New issue
Advanced search Search tips

Issue 686063 link

Starred by 1 user
Status: WontFix
Owner:
mstarzinger@chromium.org
Closed: Feb 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security



Sign in to add a comment

Crash in v8::internal::Invoke

Project Member Reported by ClusterFuzz, Jan 27 2017 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4770566948257792

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x2ad6f208
Crash State:
  v8::internal::Invoke
  _asan::QuickCheckForUnpoisonedRegion
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=446231:446318

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97mK-6XwviQ0XULuFqv3IrjLLpTMXGo5XXU8Qthm1J9cViQae6nPDMCDIre7TZdVrpZ7ISc0zYQKhgAva4ZgWXecQAK1Dtz9Y3aKhB1pJJZtB3YGXK4uwekngrDlmaMkxQCpy4QeGKM9ZlpmuxTq1R_hBPKCEolvjXyBUEe583tHptQ_ymQxUZLj2k12DU_CU7TLNYpy1chuDVGj2eZlenT-yzMydkAq_HSTB_X1TePss4Wp2uig4SY7uf5k2-K1oKqGfaegXUfiNJNZYQuDeV7A34E50MYi2TQSPLcpbk3Rj5lZNr0OOtZ_4Jthqfvu-kRuULhuQFN8ndwamUXlcQPsJwGWnARpFbcUbstyCcJLUCZCdY?testcase_id=4770566948257792
"use strict";
var __v_10 = {};
try {
__v_23 = { toString: function() { return 42; },
           valueOf: function() { return "37"; } };
} catch(e) {; }
function __f_11() {
    return [].push.apply(__v_10, arguments);
}
__f_11();
%OptimizeFunctionOnNextCall(__f_11);
__f_11(3);


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 1 by sheriffbot@chromium.org, Jan 27 2017

Labels: M-57
Project Member

Comment 2 by sheriffbot@chromium.org, Jan 27 2017

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Jan 27 2017

Labels: Pri-1

Comment 4 by awhalley@chromium.org, Jan 27 2017

Labels: -M-57 M-58

Comment 5 by est...@chromium.org, Jan 30 2017

Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)
Over to the v8 sheriff to take a look, please

Comment 6 by mstarzinger@chromium.org, Feb 9 2017

Status: WontFix (was: Assigned)
I am unable to reproduce this, even ClusterFuzz can no longer reproduce with the original crash revision. Also the reported stack-trace makes very little sense. Unfortunately this is not actionable from the V8 side, closing.
Project Member

Comment 7 by sheriffbot@chromium.org, May 19 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 8 by ClusterFuzz, Jul 14 2017

Labels: Needs-Feedback
ClusterFuzz testcase 4770566948257792 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.

Sign in to add a comment