Use-after-poison in v8::internal::compiler::Node::AppendUse |
|||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6179752663842816 Fuzzer: mbarbella_js_mutation Job Type: windows_asan_d8 Platform Id: windows Crash Type: Use-after-poison WRITE 4 Crash Address: 0x08d69374 Crash State: v8::internal::compiler::Node::AppendUse v8::internal::compiler::NodeProperties::ReplaceValueInput v8::internal::compiler::EscapeAnalysis::GetOrCreateObjectState Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=450038:450108 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95w-mxfE-PdA2rhx3qXDMFT5T0O4-scC4IMaZNg_BzLZgTGepa9QMZPjtrRntnTOxpTkVnXRM-vLMlC3wKjSdC5krkAD7n7ln788nDTzbQ7RfhIkdgd6tuJlxHOvnSUdXVmqtZPX9UY_DCYrbzL6faw8SsGiwse8PjFMkLd0gsJw8cjF3BTIrTjIqLeaUX0uOElEH31mLVMp10myyhAUhW5XbJGcTJSHbcYnet0XiYNVlUrZ4a04v8CYxZ4_oEmsfVfc0WuVdK4ov5C_W8moQF1t-cdIUtGHLBeu4LF-qNLnSTaXtQFX58pJDzkLSXC1BFgCg633l_Qt738SuZenACUp4CSwBK-rPkKejlkxdOPUx5O1ND_RGSahYZ2Ctoz3mOmObqP4a2wHaErgmFmYgcFQXfN7Q?testcase_id=6179752663842816 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 19 2017
setting to Untriaged so the v8 clusterfuzz sheriffs will see it (https://github.com/v8/v8/wiki/Triaging-issues)
,
Apr 19 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 19 2017
ClusterFuzz has detected this issue as fixed in range 450818:452941. Detailed report: https://clusterfuzz.com/testcase?key=6179752663842816 Fuzzer: mbarbella_js_mutation Job Type: windows_asan_d8 Platform Id: windows Crash Type: Use-after-poison WRITE 4 Crash Address: 0x08d69374 Crash State: v8::internal::compiler::Node::AppendUse v8::internal::compiler::NodeProperties::ReplaceValueInput v8::internal::compiler::EscapeAnalysis::GetOrCreateObjectState Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=450038:450108 Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=450818:452941 Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95w-mxfE-PdA2rhx3qXDMFT5T0O4-scC4IMaZNg_BzLZgTGepa9QMZPjtrRntnTOxpTkVnXRM-vLMlC3wKjSdC5krkAD7n7ln788nDTzbQ7RfhIkdgd6tuJlxHOvnSUdXVmqtZPX9UY_DCYrbzL6faw8SsGiwse8PjFMkLd0gsJw8cjF3BTIrTjIqLeaUX0uOElEH31mLVMp10myyhAUhW5XbJGcTJSHbcYnet0XiYNVlUrZ4a04v8CYxZ4_oEmsfVfc0WuVdK4ov5C_W8moQF1t-cdIUtGHLBeu4LF-qNLnSTaXtQFX58pJDzkLSXC1BFgCg633l_Qt738SuZenACUp4CSwBK-rPkKejlkxdOPUx5O1ND_RGSahYZ2Ctoz3mOmObqP4a2wHaErgmFmYgcFQXfN7Q?testcase_id=6179752663842816 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Apr 19 2017
ClusterFuzz testcase 6179752663842816 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Apr 20 2017
,
Apr 20 2017
,
Jul 27 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by palmer@chromium.org
, Apr 19 2017Labels: M-59 OS-Android OS-Chrome OS-Linux OS-Mac Pri-1
Owner: jochen@chromium.org
Status: Assigned (was: Untriaged)