Crash in v8::internal::Simulator::DecodeType3
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6475380073693184

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0xda7849bc
Crash State:
  v8::internal::Simulator::DecodeType3
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::Execute

Recommended Security Severity: Medium

Regressed: V8: r40895:40896

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96jGGc4pqJxLr8lnxWkVEDz6-1z-DN5P60KeGdXgO2Ywz8nTqhsDrW45uAzL_U5XHFBCOLd1447MztdrbdMmEjEQgASY9lANSjxt3XMWO587HcYGgvebm79m1nIjc_dmlSkdsVr1tENgpt7beY33QS0SDg3OA?testcase_id=6475380073693184

var v37 = {};
var v45 = {};
Object.prototype.__defineGetter__(0, function() {
  this[1] = -2147483648;
  this[1] = v45;
  this[1] = Array(0x8000).join();
});
v81 = v37[0];

Issue manually filed by: titzer

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 11 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5482593819820032

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0xda2849bc
Crash State:
  v8::internal::Simulator::DecodeTypeImmediate
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::Execute

Recommended Security Severity: Medium

Regressed: V8: r40895:40896

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97qYqCP0AdZv3HSwDhzHUVc7pC6Q3zXFAVxdABUaNZ3E_g2fegITFaPriB-R-VI2p14bURK6hx9e_gXmtfkQhJmZw-dmZ-mFEfwPaT4pKSRLsnh87w957EpkWSTvSC_b5eBYY0xwpdfL10TWOVUFCiAAF2Q?testcase_id=5482593819820032

var v0 = {};
Object.prototype.__defineGetter__(0, function() {
  this[1] = -2147483648;
  this[0] = v0;
});
Object.prototype.__defineSetter__(0, function() {
  this[1] = v0;
  this[0] = Array(0x8000).join();
});
v61 = new Intl.NumberFormat();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 11 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/567904f1a784595f606dd855684f25dc4358abeb

commit 567904f1a784595f606dd855684f25dc4358abeb
Author: jkummerow <jkummerow@chromium.org>
Date: Fri Nov 11 13:01:49 2016

[ic] Fix elements conversion in KeyedStoreGeneric

A SmiUntag() was missing when loading the old backing store's length.

BUG= chromium:664469

Review-Url: https://codereview.chromium.org/2492783004
Cr-Commit-Position: refs/heads/master@{#40921}

[modify] https://crrev.com/567904f1a784595f606dd855684f25dc4358abeb/src/ic/keyed-store-generic.cc
[add] https://crrev.com/567904f1a784595f606dd855684f25dc4358abeb/test/mjsunit/regress/regress-crbug-664469.js
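The commit above says the elements conversion loaded the old backing store's length without a SmiUntag(). The block below is an added illustration of that bug class, not V8's code: it models Smi tagging as done on 32-bit targets such as the arm and mipsel builds in the reports (a 31-bit integer is stored as value << 1) and compares the element count a conversion would copy when it uses the raw tagged length with the count it gets after untagging. The struct and function names are invented for the model; smi_fits only shows that the test cases' store of -2147483648 cannot be held as a Smi on those targets, so that store forces the elements kind to change.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Smi tagging as on V8's 32-bit targets: a 31-bit integer is stored as
 * value << 1, so the low bit distinguishes it from a heap pointer.
 * Model only; the names below are not V8's. */
typedef uint32_t Tagged;

static Tagged  smi_tag(int32_t v)  { return (Tagged)((uint32_t)v << 1); }
static int32_t smi_untag(Tagged t) { return (int32_t)t >> 1; }

/* Does v fit a 31-bit Smi? The repro stores -2147483648, which does not. */
static int smi_fits(int32_t v) {
    return v >= -(1 << 30) && v <= (1 << 30) - 1;
}

/* Stand-in for a FixedArray-style backing store: the length field is
 * itself stored Smi-tagged, which is what the missing SmiUntag was about. */
struct BackingStore {
    Tagged length;
    Tagged elements[];
};

static struct BackingStore *make_store(int32_t n) {
    struct BackingStore *s = malloc(sizeof *s + (size_t)n * sizeof(Tagged));
    if (!s) abort();
    s->length = smi_tag(n);
    for (int32_t i = 0; i < n; i++) s->elements[i] = smi_tag(i);
    return s;
}

/* Element count a conversion uses when it reads the length field raw
 * (untag == 0, the bug) versus after SmiUntag (untag == 1, the fix). */
static size_t conversion_count(const struct BackingStore *s, int untag) {
    return untag ? (size_t)smi_untag(s->length) : (size_t)s->length;
}

/* 1 if copying `count` elements out of s stays inside its allocation. */
static int copy_in_bounds(const struct BackingStore *s, size_t count) {
    return count <= (size_t)smi_untag(s->length);
}

int main(void) {
    struct BackingStore *old = make_store(8);
    size_t buggy = conversion_count(old, 0);
    size_t fixed = conversion_count(old, 1);
    printf("raw tagged length: copy %zu elements, in bounds: %d\n",
           buggy, copy_in_bounds(old, buggy));
    printf("untagged length:   copy %zu elements, in bounds: %d\n",
           fixed, copy_in_bounds(old, fixed));
    printf("-2147483648 fits a Smi: %d\n", smi_fits(INT32_MIN));
    free(old);
    return 0;
}
```

With the raw tagged word the count is exactly twice the real length, so a conversion driven by it reads past the end of the old store, which is consistent with the UNKNOWN READ in the ClusterFuzz reports; the untagged count stays inside the allocation.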
Nov 11 2016

Nov 11 2016

Nov 12 2016
ClusterFuzz has detected this issue as fixed in range 40919:40926.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5482593819820032

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0xda2849bc
Crash State:
  v8::internal::Simulator::DecodeTypeImmediate
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::Execute

Recommended Security Severity: Medium

Regressed: V8: r40895:40896
Fixed: V8: r40919:40926

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97qYqCP0AdZv3HSwDhzHUVc7pC6Q3zXFAVxdABUaNZ3E_g2fegITFaPriB-R-VI2p14bURK6hx9e_gXmtfkQhJmZw-dmZ-mFEfwPaT4pKSRLsnh87w957EpkWSTvSC_b5eBYY0xwpdfL10TWOVUFCiAAF2Q?testcase_id=5482593819820032

var v0 = {};
Object.prototype.__defineGetter__(0, function() {
  this[1] = -2147483648;
  this[0] = v0;
});
Object.prototype.__defineSetter__(0, function() {
  this[1] = v0;
  this[0] = Array(0x8000).join();
});
v61 = new Intl.NumberFormat();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 12 2016
ClusterFuzz has detected this issue as fixed in range 40919:40926.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6475380073693184

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0xda7849bc
Crash State:
  v8::internal::Simulator::DecodeType3
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::Execute

Recommended Security Severity: Medium

Regressed: V8: r40895:40896
Fixed: V8: r40919:40926

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96jGGc4pqJxLr8lnxWkVEDz6-1z-DN5P60KeGdXgO2Ywz8nTqhsDrW45uAzL_U5XHFBCOLd1447MztdrbdMmEjEQgASY9lANSjxt3XMWO587HcYGgvebm79m1nIjc_dmlSkdsVr1tENgpt7beY33QS0SDg3OA?testcase_id=6475380073693184

var v37 = {};
var v45 = {};
Object.prototype.__defineGetter__(0, function() {
  this[1] = -2147483648;
  this[1] = v45;
  this[1] = Array(0x8000).join();
});
v81 = v37[0];

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 14 2016

Feb 17 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 28

Comment 1 by titzer@chromium.org, Nov 11 2016
Status: Assigned (was: Untriaged)