Integer-overflow in v8::internal::JSReceiver::GetCreationContext

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5847930704756736
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  v8::internal::JSReceiver::GetCreationContext
  v8::Object::CreationContext
  blink::ScriptPromisePropertyBase::resolveOrRejectInternal
Sanitizer: undefined (UBSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085
Minimized Testcase (1.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv942Es7X1x2BMMaL9oe-4_G7hWivGZ_Ync862nud_Vqx_qTfy4IronmvEl95wYs4RmGSmQnrYf6mC53Yg439tqbQKRG8MTxhPbpYDuCwXERw-acbMyd7zTcYFkNZfO0aR3su6gsUngvkV7Vnjk5B8rdrEoBoMPzqsXdjgz1oqDLr-JQ80hStQU1wXISugKjVtiEdQYQ6KEGsIrRsYFNb1LdQaAqaTx62CRqOBDAgE2mQeHy3ZwfqpsBnZwzR6lqJUETnDgH2XddxxJFO9rVhJO9NZQFsZ6_kEhyDrk572XDMe0zmyBqWFJJ6QIL1h0Im4lWIEzDSpDpbynmHBYfr2XX7jXIrFW-2qEzV4V_R9kniKjUFRxU?testcase_id=5847930704756736

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 18 2017
Please mark as a duplicate if it is the same as issue 675120. Thank you.
Jan 18 2017
Assigning to CF sheriff for further investigation.
Jan 19 2017
Blink-side failure, @eisinger, can you please triage further?
Jan 19 2017
ClusterFuzz has detected this issue as fixed in range 444318:444327.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5847930704756736
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Integer-overflow
Crash Address:
Crash State:
  v8::internal::JSReceiver::GetCreationContext
  v8::Object::CreationContext
  blink::ScriptPromisePropertyBase::resolveOrRejectInternal
Sanitizer: undefined (UBSAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=444318:444327
Minimized Testcase (1.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv942Es7X1x2BMMaL9oe-4_G7hWivGZ_Ync862nud_Vqx_qTfy4IronmvEl95wYs4RmGSmQnrYf6mC53Yg439tqbQKRG8MTxhPbpYDuCwXERw-acbMyd7zTcYFkNZfO0aR3su6gsUngvkV7Vnjk5B8rdrEoBoMPzqsXdjgz1oqDLr-JQ80hStQU1wXISugKjVtiEdQYQ6KEGsIrRsYFNb1LdQaAqaTx62CRqOBDAgE2mQeHy3ZwfqpsBnZwzR6lqJUETnDgH2XddxxJFO9rVhJO9NZQFsZ6_kEhyDrk572XDMe0zmyBqWFJJ6QIL1h0Im4lWIEzDSpDpbynmHBYfr2XX7jXIrFW-2qEzV4V_R9kniKjUFRxU?testcase_id=5847930704756736

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 19 2017
It looks like there's some caching mechanism for the FontFaceSet.ready promise, but resolveOrReject clears the cache, so when we get the promise multiple times, the second attempt to resolveOrReject appears to fail?
Jan 19 2017
ClusterFuzz testcase 5847930704756736 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 19 2017
yukishiino@, is it possible that this is a dup of issue 680013? I can't see the bug, but apparently your commit 9adcf35073ddf2e7213d5472b2edf45575b75eb0 fixed this problem.
Jan 19 2017
The minimized repro case looks quite similar to Issue 680013, and it's very very likely to be a dup.
Comment 1 by mummare...@chromium.org, Jan 18 2017