AllowCodeDependencyChange::IsAllowed() in objects.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6398020657872896
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: AllowCodeDependencyChange::IsAllowed() in objects.cc
Regressed: V8: r41514:41515
Minimized Testcase (7.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94EopFKi-UzdXCVm3JTdjeksWgeBux4FfoGLUEOgNpN4Wncf0ddPPrpR0KMGEXWny3pbrJ2R6WZc_eucqfoTKdiusodDvq1BNNBV2eFvGT_i9Wro0lxcL6txDxcCUyhM7RzAgsOY0qkuLrjbw1r3G8K4m6fIw?testcase_id=6398020657872896
Issue manually filed by: titzer
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 8 2016
Unable to repro.
Dec 8 2016
Reproduces with 05b6741f0184662542487c3982b64beba587135b (the crashing revision mentioned in the CF report) but no longer with tip-of-tree. I kicked off a bisection on CF so that it figures out which change fixed it; it should post a comment here once the bisection has finished. Reproduces as follows:

$ ./out/x64.debug/d8 --ignition-staging ~/Downloads/ClusterFuzz/6398020657872896/mutant15348_pointer-masking.js
Dec 8 2016
ClusterFuzz has detected this issue as fixed in range 41575:41576.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6398020657872896
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: AllowCodeDependencyChange::IsAllowed() in objects.cc
Regressed: V8: r41514:41515
Fixed: V8: r41575:41576
Minimized Testcase (7.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94EopFKi-UzdXCVm3JTdjeksWgeBux4FfoGLUEOgNpN4Wncf0ddPPrpR0KMGEXWny3pbrJ2R6WZc_eucqfoTKdiusodDvq1BNNBV2eFvGT_i9Wro0lxcL6txDxcCUyhM7RzAgsOY0qkuLrjbw1r3G8K4m6fIw?testcase_id=6398020657872896
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 8 2016
ClusterFuzz testcase 6398020657872896 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 13 2016
Dec 13 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6118408321236992
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: AllowCodeDependencyChange::IsAllowed() in objects.cc
Regressed: V8: r41514:41515
Minimized Testcase (6.07 Kb): https://cluster-fuzz.appspot.com/download/AMIfv969TiUSePR40QuIodOuk-0nx0iXgbxSSAxKVdfobaRPluuOs5DoCziWqNigdBa2DAFpBeVQJHB7zBXxX9M5DCr0fdtnqwjge9QO3WMmq34y-TSucOIIiKlcoeP0MZ4JVBXAGVFABXF2wrYEbYRFdQXV4CJGcQ?testcase_id=6118408321236992
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 13 2016
Still reproduces on ToT:

out/x64.debug/d8 -e "load('test.js');" --ignition-staging

===== test.js ====
var if1 = (function Module() {
  "use asm";
  function if1(i, j) {
    i = i|0;
    j = j|0;
    if (i = i | 0) return 0;
    return 1;
  }
  return {if1: if1};
})().if1;
Dec 13 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5976352110149632
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !isolate->has_pending_exception() in compiler.cc
Regressed: V8: r41514:41515
Minimized Testcase (0.73 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94oQv8MculpuuZXoB3miBfGjCZd8v5nnurrzKR_ty-TsQP_WtJd4AixgLdQEOWrSr_0vPXrwkVnMeNKBnsNeC21qSlTU_9lSWsQsgOQiwEPt82zTSoJYFwnEGxgKCLyKRQPyUonLT7VWEwTX7sa-ubHCKL1tQ?testcase_id=5976352110149632
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 13 2016
CF points to 3e8a67e5406be46e971908d69af93bf92b6ff980.
Jan 11 2017
ClusterFuzz has detected this issue as fixed in range 42190:42191.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5976352110149632
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !isolate->has_pending_exception() in compiler.cc
Sanitizer: address (ASAN)
Regressed: V8: r41514:41515
Fixed: V8: r42190:42191
Minimized Testcase (0.73 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94oQv8MculpuuZXoB3miBfGjCZd8v5nnurrzKR_ty-TsQP_WtJd4AixgLdQEOWrSr_0vPXrwkVnMeNKBnsNeC21qSlTU_9lSWsQsgOQiwEPt82zTSoJYFwnEGxgKCLyKRQPyUonLT7VWEwTX7sa-ubHCKL1tQ?testcase_id=5976352110149632
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 12 2017
ClusterFuzz has detected this issue as fixed in range 42220:42221.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6118408321236992
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: AllowCodeDependencyChange::IsAllowed() in objects.cc
Sanitizer: address (ASAN)
Regressed: V8: r41514:41515
Fixed: V8: r42220:42221
Minimized Testcase (6.07 Kb): https://cluster-fuzz.appspot.com/download/AMIfv969TiUSePR40QuIodOuk-0nx0iXgbxSSAxKVdfobaRPluuOs5DoCziWqNigdBa2DAFpBeVQJHB7zBXxX9M5DCr0fdtnqwjge9QO3WMmq34y-TSucOIIiKlcoeP0MZ4JVBXAGVFABXF2wrYEbYRFdQXV4CJGcQ?testcase_id=6118408321236992
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by titzer@chromium.org, Dec 7 2016
Status: Assigned (was: Untriaged)