Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4643095439474688

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:ia32,ignition
  sources: f76

Sanitizer: address (ASAN)

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96mHGMgJ7R6wSIGhTk03DLxVVV24sf017lbx6L5NS2HrxOJp4wCK0HiymUU25OB4y0bCJ-3rWvelRlUBPmucmBU9JipSjrwAvSWdsSxbTN0yO1lclYte468TdUU5YZ1KQiMHsS3eGnQG2wCORhhD3XpNRYnlVOtsJVuPpg16NZQBC_4hGuM4q-LV3Zb8me-g9Xw3VzN0l4lwTDnbDmBRDVZFfFUZ6CkSPi2kOc1JfUQG55XbEo1vcy68PwHQ-VYCxZoO4AMo857G7ZAE46T662VdAsYAcGSsXB0X05cgtzJnjjKRHw-EGSAfj741IRjv3GOLDclauTOR75mHH6SHS0_8FNPfe-scsuEmCxD0Fn_6rnAH3qqfQ7Biea2jRn4-LUoGkjgTuLVbUF4JvuluGquZ3VaVw?testcase_id=4643095439474688

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Issue 690934 has been merged into this issue.
This particular instance should be easy to fix. We probably have similar issues in other places of the code however (e.g. maximum typed array length).
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/08d84f6d23f3a5243f3c351b498d57c25d7ee7d4

commit 08d84f6d23f3a5243f3c351b498d57c25d7ee7d4
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Tue Feb 28 12:48:39 2017

[string] Fix error message in String.prototype.repeat.

R=yangguo@chromium.org
TEST=message/regress/regress-crbug-691194
BUG=chromium:691194

Change-Id: I72198e087f88abf89cdd38b99c19e10cbebda08d
Reviewed-on: https://chromium-review.googlesource.com/445942
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43480}

[modify] https://crrev.com/08d84f6d23f3a5243f3c351b498d57c25d7ee7d4/src/js/string.js
[add] https://crrev.com/08d84f6d23f3a5243f3c351b498d57c25d7ee7d4/test/message/regress/regress-crbug-691194.js
[add] https://crrev.com/08d84f6d23f3a5243f3c351b498d57c25d7ee7d4/test/message/regress/regress-crbug-691194.out
ClusterFuzz has detected this issue as fixed in range 43479:43480.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4643095439474688

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:ia32,ignition
  sources: f76

Sanitizer: address (ASAN)

Fixed: V8: 43479:43480

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96mHGMgJ7R6wSIGhTk03DLxVVV24sf017lbx6L5NS2HrxOJp4wCK0HiymUU25OB4y0bCJ-3rWvelRlUBPmucmBU9JipSjrwAvSWdsSxbTN0yO1lclYte468TdUU5YZ1KQiMHsS3eGnQG2wCORhhD3XpNRYnlVOtsJVuPpg16NZQBC_4hGuM4q-LV3Zb8me-g9Xw3VzN0l4lwTDnbDmBRDVZFfFUZ6CkSPi2kOc1JfUQG55XbEo1vcy68PwHQ-VYCxZoO4AMo857G7ZAE46T662VdAsYAcGSsXB0X05cgtzJnjjKRHw-EGSAfj741IRjv3GOLDclauTOR75mHH6SHS0_8FNPfe-scsuEmCxD0Fn_6rnAH3qqfQ7Biea2jRn4-LUoGkjgTuLVbUF4JvuluGquZ3VaVw?testcase_id=4643095439474688

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by machenb...@chromium.org, Feb 11 2017
Labels: -Pri-1 Pri-2
// PTAL. I think this error message should be equal among architectures.

try {
  "foo".repeat(1073741824);
} catch (e) {
  print(e.message);
}

// Output:
#
# Compared x64,ignition with ia32,ignition
#
# Flags of x64,ignition:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1474417455 --ignition --turbo-filter=~ --hydrogen-filter=~ --validate-asm --nocrankshaft
# Flags of ia32,ignition:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1474417455 --ignition --turbo-filter=~ --hydrogen-filter=~ --validate-asm --nocrankshaft
#
# Difference:
- Invalid string length
+ Invalid count value
#
### Start of configuration x64,ignition:
Invalid string length
### End of configuration x64,ignition
#
### Start of configuration ia32,ignition:
Invalid count value
### End of configuration ia32,ignition
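The cross-architecture inconsistency in the comment above, modelled in plain JavaScript as an added example that is not V8's src/js/string.js and not the landed fix: the per-build smi range and maximum string length are assumed stand-in values chosen so that the report's count of 1073741824 exceeds one build's limit but not the other's, `repeatBefore` is my model of the pre-fix check order, and `repeatAfter` my reading of the fix, with a differential check in the spirit of the foozzie run.

```javascript
// Added example modelling the report above; NOT V8's string.js. The per-build
// limits are assumed stand-ins picked so the report's count 1073741824 (2**30)
// exceeds the narrower smi range only: the bug is platform-dependent messages.
const CONFIGS = {
  ia32: { maxSmi: 2 ** 30 - 1, maxLength: 2 ** 28 - 16 },  // assumed values
  x64:  { maxSmi: 2 ** 31 - 1, maxLength: 2 ** 30 - 25 },  // assumed values
};

// Spec-level argument check: ToInteger(count), then reject negative/infinite.
function toCount(count) {
  const n = Math.trunc(Number(count)) || 0;   // NaN and -0 become 0
  if (n < 0 || n === Infinity) throw new RangeError("Invalid count value");
  return n;
}

// Pre-fix (modelled): a count beyond the smi range is reported as a bad count,
// so which message the caller sees depends on the build's smi width.
function repeatBefore(s, count, cfg) {
  const n = toCount(count);
  if (s.length === 0 || n === 0) return "";
  if (n > cfg.maxSmi) throw new RangeError("Invalid count value");
  if (s.length * n > cfg.maxLength) throw new RangeError("Invalid string length");
  return s.repeat(n);
}

// Post-fix (modelled): once the count itself is valid, any limit hit is a
// result-length problem, so every build names the same condition.
function repeatAfter(s, count, cfg) {
  const n = toCount(count);
  if (s.length === 0 || n === 0) return "";
  if (n > cfg.maxSmi || s.length * n > cfg.maxLength) {
    throw new RangeError("Invalid string length");
  }
  return s.repeat(n);
}

// Differential check: one input through every configuration, recording each
// build's outcome as either the result length or the error class and text.
function outcomes(impl, s, count) {
  const seen = {};
  for (const [name, cfg] of Object.entries(CONFIGS)) {
    try { seen[name] = "ok:" + impl(s, count, cfg).length; }
    catch (e) { seen[name] = `${e.constructor.name}: ${e.message}`; }
  }
  return seen;
}

// True when all configurations agree, which is what the fuzzer demands.
function isConsistent(impl, s, count) {
  return new Set(Object.values(outcomes(impl, s, count))).size === 1;
}
```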