Detailed report: https://clusterfuzz.com/testcase?key=6597912550440960
Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: i_isolate->has_pending_exception() in wasm-js.cc
Sanitizer: address (ASAN)
Regressed: V8: 44668:44669
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95kKlUcsqsvcp8aMGvFYyn01Afr6n0J-2EfZpgOuEUGGdK0w8vt-dRc9t4RCrluLCgLM7kTWpIXijqtzcxR_-u7Hdm-MDavwMPFnacl7S7Gjb66JbSHXiV0E2Hg91zunKgQxEG33TRqwDBdxWAaK4ps_HZ_hUbp3FnZoZn9513J5uOrp7rx02JOlXsD4JiDEDd76GqCu4TWJt44ODHnksC4PqnKXQAhZ0fSNciSNcU6EvyJb95r8ZHeqWN6686Ydq6gWS_1cEjByE7ClipALsZfmZTaeo_YW-0wjtE_AaB5NaBDu2r_gyVpVH-yFay3jxv5uoscaXFr7X5EAdcsQXaCxbfa4QIT_05VPqGH0XATifg_gO0?testcase_id=6597912550440960
Issue manually filed by: ishell
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
The issue bisects to 71cf4890d0a2bc3ac47597d724676df871a572d5, PTAL.
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/9cc672911fc08925dcfda160afe2f0624f5af1cb

commit 9cc672911fc08925dcfda160afe2f0624f5af1cb
Author: mtrofin <mtrofin@chromium.org>
Date: Tue Apr 18 19:15:12 2017

[wasm] Fix DCHECK handling pending exceptions.

+ additional fixes uncovered by bug, and addressed remaining feedback from original CL (https://codereview.chromium.org/2806073002/).

Note that the regression test differs slightly from the bug reported one, in that it catches the RangeError which will eventually be thrown due to call stack size being exceeded.

BUG= chromium:712569
Review-Url: https://codereview.chromium.org/2825073002
Cr-Commit-Position: refs/heads/master@{#44700}

[modify] https://crrev.com/9cc672911fc08925dcfda160afe2f0624f5af1cb/src/wasm/wasm-js.cc
[add] https://crrev.com/9cc672911fc08925dcfda160afe2f0624f5af1cb/test/mjsunit/regress/wasm/regress-712569.js
ClusterFuzz has detected this issue as fixed in range 44699:44700.

Detailed report: https://clusterfuzz.com/testcase?key=6597912550440960
Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: i_isolate->has_pending_exception() in wasm-js.cc
Sanitizer: address (ASAN)
Regressed: V8: 44668:44669
Fixed: V8: 44699:44700
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95kKlUcsqsvcp8aMGvFYyn01Afr6n0J-2EfZpgOuEUGGdK0w8vt-dRc9t4RCrluLCgLM7kTWpIXijqtzcxR_-u7Hdm-MDavwMPFnacl7S7Gjb66JbSHXiV0E2Hg91zunKgQxEG33TRqwDBdxWAaK4ps_HZ_hUbp3FnZoZn9513J5uOrp7rx02JOlXsD4JiDEDd76GqCu4TWJt44ODHnksC4PqnKXQAhZ0fSNciSNcU6EvyJb95r8ZHeqWN6686Ydq6gWS_1cEjByE7ClipALsZfmZTaeo_YW-0wjtE_AaB5NaBDu2r_gyVpVH-yFay3jxv5uoscaXFr7X5EAdcsQXaCxbfa4QIT_05VPqGH0XATifg_gO0?testcase_id=6597912550440960
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by ishell@chromium.org, Apr 18 2017
Owner: mtrofin@chromium.org
Status: Assigned (was: Untriaged)