!compiled.is_null() in asm-js.cc
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4711417350717440
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !compiled.is_null() in asm-js.cc
Regressed: V8: r41514:41515
Minimized Testcase (14.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94O3_UduRn0280v9uj8HAndP0ckNlNSSjKUW_gQ9pVvJXBwiCLYZGp9xaJFW1ywH_bcP1LSq6-JJ1nmq-JbIv-h7dnm0vQiUrWxhy1LKRkWIMHEW30mjmaEMoMHbkiAjMhfNVAGeLUGKQuW0CUnnXjWQFhwuA?testcase_id=4711417350717440
Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 20 2016
Jan 17 2017
Jan 17 2017
Repros with:
function asmModule() {
  'use asm';
  function func() {
    var a = 0, e = 0;
    // Nested assignment: the inner (e = e >>> 0) has unsigned type in asm.js,
    // and the outer | 0 coerces that result to signed before storing it in a.
    a = (e = (e >>> 0)) | 0;
  }
  return { func: func };
}
asmModule();
Jan 17 2017
Aseem, can you take a look? This appears to be something similar to the other one you found, where assignment expressions used in other assignments cause problems generating valid wasm.
Jan 20 2017
This should be problematic as e is being assigned an unsigned value. However, we should be catching it in Typer itself. Will see why it is passing through.
May 30 2017
Should no longer happen with the new validator. I triggered a redo on ClusterFuzz.
Jun 8 2017
No longer applies to new validator.
Comment 1 by hablich@chromium.org, Dec 20 2016