Detailed report: https://clusterfuzz.com/testcase?key=6331903482527744
Fuzzer: libfuzzer_v8_wasm_imports_section_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Fatal error
Crash Address:
Crash State:
  v8::Isolate::DisposeSignalHandler
  v8::Utils::ReportApiFailure
  v8::Utils::ApiCheck
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=462046:462067
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95kAqb4d1xbeotx5Lep_TTOLtPnSQaRAW8h-WlZfimzCy5FZZYtK5eIdq3y7mlF80-6WJz1jeYuSwpT2gQ462on8A-1ymSrv3LAgZOG14Vu4goWv6q_-St9rd_2dWYcJSVVAJktihDkpEbUhMZ6DyMEu738hRe6PqA-OKWirmlcdfCTOkbuHQk7ZS9kHRlDSO-iU4rDPy41BqfzbhCspdOlMX1Modb1qS2gLfT8LAaeTq-Lfq0U0TVywMi07pf9BLh7Yi_TY44VM1pTDM8MRCE2dWIxXbpBJpndF2aGppY57STDtQGOMsO5glshfLVd5XX_vTb8wZby7SYwJYIb2NA72AMY73nG0N79FWTYCv5iTBOLNnUK2kwvpXJacGEQjzSuZXfTqta7Iw2iBlJFNXUMYBRkVg?testcase_id=6331903482527744

Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Most likely caused by 02b4d0e6752c7b989aab6ef817f44ceb26741169.
Most likely a dupe of issue 708714.
Thanks, indeed a duplicate.
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/88e169dc62103ef4eb1cc4a685d7471d921db044

commit 88e169dc62103ef4eb1cc4a685d7471d921db044
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Mon Apr 10 13:00:50 2017

[wasm] Stop decoding sections once an error occurred

We went on decoding the next section, which happened to be the start section. But since the function section had an error, the signature pointer was not still {nullptr} on the start function, leading to a segfault.

Drive-by fix: Improve decoder trace output.

R=ahaas@chromium.org
BUG=chromium:708714, chromium:708787
Change-Id: I5ae2adb32764b9d154f1ca878019f26ac31839b4
Reviewed-on: https://chromium-review.googlesource.com/472847
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44521}

[modify] https://crrev.com/88e169dc62103ef4eb1cc4a685d7471d921db044/src/wasm/decoder.h
[modify] https://crrev.com/88e169dc62103ef4eb1cc4a685d7471d921db044/src/wasm/module-decoder.cc
[add] https://crrev.com/88e169dc62103ef4eb1cc4a685d7471d921db044/test/mjsunit/regress/wasm/regression-708714.js
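The commit above describes a common decoder failure mode: a later section (here the start section) consumed state that an earlier, failed section (the function section) never filled in. The toy decoder below is an added illustration, not V8's module decoder and not the real wasm binary format; its section ids, `toy_wasm` namespace, `DecodeModule` function, `Signature` table and the two sample modules are all constructed for this example. The `stop_on_error` switch exists only to contrast the pre-fix loop (keep decoding after an error) with the fixed one (bail out at the first error); with the switch off the start section reaches a null signature pointer, which the example reports instead of dereferencing.

```cpp
// Added example, not V8's decoder: a toy sectioned-module decoder showing why
// decoding must stop at the first error. Format, ids and samples are constructed.
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

namespace toy_wasm {

// Toy section ids (constructed; not the real wasm section ids).
constexpr uint8_t kFunctionSection = 3;
constexpr uint8_t kStartSection = 8;

struct Signature { int param_count; };

// Fixed signature table; function-section entries refer to it by index.
static const Signature kSignatures[] = {{0}, {2}};
constexpr size_t kNumSignatures = sizeof(kSignatures) / sizeof(kSignatures[0]);

struct DecodeResult {
  bool ok = true;
  std::string error;                        // last error recorded
  std::vector<const Signature*> functions;  // nullptr where decoding failed
  int start_function = -1;
  bool start_section_visited = false;       // did the decoder reach the start section?
};

// Module layout: repeated [section id][payload length][payload bytes].
// Function section payload: [count][signature index]...
// Start section payload:    [function index]
// With stop_on_error == false the loop keeps going after an error (the behaviour
// the commit removed); the start section then sees an unfilled signature pointer.
DecodeResult DecodeModule(const std::vector<uint8_t>& bytes, bool stop_on_error) {
  DecodeResult r;
  auto fail = [&r](const char* msg) { r.ok = false; r.error = msg; };
  size_t pc = 0;
  while (pc + 2 <= bytes.size()) {
    if (stop_on_error && !r.ok) break;  // the fix: no further sections after an error
    const uint8_t id = bytes[pc];
    const size_t payload = pc + 2;
    const size_t next = payload + bytes[pc + 1];
    if (next > bytes.size()) { fail("section overruns module"); break; }

    if (id == kFunctionSection) {
      if (payload == next) fail("empty function section");
      else {
        const size_t count = bytes[payload];
        r.functions.assign(count, nullptr);  // entries are filled in only on success
        for (size_t i = 0; i < count; ++i) {
          const size_t at = payload + 1 + i;
          if (at >= next) { fail("function section truncated"); break; }
          if (bytes[at] >= kNumSignatures) { fail("invalid signature index"); break; }
          r.functions[i] = &kSignatures[bytes[at]];
        }
      }
    } else if (id == kStartSection) {
      r.start_section_visited = true;
      if (payload == next) fail("empty start section");
      else {
        const uint8_t fn = bytes[payload];
        if (fn >= r.functions.size()) fail("start function index out of range");
        else if (r.functions[fn] == nullptr)
          // An unchecked decoder would dereference this null pointer here.
          fail("start function has no signature (dangling)");
        else if (r.functions[fn]->param_count != 0) fail("start function must take no parameters");
        else r.start_function = fn;
      }
    }
    // Unknown section ids are skipped.
    pc = next;
  }
  if (r.ok && pc != bytes.size()) fail("trailing bytes");
  return r;
}

// Constructed sample modules.
// Broken: two functions declared, the second with signature index 7 (invalid);
// the start section then names function 1, whose pointer was never filled in.
const std::vector<uint8_t> kBrokenModule = {kFunctionSection, 3, 2, 0, 7, kStartSection, 1, 1};
// Valid: both signature indices exist and start function 0 takes no parameters.
const std::vector<uint8_t> kValidModule = {kFunctionSection, 3, 2, 0, 1, kStartSection, 1, 0};

}  // namespace toy_wasm

int main() {
  using toy_wasm::DecodeModule;
  for (bool stop : {false, true}) {
    auto r = DecodeModule(toy_wasm::kBrokenModule, stop);
    std::cout << "stop_on_error=" << stop << ": error=\"" << r.error
              << "\" start section visited=" << r.start_section_visited << "\n";
  }
  auto v = DecodeModule(toy_wasm::kValidModule, true);
  std::cout << "valid module: ok=" << v.ok << " start_function=" << v.start_function << "\n";
  return 0;
}
```

The pattern to take from the fixed path is that the error state is checked at the top of the section loop, so a section that depends on another section's results is never entered once that earlier section has failed; the regression test the commit adds (`regression-708714.js`) pins exactly that ordering for V8's real decoder.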
ClusterFuzz has detected this issue as fixed in range 463303:463338.
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_msan&range=463303:463338

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mummare...@chromium.org, Apr 6 2017
Labels: Test-Predator-Wrong M-59