
Issue 680314 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




lang_arg->length() <= 3 in runtime-i18n.cc

Project Member Reported by ClusterFuzz, Jan 11 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6572666975944704

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  lang_arg->length() <= 3 in runtime-i18n.cc
  
Sanitizer: address (ASAN)

Regressed: V8: r42245:42246

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv945kPuiItU7EF_Qr5F3FbLDTB8WlxOUoiKX75q8YMvyV2QTtnX0GMXjcNSDnT4rR8Msn0cmuA8beVKiXf1LI9ug8fJ9aDGdxyVr1VwAnAwaiiu7y0Xyh2LVHm5dYKARxGwIudtXtN-6iC9GmJETktM_bGFk_UalglTnuv0Gv2maoBaMZbWUwyj5-52ChZDz65GvTm-K-Iu-v3N_QHbbLjxBjHMlWiZwycNvnq5stTHpMfQqsKIbpze3AgQ5fZmTZIkM0un03ip47c6UbysxcHADKmrbYQtUiKSw38mINdShnlQoEAvCP24cOLnGzTi3t_Ea1mLRcClO58TdnbiK_4u-Maszy5nIF7Py3SH0sFeIisSoh4JjPn-UPjb_O8dFE1oXUY8zJ7QXM3iU7--qpH_-OcywdQ?testcase_id=6572666975944704
 v6 = new Boolean(); 
 v10 = new String(); 
 v19 = v6.toString(); 
 v23 = v10.toLocaleUpperCase(v19); 


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Labels: Test-Predator-Wrong
Owner: js...@chromium.org
Status: Assigned (was: Untriaged)
Findit did not provide any possible suspects.
Assigning to the concerned owner from the CL --
https://chromium.googlesource.com/v8/v8/+log/84d3abe390f9c44427e3be4a4f0d6b8adc2a0614..db883422c88d1c9c2b0c4991ccc8197d07bc0ba6?pretty=fuller

@jshin -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by js...@chromium.org, Jan 12 2017

v6 = new Boolean();
v10 = new String();
v19 = v6.toString();
v23 = v10.toLocaleUpperCase(v19);

This is very strange. v19 is "false" and it should fail isStructuallyValid() test leading to an invalid arg exception even before reaching runtime-i18n.cc. 

Comment 3 by js...@chromium.org, Jan 12 2017

Status: Started (was: Assigned)
The DCHECK was wrong. It should be '8'. I overlooked the fact that BCP 47 has a 'reserved' provision for a longer primary language tag (up to 8 chars long).

https://tools.ietf.org/html/bcp47#section-2.2.1
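An added example (not V8's code, and not the fix itself) showing why the testcase reaches the runtime at all: BCP 47 section 2.2.1 classifies primary language subtags by length, and "false" (five ASCII letters, the output of Boolean#toString) has the shape of a registered language subtag, so a structural-validity check lets it through and the only thing standing in the way is the runtime's length bound. The `maxLen` parameter models that bound (3 in the regressing revision, 8 after the fix); function names are assumptions for illustration, and private-use ("x-") and grandfathered tags are out of scope.

```javascript
// Classify a primary language subtag by length, per BCP 47 section 2.2.1.
// Returns null when the subtag is not structurally valid.
function classifyPrimaryLanguage(subtag) {
  if (!/^[A-Za-z]+$/.test(subtag)) return null; // letters only
  const n = subtag.length;
  if (n === 2 || n === 3) return "iso639";     // ISO 639 code
  if (n === 4) return "reserved";              // reserved for future use
  if (n >= 5 && n <= 8) return "registered";   // registered language subtag
  return null;                                 // 1 letter or >8: invalid
}

// Model of the invariant the runtime asserted (hypothetical helper, not the
// V8 function): callers have already run a structural check, so the runtime
// only asserts an upper bound on the primary subtag length. With maxLen = 3
// a structurally valid 5-letter subtag trips the assertion; with 8 it passes.
function runtimeLengthCheckPasses(languageTag, maxLen) {
  const primary = languageTag.split("-")[0];
  if (classifyPrimaryLanguage(primary) === null) {
    // This is the path comment 2 expected the fuzzer input to take.
    throw new RangeError("invalid language tag: " + languageTag);
  }
  return primary.length <= maxLen;
}

// The fuzzer's argument, reconstructed from the minimized testcase:
// Boolean#toString() yields "false", which classifies as "registered".
const fuzzerArg = new Boolean().toString();

// Sample tags (constructed) covering each length class plus two invalid ones.
const samples = ["en", "zh-Hant-TW", "abcd", fuzzerArg, "toolongtag", "e1"];
function classifyAll(tags) {
  return tags.map((t) => [t, classifyPrimaryLanguage(t.split("-")[0])]);
}
```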


Project Member

Comment 4 by ClusterFuzz, Jan 14 2017

ClusterFuzz has detected this issue as fixed in range 42342:42343.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6572666975944704

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  lang_arg->length() <= 3 in runtime-i18n.cc
  
Sanitizer: address (ASAN)

Regressed: V8: r42245:42246
Fixed: V8: r42342:42343

Minimized Testcase (0.10 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv945kPuiItU7EF_Qr5F3FbLDTB8WlxOUoiKX75q8YMvyV2QTtnX0GMXjcNSDnT4rR8Msn0cmuA8beVKiXf1LI9ug8fJ9aDGdxyVr1VwAnAwaiiu7y0Xyh2LVHm5dYKARxGwIudtXtN-6iC9GmJETktM_bGFk_UalglTnuv0Gv2maoBaMZbWUwyj5-52ChZDz65GvTm-K-Iu-v3N_QHbbLjxBjHMlWiZwycNvnq5stTHpMfQqsKIbpze3AgQ5fZmTZIkM0un03ip47c6UbysxcHADKmrbYQtUiKSw38mINdShnlQoEAvCP24cOLnGzTi3t_Ea1mLRcClO58TdnbiK_4u-Maszy5nIF7Py3SH0sFeIisSoh4JjPn-UPjb_O8dFE1oXUY8zJ7QXM3iU7--qpH_-OcywdQ?testcase_id=6572666975944704
 v6 = new Boolean(); 
 v10 = new String(); 
 v19 = v6.toString(); 
 v23 = v10.toLocaleUpperCase(v19); 


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, Jan 14 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 6572666975944704 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
