Issue metadata
The browser and d8 crashed caused by segv
Reported by cdsrc2...@gmail.com, Jan 23 2017
Issue description
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Steps to reproduce the problem:
1. Launch chromium with these flags:
   ./chrome --js-flags="--validate-asm" --no-sandbox ./crash.html
   or launch d8 with these flags:
   ./d8 --validate-asm ./crash.js
What is the expected behavior?
What went wrong?
The browser and d8 crashed, caused by a SEGV. And the u8v array index can affect the edx register value.
asan d8 crash log:
=28027==ERROR: AddressSanitizer: SEGV on unknown address 0x00aa00000013 (pc 0x7f6e22a9669f bp 0x7fff61e85240 sp 0x7fff61e850a0 T0)
==28027==The signal is caused by a READ memory access.
#0 0x7f6e22a9669e (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0xc7969e)
#1 0x7f6e22a7779a (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0xc5a79a)
#2 0x7f6e22426a7c (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x609a7c)
#3 0x7f6e22428311 (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x60b311)
#4 0x7f6e224276d9 (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x60a6d9)
#5 0x7f6e2242719c (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x60a19c)
#6 0x7f6e2243fa49 (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x622a49)
#7 0x7f6e2243f5c2 (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x6225c2)
#8 0x7f6e22421379 (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x604379)
#9 0x7f6e225706d8 (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x7536d8)
#10 0x7f6e225725ed (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0x7555ed)
#11 0x7f6e22928f74 (/home/jinzhe-s/jsfuzzer/x64_debug/d8+0xb0bf74)
chrome windows log:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\chrome_child.dll -
eax=0018dec8 ebx=00000000 ecx=0018ddd8 edx=00000154 esi=0018ddd8 edi=00000154
eip=58ca6b91 esp=0018dd80 ebp=0018dd8c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
chrome_child!ovly_debug_event+0x3256b1:
58ca6b91 8b7a07 mov edi,dword ptr [edx+7] ds:002b:0000015b=????????
k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0018dd8c 58ca6aff chrome_child!ovly_debug_event+0x3256b1
0018dda0 58ca6ad7 chrome_child!ovly_debug_event+0x32561f
0018ddb8 58ca716d chrome_child!ovly_debug_event+0x3255f7
0018de80 58ca655e chrome_child!ovly_debug_event+0x325c8d
0018dea0 594e7402 chrome_child!ovly_debug_event+0x32507e
0018def4 594eb960 chrome_child!GetHandleVerifier+0x39351e
0018df24 594ec54a chrome_child!GetHandleVerifier+0x397a7c
0018dfa4 594e4dbc chrome_child!GetHandleVerifier+0x398666
0018e130 592630d9 chrome_child!GetHandleVerifier+0x390ed8
0018e148 58a34470 chrome_child!GetHandleVerifier+0x10f1f5
0018e2b8 58a340b3 chrome_child!ovly_debug_event+0xb2f90
0018e2ec 588eaf9c chrome_child!ovly_debug_event+0xb2bd3
Did this work before? N/A
Chrome version: 55.0.2883.87 Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 23.0 r0
Jan 24 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4996857903448064
Jan 24 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=4987370186473472
Jan 24 2017
Crashes for me on Chrome 57.0.2977.0 / OSX 10.12.2, but not the latest Canary. bradnelson@: Another short repro for a WebAssembly crash. Could you triage?
Jan 24 2017
Affects stable (Chrome 55.0.2883.95) and Beta (Chrome 56.0.2924.67) but not Canary (58.0.2990.0). bradnelson@: Could you help make sure that the fix for this (presumably in other recent related issues) gets merged to 57?
Jan 30 2017
"--validate-asm" is not active on 55, 56 or 57. Good that it is fixed on 58 already. I think this bug can already be closed?
May 25 2017
Feb 14 2018
This no longer reproduces with d8. Closing as per that and #6.
Feb 15 2018
Feb 19 2018
Feb 26 2018
I'm afraid the VRP panel declined to reward for this bug. Thanks for the report!
May 24 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot