!obj->IsMap() in code-serializer.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4608380184559616

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: CHECK failure
Crash Address:
Crash State:
  !obj->IsMap() in code-serializer.cc
  v8::internal::CodeSerializer::SerializeObject
  v8::internal::Serializer::ObjectSerializer::SerializePrologue
  v8::internal::Serializer::ObjectSerializer::Serialize

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=426989:426991

Minimized Testcase (0.05 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96U3CKmngH2qS8bLO-Jtsu6kuaYxvxNFGZxFOwNKI2chcrB1wcP0BA0OziLOWpZGRHWlZCirvgspQcWi9kWh_XhjEuEOnbM3UtQQyQbdAgzthuQvhfcZjQwXqWhxllApiBX8jLuP-WKs40JVOaFqX4IvCYlEg?testcase_id=4608380184559616

function __f_45() { "use asm"; return { }; }

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Dec 19 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4772847529754624

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !obj->IsMap() in code-serializer.cc

Regressed: V8: r41742:41743

Minimized Testcase (0.07 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv956KmswdlsoHxfDMZD0yCiUPuQccUQ-At9-TjFLs23B30T-ASBg8S-YKVQx4YIpyvBLyWkwytF-XxkZoh3pVbzUMzUfzQKjG0xbTJQXpnyk4lsITGJNE-35UznusGy7UWsPlr9KJepcC1V8PGxDgNx5p52r0A?testcase_id=4772847529754624

__v_1 = (function() { "use asm"; return function __f_1() { } })();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Dec 19 2016

CF points to 93e53da4c846327760c412227a6a5983c9ca86fb.

Dec 19 2016

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/07fa0f496788fcca67c21e30064eea6273939b09

commit 07fa0f496788fcca67c21e30064eea6273939b09
Author: yangguo <yangguo@chromium.org>
Date: Mon Dec 19 10:53:02 2016

[serializer] do not serialize script wrappers.

The scenario here: the asm function fails asm validation, so we emit a message. In doing so, we create a JSValue wrapper for the script object that we cache on the script object. This wrapper is context-dependent and causes the code serializer to choke.

R=mtrofin@chromium.org, titzer@chromium.org
BUG=chromium:674446,chromium:673321

Review-Url: https://codereview.chromium.org/2586943003
Cr-Commit-Position: refs/heads/master@{#41794}

[modify] https://crrev.com/07fa0f496788fcca67c21e30064eea6273939b09/src/snapshot/code-serializer.cc
[add] https://crrev.com/07fa0f496788fcca67c21e30064eea6273939b09/test/mjsunit/regress/wasm/regression-674447.js

Dec 19 2016

Yang as owner, since he already provided a fix.

Dec 20 2016

ClusterFuzz has detected this issue as fixed in range 41793:41794.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4772847529754624

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !obj->IsMap() in code-serializer.cc

Regressed: V8: r41742:41743
Fixed: V8: r41793:41794

Minimized Testcase (0.07 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv956KmswdlsoHxfDMZD0yCiUPuQccUQ-At9-TjFLs23B30T-ASBg8S-YKVQx4YIpyvBLyWkwytF-XxkZoh3pVbzUMzUfzQKjG0xbTJQXpnyk4lsITGJNE-35UznusGy7UWsPlr9KJepcC1V8PGxDgNx5p52r0A?testcase_id=4772847529754624

__v_1 = (function() { "use asm"; return function __f_1() { } })();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Dec 20 2016

Comment 1 by hablich@chromium.org, Dec 15 2016
Status: Assigned (was: Untriaged)