Issue 677730 link

Starred by 2 users

Issue metadata

Status:	Verified
Owner:	haraken@chromium.org
Closed:	Mar 2017
Cc:	ifratric@google.com
Components:	Blink>JavaScript
EstimatedDays:	----
NextAction:	----
OS:	All
Pri:	1
Type:	Bug
Stability-Crash Reproducible Stability-Memory-AddressSanitizer Clusterfuzz ClusterFuzz-Verified

Crash in v8::internal::GlobalHandles::MakeWeak

Project Member Reported by ClusterFuzz, Jan 1 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5969459266453504

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::GlobalHandles::MakeWeak
  blink::ScriptWrappable::setWrapper
  blink::V8DOMWrapper::associateObjectWithWrapper
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=409589:409828

Minimized Testcase (0.37 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96XX68NXlSTTrSbFcKOeZfXHR35mTqKQolZlaLQcieH-5rfrzyBsgLHYpj0C8P_hPY00xspqt1nMHSoIkelMcOY4mm7FdPV14H6uVHBJaEtsEKuo_sM_H5OLlAvv169vR9FCowsV-PLqlWsw1NQcRlzznv6zA?testcase_id=5969459266453504
<script>
var fakestring = {toString: function() {
 /* Dictionary*/ var var00058 = { "patternUnits": [fakestring] }; 
 /* Animation*/ var var00057 = htmlvar00001.animate(var00058); 
return "1" }}
function jsfuzzer() {
 /* HTMLInputElement*/ var var00019 = document.createElement("input"); 
 var00019.width = fakestring; 
}
</script>
<body onload=jsfuzzer()<a id="htmlvar00001"</a>


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by rsesek@chromium.org, Jan 6 2017

Components: Blink>JavaScript
Labels: -OS-Mac OS-All
Owner: haraken@chromium.org
Status: Assigned (was: Untriaged)

haraken: Could this be from https://chromium.googlesource.com/chromium/src/+/120fd684181b5730f243f87189d498ce5f0a1f8d ?

Project Member

Comment 2 by ClusterFuzz, Mar 10 2017

ClusterFuzz has detected this issue as fixed in range 456043:456056.

Detailed report: https://clusterfuzz.com/testcase?key=5969459266453504

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::GlobalHandles::MakeWeak
  blink::ScriptWrappable::setWrapper
  blink::V8DOMWrapper::associateObjectWithWrapper
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=409589:409828
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=456043:456056

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96XX68NXlSTTrSbFcKOeZfXHR35mTqKQolZlaLQcieH-5rfrzyBsgLHYpj0C8P_hPY00xspqt1nMHSoIkelMcOY4mm7FdPV14H6uVHBJaEtsEKuo_sM_H5OLlAvv169vR9FCowsV-PLqlWsw1NQcRlzznv6zA?testcase_id=5969459266453504


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member

Comment 3 by ClusterFuzz, Mar 10 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)

ClusterFuzz testcase 5969459266453504 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

►

Issue 677730 link

Issue metadata

Crash in v8::internal::GlobalHandles::MakeWeak

Issue description

Comment 1 by rsesek@chromium.org, Jan 6 2017

Comment 1 Deleted

Comment 2 by ClusterFuzz, Mar 10 2017

Comment 2 Deleted

Comment 3 by ClusterFuzz, Mar 10 2017

Comment 3 Deleted

Sign in to add a comment