Security: Crash in WebAssembly
Reported by
chromium...@gmail.com,
Jan 20 2017
Issue description
Chrome Version: 57.0.2988.0
Operating System: Windows 7

REPRODUCTION CASE
Issue 679947 seems to still repro in 57.0.2988.0.
gdeepti@ Could you please take a look at this report? Thanks!
Jan 21 2017
Windbg output:

rax=000000000b400000 rbx=000000000321b038 rcx=0000027b4e402311
rdx=000000000030cf40 rsi=000000000b41f286 rdi=000000000030cf40
rip=000007fed396282f rsp=000000000030cee0 rbp=0000027b4e402311
 r8=0000000000000000  r9=000000000321b088 r10=000000000321b078
r11=000000000030cf60 r12=0000000000000000 r13=000000000030d310
r14=fffffffffff80000 r15=00000000031bde90
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=0000  ds=0000  es=0000  fs=0053  gs=002b             efl=00010206
*** WARNING: Unable to verify checksum for chrome_child.dll
chrome_child!v8::internal::WasmInstanceWrapper::instance_object+0x23:
000007fe`d396282f 488b5838        mov     rbx,qword ptr [rax+38h] ds:00000000`0b400038=????????????????
0:000> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
00000000`0030cee0 000007fe`d395e862 chrome_child!v8::internal::WasmInstanceWrapper::instance_object+0x23 [c:\b\build\slave\win64-pgo\build\src\v8\src\wasm\wasm-objects.h @ 420]
00000000`0030cf10 000007fe`d39580db chrome_child!v8::internal::wasm::GrowWebAssemblyMemory+0xde [c:\b\build\slave\win64-pgo\build\src\v8\src\wasm\wasm-module.cc @ 2338]
00000000`0030cf90 000007fe`d299243f chrome_child!v8::`anonymous namespace'::WebAssemblyMemoryGrow+0x12b [c:\b\build\slave\win64-pgo\build\src\v8\src\wasm\wasm-js.cc @ 649]
00000000`0030d010 000007fe`d2992025 chrome_child!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>+0x31f [c:\b\build\slave\win64-pgo\build\src\v8\src\builtins\builtins-api.cc @ 106]
00000000`0030d250 000007fe`d2991f36 chrome_child!v8::internal::Builtin_Impl_HandleApiCall+0xe1 [c:\b\build\slave\win64-pgo\build\src\v8\src\builtins\builtins-api.cc @ 135]
00000000`0030d2f0 0000029e`b4a0442b chrome_child!v8::internal::Builtin_HandleApiCall+0x32 [c:\b\build\slave\win64-pgo\build\src\v8\src\builtins\builtins-api.cc @ 123]
00000000`0030d330 000007fe`d280fccf 0x29e`b4a0442b
00000000`0030d338 0000032b`97e23359 chrome_child!v8::internal::Runtime_NewClosure_Tenured+0x1a3
Jan 23 2017
Same issue as 682874, as described there - version of v8 was rolled back in chrome so the fix was not in the chrome rev tested here.
May 3 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Jan 20 2017
Components: Blink>JavaScript>WebAssembly