Crash in v8::ShellArrayBufferAllocator::Allocate
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6742528012582912

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  v8::ShellArrayBufferAllocator::Allocate
  v8::internal::JSArrayBuffer::SetupAllocatingData
  v8::internal::Builtin_Impl_ArrayBufferConstructor_ConstructStub

Regressed: V8: r41153:41154

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96yyTldj3G2hL3PzmNvA9esjjm_sdP4-E0Sza99xeB3nup_OQH0grQlDv-sF5vQ-0dfpHVHEuTINbanMTDuZoODFvd36YOTpsEdZ0TXZVNFinC1C550yUk9Na8vdxxLhHqmty3GyhbiUMQJIxOTxTs2p5-xog?testcase_id=6742528012582912

RangeError.prototype.__defineGetter__("name", function() { return 2147483647; })
v40 = new RangeError();
v65 = new ArrayBuffer(v40);
v78 = v65.slice();

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 22 2016
Looks like the zero-initialized check should only run if data is not null.
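As an added example (not from the bug report, the fuzzer, or the fix), the script below traces the coercion path the minimized testcase relies on: `new ArrayBuffer(v40)` applies ToIndex to a RangeError object, ToNumber runs ToPrimitive, `valueOf()` returns the object and is skipped, and `toString()` is `Error.prototype.toString`, which reads `name` and so runs the script-installed getter. The length that reaches `ShellArrayBufferAllocator::Allocate` is therefore entirely script-chosen. The helper names (`coerceArrayBufferLength`, `runTestcase`, `coerceWithoutGetter`) and the trace strings are this example's own, and the ToIndex mirror is simplified (V8's upper-bound and allocation-size checks are left out; they do not change the outcome for 2147483647).

```javascript
// Added example, not code from the V8 bug report or from the fix in
// 5a1fbe24. It traces how the minimized testcase turns a RangeError object
// into the ArrayBuffer length that reaches ShellArrayBufferAllocator::Allocate.
// The helper names and the trace strings are this example's own.

// Simplified mirror of the spec's ToIndex as applied by the ArrayBuffer
// constructor. Number(value) performs ToNumber -> ToPrimitive(hint "number"):
// valueOf() (Object.prototype.valueOf returns the object, so it is skipped)
// and then toString(). For an Error, toString() reads `name` and `message`,
// so a getter installed on RangeError.prototype.name decides the result.
// Assumption: V8's extra checks (length <= 2^53 - 1, maximum allocation size)
// are omitted here; they do not change the outcome for 2147483647.
function coerceArrayBufferLength(value, trace) {
  if (value === undefined) return 0;
  const n = Number(value);
  trace.push(`ToNumber -> ${n}`);
  if (Number.isNaN(n)) return 0;                 // ToIntegerOrInfinity(NaN) = 0
  const index = Math.trunc(n);
  if (index < 0) throw new RangeError("Invalid array buffer length");
  return index;
}

// Installs the same getter as the ClusterFuzz testcase, logs every time it
// fires, and returns the length the constructor would request. The original
// `name` descriptor is restored afterwards so later callers are unaffected.
function runTestcase() {
  const trace = [];
  const saved = Object.getOwnPropertyDescriptor(RangeError.prototype, "name");
  Object.defineProperty(RangeError.prototype, "name", {
    configurable: true,
    get() {
      trace.push("RangeError.prototype.name getter ran");
      return 2147483647;
    },
  });
  try {
    const err = new RangeError();            // v40 in the testcase
    // Error.prototype.toString: message is "", so the result is ToString(name).
    trace.push(`String(err) = "${String(err)}"`);
    const length = coerceArrayBufferLength(err, trace);   // length for v65
    return { length, trace };
  } finally {
    Object.defineProperty(RangeError.prototype, "name", saved);
  }
}

// Without the getter the same object stringifies to "RangeError", which
// coerces to NaN and so to length 0.
function coerceWithoutGetter() {
  return coerceArrayBufferLength(new RangeError(), []);
}

const result = runTestcase();
console.log(result.trace.join("\n"));
console.log("requested length:", result.length);
```

Run it with node. The point for the allocator side: because the length is chosen by script, the backing allocation can legitimately fail (here on the ASan ARM debug build), and `Allocate` has to return the null result untouched instead of verifying or zeroing memory it never got, which is exactly the check the revision in this thread moves behind a null test.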
Nov 22 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/5a1fbe24ba7052b410a09695e0bed3ac571e0ac4

commit 5a1fbe24ba7052b410a09695e0bed3ac571e0ac4
Author: titzer <titzer@chromium.org>
Date: Tue Nov 22 12:36:20 2016

[d8] Do not try to verify zero-ness of failed virtual memory allocation.

BUG= chromium:667603
R=clemensh@chromium.org

Review-Url: https://codereview.chromium.org/2519363002
Cr-Commit-Position: refs/heads/master@{#41174}

[modify] https://crrev.com/5a1fbe24ba7052b410a09695e0bed3ac571e0ac4/src/d8.cc
[add] https://crrev.com/5a1fbe24ba7052b410a09695e0bed3ac571e0ac4/test/mjsunit/regress/regress-667603.js
Nov 22 2016
Nov 23 2016
ClusterFuzz has detected this issue as fixed in range 41173:41174.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6742528012582912

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  v8::ShellArrayBufferAllocator::Allocate
  v8::internal::JSArrayBuffer::SetupAllocatingData
  v8::internal::Builtin_Impl_ArrayBufferConstructor_ConstructStub

Regressed: V8: r41153:41154
Fixed: V8: r41173:41174

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96yyTldj3G2hL3PzmNvA9esjjm_sdP4-E0Sza99xeB3nup_OQH0grQlDv-sF5vQ-0dfpHVHEuTINbanMTDuZoODFvd36YOTpsEdZ0TXZVNFinC1C550yUk9Na8vdxxLhHqmty3GyhbiUMQJIxOTxTs2p5-xog?testcase_id=6742528012582912

RangeError.prototype.__defineGetter__("name", function() { return 2147483647; })
v40 = new RangeError();
v65 = new ArrayBuffer(v40);
v78 = v65.slice();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by msrchandra@chromium.org, Nov 22 2016
Labels: Test-Predator-Wrong-CLs
Owner: titzer@chromium.org
Status: Assigned (was: Untriaged)