Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6289287198015488
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_chrome_v8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x0000000003fc
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Function::Call
Sanitizer: address (ASAN)
Regressed: V8: 43303:43324
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97zGKs_fs_mtTPvJRdc_12BtaTv_nlnv91q5T_2SVPPcY98Sa0K8fYxCbODhLHBn3zxLwPyHT1zgop181mdk5oj6-nWWLcWPe8zTxWO0027qic9og_1z6yZKcy5RdiOK_U69LYwE7zJoq69-Gu55iXhSufXTOvvfRlNZEHZkZdRpAU3imQuMOvm0Czf9obi5sO1hejzoc0FnE0D1sU-B-W7VwHfP5hrSPI-Zr2a-X6bMbTM78Ve9z5a3apicJgZvAJk0Rkc0jMAxZEKnBDPuWEyNYq8D5K9gKaL3fuUAlvEeCmSrMWbpm8TIb8EQStqSLSgav1fNa8mOMrp18r_NO-YQrBkHtJlAVdRsKie71vr0Mpjnl4?testcase_id=6289287198015488
Issue manually filed by: titzer
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Working on reproducing this, as this didn't repro easily with ClusterFuzz's testcase and the associated build. Looks to be an issue with instantiating asm.js across workers...
Yep, the repro requires --validate-asm
Comment 1 by titzer@chromium.org, Feb 24 2017