Crash in v8::internal::wasm::WasmFullDecoder::CreateOrMergeIntoPhi
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5328558069383168

Fuzzer: afl_v8_wasm_code_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000060
Crash State:
  v8::internal::wasm::WasmFullDecoder::CreateOrMergeIntoPhi
  v8::internal::wasm::WasmFullDecoder::MergeValuesInto
  v8::internal::wasm::WasmFullDecoder::DecodeFunctionBody

Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=421457:421501

Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96RaupPbCzv2hlwcaZ7yTiDZvlUWoq0VQvnckUlsHKm9gi2_Ug8G8QTA15EGS5q9aFu-JX-wnSGEnhTHzVt3Zhryqnup9GZhTnXF15rHe7XXJDY4hWgEyie77VTPgt3deMqmqaalFm9YCnCPMA0fRkdL068tQ?testcase_id=5328558069383168

Issue manually filed by: nyerramilli

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 10 2016

Oct 10 2016

Oct 13 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/0e1f6d8bfc62a09163a758322bd26a3e8696ef2c

commit 0e1f6d8bfc62a09163a758322bd26a3e8696ef2c
Author: ahaas <ahaas@chromium.org>
Date: Thu Oct 13 08:21:32 2016

[wasm] Do not create TF nodes during verification

BUG= chromium:654377
TEST=mjsunit/regress/wasm/regression-654377
R=titzer@chromium.org

Review-Url: https://codereview.chromium.org/2403013002
Cr-Commit-Position: refs/heads/master@{#40246}

[modify] https://crrev.com/0e1f6d8bfc62a09163a758322bd26a3e8696ef2c/src/wasm/ast-decoder.cc
[add] https://crrev.com/0e1f6d8bfc62a09163a758322bd26a3e8696ef2c/test/mjsunit/regress/wasm/regression-654377.js
Oct 14 2016
ClusterFuzz has detected this issue as fixed in range 424989:425001.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5328558069383168

Fuzzer: afl_v8_wasm_code_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000060
Crash State:
  v8::internal::wasm::WasmFullDecoder::CreateOrMergeIntoPhi
  v8::internal::wasm::WasmFullDecoder::MergeValuesInto
  v8::internal::wasm::WasmFullDecoder::DecodeFunctionBody

Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=421457:421501
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=424989:425001

Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96RaupPbCzv2hlwcaZ7yTiDZvlUWoq0VQvnckUlsHKm9gi2_Ug8G8QTA15EGS5q9aFu-JX-wnSGEnhTHzVt3Zhryqnup9GZhTnXF15rHe7XXJDY4hWgEyie77VTPgt3deMqmqaalFm9YCnCPMA0fRkdL068tQ?testcase_id=5328558069383168

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 14 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 18 2016

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by nyerramilli@chromium.org, Oct 10 2016
Components: Blink>JavaScript, Tools>Test>FindIt>NoResult
Labels: findit-wrong, Te-Logged