
Issue 676010 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Hotlists containing this issue:
Hotlist-AsmJsParser



VariableLocation::PARAMETER == expr->obj()->AsVariableProxy()->var()->location()

Project Member Reported by ClusterFuzz, Dec 20 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5438816367411200

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  VariableLocation::PARAMETER == expr->obj()->AsVariableProxy()->var()->location()
  
Regressed: V8: r41514:41515

Minimized Testcase (7.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95pfI_v5eLMHnbUxuM8rznCG6b9qDz6tAjb-FpVOwNLGlrhrjHCU7TnZlHZeq6XaymcPp9UYTImrgo2W_cT6paiiLbxENVlLcX5i2yihobvJV32uD5NK8FSZnFo659Vv0Rvaqb5_mUa-43M3TR4uB9DhKnDpQ?testcase_id=5438816367411200

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: -mstarzinger@chromium.org titzer@chromium.org
Owner: bradnelson@chromium.org
Status: Assigned (was: Untriaged)
Cc: bradnelson@chromium.org
Owner: aseemgarg@chromium.org
Aseem, can you take a look at this one?
It looks like arguments being special ends up causing env to be from the context. This is probably just a matter of checking the same condition in the typer earlier.

This repros with the following:

function Module(stdlib, env, heap) {
  "use asm";

  var a = new stdlib.Int32Array(heap);
  var b = new stdlib.Float32Array(heap);
  var fround = stdlib.Math.fround;
  var value = env.value|0;

  function foo() {
    var x = fround(0.0);
    x = (a[0]=value|0,fround(b[0]));
    return fround(x);
  }

  return arguments.length;  // the 'arguments' reference is what makes env context-allocated
}

Module();  // the CHECK fires while V8 validates the module as asm.js
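
The following harness is an added example, not part of the bug report or of V8. It runs the posted module under ordinary JavaScript semantics to show two things a triager wants confirmed: the test case is well-formed JS (an asm.js validation failure must silently fall back to plain JS, so a CHECK failure is an engine bug), and the bare `Module()` call in the repro would throw a TypeError before the body executes, so the crash can only come from the parse-time asm.js validator/typer. `ModuleExported` is a constructed variant that exports `foo` so the comma expression's write to the shared heap can be observed; the heap size and `env.value` are chosen here and are not from the report.

```javascript
// Module is the repro from the bug report, verbatim.
function Module(stdlib, env, heap) {
  "use asm";

  var a = new stdlib.Int32Array(heap);
  var b = new stdlib.Float32Array(heap);
  var fround = stdlib.Math.fround;
  var value = env.value|0;

  function foo() {
    var x = fround(0.0);
    x = (a[0]=value|0,fround(b[0]));
    return fround(x);
  }

  return arguments.length;  // 'arguments' use: env is not a plain PARAMETER any more
}

// Constructed variant (not from the report): same body, but with a proper
// asm.js export object so foo's effect on the heap is observable.
function ModuleExported(stdlib, env, heap) {
  "use asm";

  var a = new stdlib.Int32Array(heap);
  var b = new stdlib.Float32Array(heap);
  var fround = stdlib.Math.fround;
  var value = env.value|0;

  function foo() {
    var x = fround(0.0);
    x = (a[0]=value|0,fround(b[0]));  // store as int32, reload the same bytes as float32
    return fround(x);
  }

  return { foo: foo };
}

// The repro calls Module() with no arguments. Under plain JS semantics that
// throws at `stdlib.Int32Array` before anything else runs, which is why the
// reported crash must happen during validation, not execution.
function callWithoutArgs() {
  try {
    Module();
    return "no throw";
  } catch (e) {
    return e.constructor.name;  // "TypeError"
  }
}

// Run both modules with a real stdlib/env/heap (constructed inputs).
function runRepro() {
  const heap = new ArrayBuffer(0x10000);   // 64 KiB, a valid asm.js heap size
  const env = { value: 0x41414141 };       // arbitrary marker value

  const argc = Module(globalThis, env, heap);          // plain JS: number of actual args
  const r = ModuleExported(globalThis, env, heap).foo();

  return {
    argc,
    r,
    word: new Int32Array(heap)[0],     // what foo stored via a[0]
    asFloat: new Float32Array(heap)[0] // the same 4 bytes read back as float32
  };
}
```

Running `runRepro()` returns `argc === 3`, the heap word equal to `env.value`, and `r` equal to the float32 view of that word; `callWithoutArgs()` returns `"TypeError"`. None of this involves any CHECK, which is the behaviour a correct engine must show whether or not it accepts the module as asm.js.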

Labels: Hotlist-Asm
Should no longer happen with the new validator. I triggered a redo on ClusterFuzz.
Status: WontFix (was: Assigned)
No longer applies to new validator.
