V8 correctness failure in configs: x64,ignition:x64,ignition_eager
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5550232940314624
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State: configs: x64,ignition:x64,ignition_eager sources: 8af
Sanitizer: address (ASAN)
Regressed: V8: 44141:44142
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv957Nz5PV_YoQbMhxzF8UUukRxtOMPoPIqOY9GwQHE3r8b8qVdKievrJk0S8VohAWKao0U1alG5cmX8SjZOFfFnOA0y5ZnjN3lWgtGm7pyK-eUeCui4elSQQQf3Ey_PtLSTywB1nxMnA3BtZxCB0SWrTkiHQOwDavV2HIyrmJp2E4rLNZf_yx3A8IctdxXCDoL7KNUIeV_jNo6tR1z6ahXusvEgdHQIb93PqJqj1iG2zgZo0Ja10-pZcTr3CU2ApexZo05Ss2MKHsQ_5lqsDqUyuLyVQXizpwAmqvarneu_cibLD-1QvPFk-SQOP3Yrq7PEEXVr7xmSko6MgdgjJKBbzMuN9aX8zmEkfiPUxMInhrTDDpuspJzJe2h-Z1toI3gtM5Q-4c_KpgFUcGY72TKD7NdUaLw?testcase_id=5550232940314624
Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 31 2017
Issue 707208 has been merged into this issue.
Mar 31 2017
PTAL. Maybe make this non-throwing and properly crashing?
Mar 31 2017

Mar 31 2017
Nice find, that reserve call is indeed invalid. I've been thinking of reverting the changes from ZoneList -> std::vector anyway because they may be responsible for some perf regressions in chromium:706748. I'll put a CL together.
Mar 31 2017

Mar 31 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/686c37839c00e1510625b6cb11a7f18a459eb2a7

commit 686c37839c00e1510625b6cb11a7f18a459eb2a7
Author: jgruber <jgruber@chromium.org>
Date: Fri Mar 31 14:38:36 2017

[regexp] Revert to ZoneList usage in @@replace

Fixes a crash found by clusterfuzz caused by a call to std::vector::reserve with a huge capacity, and reverts to ZoneList handling as a tentative fix for performance regressions on the slow @@replace path.

BUG=chromium:707187,chromium:706748,v8:5437
Review-Url: https://codereview.chromium.org/2787343002
Cr-Commit-Position: refs/heads/master@{#44311}

[modify] https://crrev.com/686c37839c00e1510625b6cb11a7f18a459eb2a7/src/runtime/runtime-regexp.cc
[add] https://crrev.com/686c37839c00e1510625b6cb11a7f18a459eb2a7/test/mjsunit/regress/regress-707187.js
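The failure the commit message describes, a std::vector::reserve call with a capacity the vector cannot hold, as a stand-alone C++ illustration added here (it is not V8's code): reserve_unguarded reports which exception such a call raises, while reserve_guarded and collect are an assumed defensive pattern that treats the size hint as untrusted and skips pre-allocation when it is implausible; kMaxHint is an assumed cap, not a V8 constant.

```cpp
#include <cstddef>
#include <new>
#include <stdexcept>
#include <vector>

// Outcome of a reserve() call, mirroring the failure mode in the commit:
// reserve() was asked for a capacity the vector cannot provide.
enum class ReserveOutcome { Ok, LengthError, BadAlloc };

// Unguarded reserve(): a huge capacity throws here, and in a build with
// exceptions disabled the same call ends in a process abort instead.
ReserveOutcome reserve_unguarded(std::vector<int>& v, std::size_t n) {
  try {
    v.reserve(n);
    return ReserveOutcome::Ok;
  } catch (const std::length_error&) {
    return ReserveOutcome::LengthError;  // n > v.max_size()
  } catch (const std::bad_alloc&) {
    return ReserveOutcome::BadAlloc;  // n <= max_size(), but no memory
  }
}

// Assumed defensive variant: pre-allocate only for plausible hints and let
// push_back grow the vector otherwise. kMaxHint is an assumed cap, not V8's.
constexpr std::size_t kMaxHint = std::size_t{1} << 20;

bool reserve_guarded(std::vector<int>& v, std::size_t hint) {
  if (hint > kMaxHint || hint > v.max_size()) return false;  // grow lazily
  v.reserve(hint);
  return true;
}

// Appends `count` values to `out`, reserving only when the hint is sane, so
// an oversized hint never reaches reserve(). Returns the resulting size.
std::size_t collect(std::vector<int>& out, std::size_t hint, std::size_t count) {
  reserve_guarded(out, hint);
  for (std::size_t i = 0; i < count; ++i) out.push_back(static_cast<int>(i));
  return out.size();
}
```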
Apr 1 2017
ClusterFuzz has detected this issue as fixed in range 44310:44311.
Detailed report: https://clusterfuzz.com/testcase?key=5550232940314624
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State: configs: x64,ignition:x64,ignition_eager sources: 8af
Sanitizer: address (ASAN)
Regressed: V8: 44141:44142
Fixed: V8: 44310:44311
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv957Nz5PV_YoQbMhxzF8UUukRxtOMPoPIqOY9GwQHE3r8b8qVdKievrJk0S8VohAWKao0U1alG5cmX8SjZOFfFnOA0y5ZnjN3lWgtGm7pyK-eUeCui4elSQQQf3Ey_PtLSTywB1nxMnA3BtZxCB0SWrTkiHQOwDavV2HIyrmJp2E4rLNZf_yx3A8IctdxXCDoL7KNUIeV_jNo6tR1z6ahXusvEgdHQIb93PqJqj1iG2zgZo0Ja10-pZcTr3CU2ApexZo05Ss2MKHsQ_5lqsDqUyuLyVQXizpwAmqvarneu_cibLD-1QvPFk-SQOP3Yrq7PEEXVr7xmSko6MgdgjJKBbzMuN9aX8zmEkfiPUxMInhrTDDpuspJzJe2h-Z1toI3gtM5Q-4c_KpgFUcGY72TKD7NdUaLw?testcase_id=5550232940314624
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by machenb...@chromium.org, Mar 31 2017
Status: Available (was: Untriaged)