Crash in callee_pc |
|||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6302334926979072 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_ignition_dbg Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000000 Crash State: callee_pc v8::internal::WasmFrame::at_to_number_conversion v8::internal::Isolate::CaptureSimpleStackTrace Regressed: V8: r41612:41613 Minimized Testcase (7.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96cJCXI-i4kvNoS0C601xlZQll2jCcJ1HOluhdittuwztCax2QP6p8J4TS2e7M_EfolprAsOBgwNdXhAr2S-T6S1896MmyCLypAbestljxiyZkNPRSJ4O3Mk5hbq41rsrpWak0uCnF8EQ8udYeBna6lPUlZ1Q?testcase_id=6302334926979072 Issue manually filed by: ishell See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Dec 12 2016
,
Dec 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/c69b48adc4cd4c36c44eac8efcac51bdbb1fdc5c commit c69b48adc4cd4c36c44eac8efcac51bdbb1fdc5c Author: clemensh <clemensh@chromium.org> Date: Mon Dec 12 12:29:50 2016 [wasm] Handle potentially null callee-pc This only happens if there is a asm.js-wasm-frame on top of the stack trace, which was not covered by our tests so far. The regression test create a stack overflow in asm.js code, triggering this case. R=mstarzinger@chromium.org CC=titzer@chromium.org, bradnelson@chromium.org BUG= chromium:673241 Review-Url: https://codereview.chromium.org/2562333002 Cr-Commit-Position: refs/heads/master@{#41639} [modify] https://crrev.com/c69b48adc4cd4c36c44eac8efcac51bdbb1fdc5c/src/frames.h [add] https://crrev.com/c69b48adc4cd4c36c44eac8efcac51bdbb1fdc5c/test/mjsunit/regress/regress-673241.js
,
Dec 12 2016
,
Dec 13 2016
ClusterFuzz has detected this issue as fixed in range 41638:41639. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6302334926979072 Fuzzer: decoder_langfuzz Job Type: linux_asan_d8_ignition_dbg Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000000 Crash State: callee_pc v8::internal::WasmFrame::at_to_number_conversion v8::internal::Isolate::CaptureSimpleStackTrace Regressed: V8: r41612:41613 Fixed: V8: r41638:41639 Minimized Testcase (7.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96cJCXI-i4kvNoS0C601xlZQll2jCcJ1HOluhdittuwztCax2QP6p8J4TS2e7M_EfolprAsOBgwNdXhAr2S-T6S1896MmyCLypAbestljxiyZkNPRSJ4O3Mk5hbq41rsrpWak0uCnF8EQ8udYeBna6lPUlZ1Q?testcase_id=6302334926979072 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page. |
|||
►
Sign in to add a comment |
|||
Comment 1 by ishell@chromium.org
, Dec 12 2016Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)