Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6192679416496128
Fuzzer: mbarbella_js_mutation
Job Type: linux_ubsan_vptr_d8
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x14cf2b3e3000
Crash State: NULL
Sanitizer: undefined (UBSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=416628:416781
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94FsMXRIiDRC7E_cCx7TgHjPHxttbs60qSqY6dmjvigt2sCQo5rgHottFBWCj1ayXl4oiJCe1fPOu92vtVrEe6n45rhVfrbhlJApP5BuIC9twbfVdI8GQuB5Z896S2Le0-HHj2Oq6k9zK_EpPaoo2mkkO_gszzp_LZY0iyC14T6p_itu8GcID26tcJgVq0_qlfZlE_5kCd2cUZeWZPDojzU8vJSYeECuhscY-W6_qF5qQ9JRassZH_FdZ5rLs4x-V6Ca7rrUzajUbJH2-7NHwA9B9mQM8VWCOmp0zqduj_Cv5zmXuVu_jniFbV9h-3El6KeHvJLUp4TmiNnaNJ_Xp6PRxU2qSCA6ye9ELib1cOsBeVFeZJBqQ4stQm12IL_ucViFp1tfiz-NXSheTWm84Mt6N6bWQ?testcase_id=6192679416496128

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 17 2017
Crashes Chrome Canary 59.0.3043.0 and 57.0.2987.0 on OS X. https://crash.corp.google.com/browse?q=reportid=%27d1d5bf1480000000%27
Mar 17 2017
<script>
// Build a large array whose elements are themselves arrays (the loop bound matters, see below).
arr = [];
for (let i = 0; i < 49079; i++) arr[i] = [];
// fromIndex argument whose valueOf() has a side effect: it empties arr while
// indexOf is coercing its second argument, i.e. after the builtin has already read length.
unk = {valueOf: function() { arr.length = 0; }};
arr.indexOf({}, unk);
</script>
Interestingly, the repro seems to be sensitive to the upper-bound value of the loop, and it crashes with a slightly lower top-bound on Canary than on Stable.
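The reproducer above works because a builtin reads the array length first and only then coerces its `fromIndex` argument, and that coercion runs user code. Below is an added example (not code from this bug thread or from V8; the names `specIndexOf`, `sideEffectProbe` and `probeAll` are my own) that writes `Array.prototype.indexOf` in the order ECMA-262 specifies so the side-effect window is visible, and wraps the same `valueOf`-shrinks-the-array trick into a reusable oracle. It generalizes beyond the thread by probing `lastIndexOf` and `includes` as well, since they coerce `fromIndex` the same way.

```javascript
// Added example for this thread, not code from the bug report or from V8.
// Function names (specIndexOf, sideEffectProbe, probeAll) are my own.

// Array.prototype.indexOf in the order ECMA-262 specifies: length is read
// first, fromIndex is coerced second. The coercion (ToIntegerOrInfinity)
// runs arbitrary user code via valueOf/toString, so by the time the element
// loop starts the array may be shorter than the cached `len`. A correct
// implementation therefore checks HasProperty for every index instead of
// indexing a backing store it assumed still has `len` slots; a native fast
// path has to re-validate that assumption after the coercion.
function specIndexOf(O, searchElement, fromIndex) {
  const len = O.length;                          // LengthOfArrayLike(O)
  if (len === 0) return -1;
  // ToIntegerOrInfinity(fromIndex): user valueOf() executes here.
  let n = fromIndex === undefined ? 0 : Math.trunc(Number(fromIndex));
  if (Number.isNaN(n)) n = 0;
  if (n >= len) return -1;
  let k = n >= 0 ? n : Math.max(len + n, 0);
  for (; k < len; k++) {
    // `k in O` is HasProperty: false for holes and for indices past a
    // length that shrank during coercion, so no stale-length read occurs.
    if (k in O && O[k] === searchElement) return k;
  }
  return -1;
}

// Fuzz-style oracle: run impl(arr, search, fromIndex) where fromIndex is an
// object whose valueOf() empties the array mid-call, and record the length
// before and after the coercion. An implementation that still trusts the
// earlier length would read past the live elements.
function sideEffectProbe(impl, n) {
  const arr = [];
  for (let i = 0; i < n; i++) arr[i] = [];     // same shape as the reproducer
  const seen = { calls: 0, before: -1, after: -1 };
  const fromIndex = {
    valueOf() {
      seen.calls++;
      seen.before = arr.length;
      arr.length = 0;                            // shrink while the builtin runs
      seen.after = arr.length;
      return 0;
    },
  };
  const result = impl(arr, {}, fromIndex);       // a fresh {} is never === any element
  return { result, ...seen };
}

// The same hazard applies to every builtin that coerces an argument after
// reading length; lastIndexOf and includes are the obvious siblings.
const BUILTINS = {
  indexOf: (a, s, f) => a.indexOf(s, f),
  lastIndexOf: (a, s, f) => a.lastIndexOf(s, f),
  includes: (a, s, f) => a.includes(s, f),
};
function probeAll(n) {
  const out = {};
  for (const [name, impl] of Object.entries(BUILTINS)) out[name] = sideEffectProbe(impl, n);
  return out;
}

// Example run with the reproducer's bound (49079 is taken from the thread):
// both the native builtin and the spec-ordered version must report "not
// found" without touching anything beyond the now-empty array.
const nativeProbe = sideEffectProbe(BUILTINS.indexOf, 49079);
const specProbe = sideEffectProbe(specIndexOf, 49079);
```

The probe records the length the builtin would have cached (`before`) next to the length that is live once the loop starts (`after`); a fast path that does not re-check the backing store after coercion is wrong precisely when those differ, which is the situation the reproducer triggers.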
Mar 17 2017
Users experienced this crash on the following builds:
Mac Dev 58.0.3029.19 - 0.63 CPM, 3 reports, 3 clients (signature v8::internal::`anonymous namespace'::Invoke)
Linux Beta 57.0.2987.98 - 1.16 CPM, 30 reports, 22 clients (signature v8::internal::`anonymous namespace'::Invoke)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.
- Go/Fracas
Mar 17 2017
This appears to be a pure JavaScript problem, no DOM involvement.
Mar 17 2017
Heh. Isn't this just Issue 702058?
Mar 17 2017
Users experienced this crash on the following builds:
Mac Canary 59.0.3043.0 - 0.82 CPM, 4 reports, 4 clients (signature v8::internal::`anonymous namespace'::Invoke)
Linux Beta 57.0.2987.98 - 1.15 CPM, 31 reports, 22 clients (signature v8::internal::`anonymous namespace'::Invoke)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.
- Go/Fracas
Mar 18 2017
ClusterFuzz has detected this issue as fixed in range 456626:457732.

Detailed report: https://clusterfuzz.com/testcase?key=6192679416496128
Fuzzer: mbarbella_js_mutation
Job Type: linux_ubsan_vptr_d8
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x14cf2b3e3000
Crash State: NULL
Sanitizer: undefined (UBSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=416628:416781
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=456626:457732
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94FsMXRIiDRC7E_cCx7TgHjPHxttbs60qSqY6dmjvigt2sCQo5rgHottFBWCj1ayXl4oiJCe1fPOu92vtVrEe6n45rhVfrbhlJApP5BuIC9twbfVdI8GQuB5Z896S2Le0-HHj2Oq6k9zK_EpPaoo2mkkO_gszzp_LZY0iyC14T6p_itu8GcID26tcJgVq0_qlfZlE_5kCd2cUZeWZPDojzU8vJSYeECuhscY-W6_qF5qQ9JRassZH_FdZ5rLs4x-V6Ca7rrUzajUbJH2-7NHwA9B9mQM8VWCOmp0zqduj_Cv5zmXuVu_jniFbV9h-3El6KeHvJLUp4TmiNnaNJ_Xp6PRxU2qSCA6ye9ELib1cOsBeVFeZJBqQ4stQm12IL_ucViFp1tfiz-NXSheTWm84Mt6N6bWQ?testcase_id=6192679416496128

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 25 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot