Crash in v8::internal::Invoke
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6729761343930368

Fuzzer: afl_v8_wasm_call_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000fffff040
Crash State:
  v8::internal::Invoke
  CallInternal
  v8::internal::Execution::Call

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=446316:446370

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv953zaWEHYm4Nmy9buaXPYGpTKHryo5AVD37u8kvWfzXyxo5JzIGAIv6qift1zUYZ8fBLPtbnNMbonwHdYENS8DpD516ZseoeVdHm2pQ3xK7iikLlMzU5whbAN8ttOQR_fyK1rDD5K15Lt_bSJgGEAcScJlJ1cazcZsbKsrCOi2l1nyb6D0hjItIgmqTC5_wIGH5bT_1iztRTWA2FcO5_mqlh4ykB1530UfyWR4nhuBKuk53VADczwblQjKvtAjoaNN7bjMTGtSI8PM1I6HzZxRYzrZ69eCMe4bEQJzb2K7lHTskAoFaFumhEBzeb-upZH0taS6EaTuALp2nULoW0J3p08CO1C7XfhbkCwG8Zls6fqA6KnB9VUiO3IcWAVxsPG0hyhIGkq7mvjIjkr0gR6IIuYY5oA?testcase_id=6729761343930368

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Feb 6 2017

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 8 2017

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/59bb18867addf9f1d4b64eb6e1f0cf3996da07e0

commit 59bb18867addf9f1d4b64eb6e1f0cf3996da07e0
Author: Andreas Haas <ahaas@chromium.org>
Date: Wed Feb 08 10:27:45 2017

[x64] Consider both operands when emitting the REX prefix for testb.

The testb instruction requires the REX prefix when either of its operands uses a register with the high bit set. The existing code only considered the register operand. In the test case the REX prefix was not emitted because the testb instruction had the register operand RAX which does not have the high bit set. The REX prefix was necessary though because the memory operand used R8, which has the high bit set.

R=bmeurer@chromium.org
BUG=chromium:688876
Change-Id: Ib214bebbe75965664f2aea530e29afa95a54f44f
Reviewed-on: https://chromium-review.googlesource.com/439145
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43030}

[modify] https://crrev.com/59bb18867addf9f1d4b64eb6e1f0cf3996da07e0/src/x64/assembler-x64.cc
[add] https://crrev.com/59bb18867addf9f1d4b64eb6e1f0cf3996da07e0/test/mjsunit/regress/wasm/regression-688876.js
Feb 25 2017

ClusterFuzz has detected this issue as fixed in range 447007:452906.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6729761343930368

Fuzzer: afl_v8_wasm_call_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000fffff040
Crash State:
  v8::internal::Invoke
  CallInternal
  v8::internal::Execution::Call

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=446316:446370
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=447007:452906

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv953zaWEHYm4Nmy9buaXPYGpTKHryo5AVD37u8kvWfzXyxo5JzIGAIv6qift1zUYZ8fBLPtbnNMbonwHdYENS8DpD516ZseoeVdHm2pQ3xK7iikLlMzU5whbAN8ttOQR_fyK1rDD5K15Lt_bSJgGEAcScJlJ1cazcZsbKsrCOi2l1nyb6D0hjItIgmqTC5_wIGH5bT_1iztRTWA2FcO5_mqlh4ykB1530UfyWR4nhuBKuk53VADczwblQjKvtAjoaNN7bjMTGtSI8PM1I6HzZxRYzrZ69eCMe4bEQJzb2K7lHTskAoFaFumhEBzeb-upZH0taS6EaTuALp2nULoW0J3p08CO1C7XfhbkCwG8Zls6fqA6KnB9VUiO3IcWAVxsPG0hyhIGkq7mvjIjkr0gR6IIuYY5oA?testcase_id=6729761343930368

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 25 2017

ClusterFuzz testcase 6729761343930368 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 4 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Feb 6 2017

Owner: ahaas@chromium.org
Status: Assigned (was: Untriaged)