Issue 680119
Issue metadata

Status: Verified
Closed: Jan 2017
OS: Linux
Pri: 1
Type: Bug




!v8::internal::FLAG_enable_slow_asserts || (IsWasmInstanceWrapper(fixed_array))

Project Member Reported by ClusterFuzz, Jan 11 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5817177329631232

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (IsWasmInstanceWrapper(fixed_array))
Sanitizer: address (ASAN)

Regressed: V8: r42213:42214

Minimized Testcase (0.11 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94NTn5XUeZZlsn6Rg-kv7d-fXKJdEXFRPf3Fvv52sNsVlsSZf37XBb2bD1MzUcHMWEk1EGnDMreP7jEFTTKqmdNMU5HCRyOSa6ofYCml3ZW7Rt0iWc2ByJZu-QCuUqLBa5z498xwyCRmky8m7poEp6RvXbIgOjQuGn3qvFl70LZYnO-ydE8_QlgUV2iTrCcWz_3_DuL-eA_7ElFPccslUmJW1GWs4xSjwRwR5xBOf6o4FklQX-oFFu-FPD5_onWNxP7BUVPQWdQp5JQkM21BHpaCI-zc7nx22QBI3VKPgix01sAYULOf8DTH2p5Q3bzmgdG79RTQWDTsYU5qAfhDeMGM3YonjGJ-jmdlHsy4SyUCS-s9hlYM4S2K24hUlvRhqgUYCByTFIiE0M2BB-x0c8mDc_bVA?testcase_id=5817177329631232
var v8 = eval();                    // eval() with no arguments returns undefined
v10 = new Intl.NumberFormat();      // an unrelated object passed as the memory descriptor
v15 = new WebAssembly.Memory(v10);
v16 = v15.grow(v8);                 // grow(undefined) hits the CHECK listed in Crash State


Issue manually filed by: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ishell@chromium.org, Jan 11 2017

Cc: clemensh@chromium.org ahaas@chromium.org
Owner: titzer@chromium.org
Status: Assigned (was: Untriaged)
PTAL, CF points to 71f5650828ffd0162fcd67d9c6ef570a346a8a84.
The same crash as in issue 679947.

Comment 3 by ClusterFuzz (Project Member), Jan 12 2017

ClusterFuzz has detected this issue as fixed in range 42221:42222.

Regressed: V8: r42213:42214
Fixed: V8: r42221:42222

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 4 by ClusterFuzz (Project Member), Jan 12 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5817177329631232 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.