Issue metadata
Sign in to add a comment
|
Bad-cast to v8::internal::compiler::Operator1<v8::internal::UnicodeEncoding, v8::internal::compiler::OpEqualTo<v8::internal::UnicodeEncoding>, v8::internal::compiler::OpHash<v8::internal::UnicodeEncoding> > from v8::internal::compiler::SimplifiedOperatorGlobalCache::StringFromCodePointOperator<(v8::internal::UnicodeEncoding)0>;v8::internal::compiler::UnicodeEncodingOf;v8::internal::compiler::EffectControlLinearizer::LowerStringFromCodePoint |
||||||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=5639375658680320 Fuzzer: v8_builtins_generator Job Type: linux_ubsan_vptr_d8 Platform Id: linux Crash Type: Bad-cast Crash Address: 0x7f4ce22372f0 Crash State: Bad-cast to v8::internal::compiler::Operator1<v8::internal::UnicodeEncoding, v8::internal::compiler::OpEqualTo<v8::internal::UnicodeEncoding>, v8::internal::compiler::OpHash<v8::internal::UnicodeEncoding> > from v8::internal::compiler::SimplifiedOperatorGlobalCache::StringFromCodePointOperator<(v8::internal::UnicodeEncoding)0> v8::internal::compiler::UnicodeEncodingOf v8::internal::compiler::EffectControlLinearizer::LowerStringFromCodePoint Recommended Security Severity: High Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_d8&range=423265:423386 Minimized Testcase (0.07 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97XnXOcq92VzVlfTnoO-T2ss2WMYjr1b-yYPXthqsUm9n45EE0eGz0hCZIm7fvcn0eyneeB7em3gB5oGBKCkEszDPq29IO7E7zD-QKI7tnYu8A3nrPdlwmqBUVdtV69WJX3DTZiEXYeLDglSuWUmGnm2qxUEA?testcase_id=5639375658680320 v6 = Array(0x8000).join(); v11 = new Set(v6); v35 = new Set(); Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Oct 6 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 6 2016
,
Oct 6 2016
jochen, could you take a look and re-assign as appropriate?
,
Oct 6 2016
,
Oct 6 2016
,
Oct 7 2016
**** Bulk edit - please ignore if not applicable **** This bug is reported as M55 Beta blocker and we're getting closer to M55 Beta promotion. Please plan to have fix ready and merged to M55 branch (2883) by 5:00 PM PT, Monday(10/10) so it has enough baking time in Dev before Beta promotion. Thank you.
,
Oct 13 2016
,
Oct 13 2016
Clusterfuzz suggests the regression might be caused by https://chromium.googlesource.com/v8/v8.git/+/aed32e0f22353527993de8bceaf246fc744558f5 - mind taking a look caitp@ ? Thanks!
,
Oct 13 2016
A quick look at the repro looks like this may be related to the undefined behaviour that Adam fixed in https://bugs.chromium.org/p/v8/issues/detail?id=5498. Is it possible this is caused by having that CL not merged into m55? I'm taking a closer look regardless, but that is probably worth checking.
,
Oct 13 2016
Actually yeah, that patch definitely needs a merge. It would be great if we could escalate that. /CC Hablich and Adam
,
Oct 14 2016
,
Oct 14 2016
Will be merged via https://bugs.chromium.org/p/v8/issues/detail?id=5498.
,
Jan 20 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||
Comment 1 by sheriffbot@chromium.org
, Oct 6 2016