New issue
Advanced search Search tips

Issue 708714 link

Starred by 4 users
Status: Fixed
Owner:
clemensh@chromium.org
Closed: Apr 2017
Cc:
ahaas@chromium.org
clemensh@chromium.org
adamk@chromium.org
titzer@chromium.org
dschuff@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Sign in to add a comment

Fatal error in v8::Isolate::Disposev8::Utils::ReportApiFailure

Project Member Reported by ClusterFuzz, Apr 5 2017

Comment 1 by mummare...@chromium.org, Apr 5 2017

Components: Blink>JavaScript
Labels: Test-Predator-Wrong M-59

Comment 2 by mstarzinger@chromium.org, Apr 10 2017

Cc: ahaas@chromium.org
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
Local bisect points to 02b4d0e6752c7b989aab6ef817f44ceb26741169. Reproduces nicely.

Comment 3 by mstarzinger@chromium.org, Apr 10 2017

Components: -Blink>JavaScript Blink>JavaScript>WebAssembly

Comment 4 by clemensh@chromium.org, Apr 10 2017

Status: Started (was: Assigned)

Comment 5 by clemensh@chromium.org, Apr 10 2017

Cc: clemensh@chromium.org
 Issue 708787  has been merged into this issue.

Comment 6 by clemensh@chromium.org, Apr 10 2017 

 Issue 709414  has been merged into this issue.
Project Member

Comment 7 by bugdroid1@chromium.org, Apr 10 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/88e169dc62103ef4eb1cc4a685d7471d921db044

commit 88e169dc62103ef4eb1cc4a685d7471d921db044
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Mon Apr 10 13:00:50 2017

[wasm] Stop decoding sections once an error occured

We went on decoding the next section, which happened to be the start
section. But since the function section had an error, the signature
pointer was not still {nullptr} on the start function, leading to a
segfault.

Drive-by fix: Improve decoder trace output.

R=ahaas@chromium.org
BUG= chromium:708714 ,  chromium:708787 

Change-Id: I5ae2adb32764b9d154f1ca878019f26ac31839b4
Reviewed-on: https://chromium-review.googlesource.com/472847
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44521}
[modify] https://crrev.com/88e169dc62103ef4eb1cc4a685d7471d921db044/src/wasm/decoder.h
[modify] https://crrev.com/88e169dc62103ef4eb1cc4a685d7471d921db044/src/wasm/module-decoder.cc
[add] https://crrev.com/88e169dc62103ef4eb1cc4a685d7471d921db044/test/mjsunit/regress/wasm/regression-708714.js

Comment 8 by clemensh@chromium.org, Apr 10 2017

Status: Fixed (was: Started)
Project Member

Comment 9 by ClusterFuzz, Apr 11 2017 

ClusterFuzz has detected this issue as fixed in range 463054:463440.

Detailed report: https://clusterfuzz.com/testcase?key=4807975534592000

Fuzzer: libfuzzer_v8_wasm_function_sigs_section_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: Fatal error
Crash Address: 
Crash State:
  v8::Isolate::Disposev8::Utils::ReportApiFailure
  v8_fuzzer::FuzzerSupport::~FuzzerSupport
  v8_fuzzer::DeleteFuzzerSupport
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=462049:462072
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=463054:463440

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95gWe-kwVJhZi2RPf1s-vCTpXR4Is6RsnhgBCgz64B6D0OUyaPjsd7saZvkT7EoJWe8n-9Gz5x0brVscElY22YrL8nSAbkjulCbTaBEDxOYyyqQ3EHETx9rppLOyjPL37F6KDS4SCbq63t2KIhojzKHD3I1KZ7-NrFRe501NK218i_NXvNGJfQ59fEOu7dCYvcYhyfHSJqrhHRiTo-Z7PuXidHvHYH4vMVzA3ltVvrKdqckqTsX2SuFRAOe4i-T-GOa_WQ4s9IMX6wqgPRaXulZPzI55bdbl4mpQJgnHyVVferpslWhQLnttMsrBflrarVnX7U5ppItBtw-yN9sQ_DvWNFYafBpTi35LluwdKyQOXVQruoYXrEt_qNjdBcyLT5HQ0ytzf1sdrlwoJHgUXu72X189Q?testcase_id=4807975534592000


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sign in to add a comment