Issue 697870 link

Starred by 1 user

Issue metadata

Status:	Fixed
Owner:	machenb...@chromium.org
Closed:	Mar 2017
Components:	Blink>JavaScript
EstimatedDays:	----
NextAction:	----
OS:	Linux
Pri:	1
Type:	Bug
Stability-Crash Clusterfuzz Unreproducible v8-foozzie-failure

V8 correctness failure in configs: x64,ignition:x64,ignition_turbo_opt

Project Member Reported by ClusterFuzz, Mar 2 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5098927549579264

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: d14
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96pxpl_om2BJ05W5PWF9ssL6JeUwvq-1C-KrJyOceF1EIGAZlVLN8o48LmS_pl9DAV_-1lkXPsHW4WetM6KgwG0E-sLsA_Fu1VHK6jxDkLdMYXWUdML9JVpyJynvXHgmtZ4Hx2S3e03K7Mw-F98-ypRRA-cDEXI1GESD-0vA1pTHkEhdgcPTWWLbvX4tEsv6egVjv9BDDX2T-8UY6wlJIX4dssUGsLnKB3SClFS4kafffhmf6U5d19CZ365YKFw9FAxy91GRALdtV-B5vnjvI7nPyGnbuE6H4j67W9_NOUDgyaDFz-kaWfhLty7liRJR3uTH131sMX9OjlXeWqwonB8Gq_Ty73iE4R25ihFNxPXKktNUKo?testcase_id=5098927549579264


Issue manually filed by: machenbach

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by machenb...@chromium.org, Mar 2 2017

Owner: machenb...@chromium.org
Status: Assigned (was: Untriaged)

// Only repros with a time delay in the harness. Simple repro:

print(new Date())
print((new Date())["constructor"]());

// The second line circumvents the proxy.

Comment 2 by machenb...@chromium.org, Mar 2 2017

// We need to properly mock out all these cases:
print(Date())
print(new Date())
print(new (new Date())["constructor"]());
print((new Date())["constructor"]());

print(Date(10))
print(new Date(10))
print(new (new Date(10))["constructor"]());
print((new Date(10))["constructor"]());

print(new (new Date())["constructor"](10));
print((new Date())["constructor"](10));
print(new (new Date(10))["constructor"](10));
print((new Date(10))["constructor"](10));

Project Member

Comment 3 by bugdroid1@chromium.org, Mar 3 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/bf84d924c36e85e61020288cc339a7d9829ac419

commit bf84d924c36e85e61020288cc339a7d9829ac419
Author: Michael Achenbach <machenbach@chromium.org>
Date: Fri Mar 03 07:56:35 2017

[foozzie] Properly mock out Date

The old proxy only mocked out constructor calls and didn't intercept function application. It also kept the original constructor property, through which non-mocked dates could be constructed again.

BUG= chromium:697870 
NOTRY=true
R=mstarzinger@chromium.org,yangguo@chromium.org

Change-Id: Icb4ef22342424f95463a7a9c57fa0bb8d910ac19
Reviewed-on: https://chromium-review.googlesource.com/448564
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43569}
[modify] https://crrev.com/bf84d924c36e85e61020288cc339a7d9829ac419/tools/foozzie/v8_mock.js

Comment 4 by machenb...@chromium.org, Mar 3 2017

Status: Fixed (was: Assigned)

►

Issue 697870 link

Issue metadata

V8 correctness failure in configs: x64,ignition:x64,ignition_turbo_opt

Issue description

Comment 1 by machenb...@chromium.org, Mar 2 2017

Comment 1 Deleted

Comment 2 by machenb...@chromium.org, Mar 2 2017

Comment 2 Deleted

Comment 3 by bugdroid1@chromium.org, Mar 3 2017

Comment 3 Deleted

Comment 4 by machenb...@chromium.org, Mar 3 2017

Comment 4 Deleted

Sign in to add a comment