Crash in v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5761318101712896

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x00680018
Crash State:
  v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer
  v8::internal::InnerPointerToCodeCache::GetCacheEntry
  v8::internal::StackFrame::ComputeType

Recommended Security Severity: Low

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=420859:421045

Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv975YC_J83dO0P4SDge-Q3Qy6k65OcdsNON2lMFSpxV_VtUrDNZJcWIaBUCrJOmTm1LWvxFR0wn6GdRSuYtfCZIfFWYZoPqpuwO-viu2Bd5OOoGy_IYziJetbFUGythCwla_jBRHZbJg9KoRfLXaWOBX3e9zog?testcase_id=5761318101712896

  __v_5 = [].entries().__proto__.__proto__[Symbol.iterator];
  1/__v_5(-1E-300);
  __v_5.__p_979855400 = __v_5[getRandomProperty()];

Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 29 2016

Sep 29 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 29 2016

Sep 29 2016
This bug is reported as an M55 Beta blocker. Please try to resolve this before the M55 branch on Oct 6th, 2016 so it has enough baking time in Dev.
Oct 4 2016
related to https://chromium.googlesource.com/v8/v8/+/cc37dff7ba21345b3a867a86127a208e34a3f707 ?
Oct 4 2016
jgruber, can you confirm or rule out hablich's guess in C#6? Thanks.
Oct 4 2016
Doesn't look related at first glance but I'll take a closer look tomorrow morning.
Oct 4 2016
A friendly reminder that the M55 Beta launch is coming soon! Your bug is labelled as Beta ReleaseBlock, please make sure to land the fix ASAP. Thank you.
Oct 5 2016
Bisected down to 5784773feb92d06e76d4eb0fb93ed9496b9df30b.

d8 repro:

$ cat ~/Downloads/fuzz-00638.js
__v_5 = [].entries().__proto__.__proto__[Symbol.iterator];
__v_5(0);
$ out/debug/d8 --ignition ~/Downloads/fuzz-00638.js
Received signal 11 SEGV_ACCERR 7ffcf1d48148
==== C stack trace ===============================
[0x560c23503c0e]
[0x560c23503b65]
[0x7f8079aab330]
[0x7ffcf1d48148]
[end of stack trace]
Segmentation fault (core dumped)

Seems like the call to __v_5(0) messes up the stack.
Oct 5 2016
Cannot reproduce on TOT.
Oct 5 2016

Oct 5 2016
Should be fixed by https://codereview.chromium.org/2381053002/
Oct 5 2016

Oct 25 2016

Jan 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by aarya@google.com, Sep 28 2016