWyONgpc2H0sEbxMZSDBU34A?testcase_id=5795890642288640
Issue manually filed by: brajkumar
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 28 2016
Awesome, I added that CHECK yesterday because I suspected more bugs, and ClusterFuzz found an amazingly easy repro (for something that can easily turn into a serious security issue) within hours. Fix is in-flight, including the further minimized repro from ClusterFuzz.
Sep 28 2016
ClusterFuzz has detected this issue as fixed in range 39801:39802.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5795890642288640
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: length_obj->IsSmi() in runtime-typedarray.cc
Regressed: V8: r39770:39771
Fixed: V8: r39801:39802
Minimized Testcase (0.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94dhDomzw6WOAece_TkCvyM8pUYovq2PRxV0kSVW4bZoslxyL8aMGnye_qaaF964E0nwefuwN_duytOWCfmoMTBZdxK4tkFYDYXehOWWYLbHG9G0DaapIJ_PQABuIAcdJt4KpKWyONgpc2H0sEbxMZSDBU34A?testcase_id=5795890642288640
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 28 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 28 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/15a449b141bbecd70a3eaa6fba401b74e0810796

commit 15a449b141bbecd70a3eaa6fba401b74e0810796
Author: bmeurer <bmeurer@chromium.org>
Date: Wed Sep 28 05:49:23 2016

[typedarray] Properly initialize JSTypedArray::length with Smi.

Even after https://codereview.chromium.org/2371963002 we still did not always store a Smi into the JSTypedArray::length field, the runtime function %TypedArrayInitializeFromArrayLike was still storing whatever it got from the JavaScript code, which is highly dependent on internal decisions of the ICs and the representation selection in the optimizing compilers, so that's pretty fragile.

R=verwaest@chromium.org
BUG= chromium:650933

Review-Url: https://codereview.chromium.org/2377943002
Cr-Commit-Position: refs/heads/master@{#39802}

[modify] https://crrev.com/15a449b141bbecd70a3eaa6fba401b74e0810796/src/runtime/runtime-typedarray.cc
[add] https://crrev.com/15a449b141bbecd70a3eaa6fba401b74e0810796/test/mjsunit/regress/regress-crbug-650933.js
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by brajkumar@chromium.org, Sep 28 2016
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)