
Issue 673241 link

Issue metadata

Status: Fixed
Closed: Dec 2016
OS: Linux
Pri: 1
Type: Bug


Crash in callee_pc

Reported by ClusterFuzz (Project Member), Dec 12 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6302334926979072

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  callee_pc
  v8::internal::WasmFrame::at_to_number_conversion
  v8::internal::Isolate::CaptureSimpleStackTrace
  
Regressed: V8: r41612:41613

Minimized Testcase (7.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96cJCXI-i4kvNoS0C601xlZQll2jCcJ1HOluhdittuwztCax2QP6p8J4TS2e7M_EfolprAsOBgwNdXhAr2S-T6S1896MmyCLypAbestljxiyZkNPRSJ4O3Mk5hbq41rsrpWak0uCnF8EQ8udYeBna6lPUlZ1Q?testcase_id=6302334926979072

Issue manually filed by: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ishell@chromium.org, Dec 12 2016

Cc: titzer@chromium.org bradnelson@chromium.org
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
CF points to 890d28f3615769c3aa82b1bdf7df12c55774f909
Status: Started (was: Assigned)

Comment 3 by bugdroid1@chromium.org (Project Member), Dec 12 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c69b48adc4cd4c36c44eac8efcac51bdbb1fdc5c

commit c69b48adc4cd4c36c44eac8efcac51bdbb1fdc5c
Author: clemensh <clemensh@chromium.org>
Date: Mon Dec 12 12:29:50 2016

[wasm] Handle potentially null callee-pc

This only happens if there is an asm.js-wasm-frame on top of the stack
trace, which was not covered by our tests so far. The regression test
creates a stack overflow in asm.js code, triggering this case.

R=mstarzinger@chromium.org
CC=titzer@chromium.org, bradnelson@chromium.org
BUG= chromium:673241 

Review-Url: https://codereview.chromium.org/2562333002
Cr-Commit-Position: refs/heads/master@{#41639}

[modify] https://crrev.com/c69b48adc4cd4c36c44eac8efcac51bdbb1fdc5c/src/frames.h
[add] https://crrev.com/c69b48adc4cd4c36c44eac8efcac51bdbb1fdc5c/test/mjsunit/regress/regress-673241.js

Status: Fixed (was: Started)

Comment 5 by ClusterFuzz (Project Member), Dec 13 2016

ClusterFuzz has detected this issue as fixed in range 41638:41639.

Regressed: V8: r41612:41613
Fixed: V8: r41638:41639

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.