V8 correctness failure in configs: x64,ignition:x64,ignition_asm
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5161347760521216

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_asm
  sources: none
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5161347760521216

Issue manually filed by: machenbach

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 24 2017
Thanks! This is pretty much the same underlying problem as issue v8:6280 describes. I'll take a look.
Apr 24 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/f06db79c67b9b1e66f24d92170c4e87b387965f8

commit f06db79c67b9b1e66f24d92170c4e87b387965f8
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon Apr 24 13:33:35 2017

[asm.js] Treat typed array constructors as stdlib uses.

This makes sure that typed array constructors (e.g. Int8Array, ...) used
within an asm.js module are considered uses of stdlib values, and hence
are checked during module instantiation.

R=clemensh@chromium.org
TEST=mjsunit/regress/regress-6280
BUG=v8:6280, chromium:714537

Change-Id: Ic5d689f5319c4dac4e9df3dca4a8cf5a4edd890b
Reviewed-on: https://chromium-review.googlesource.com/485521
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#44800}

[modify] https://crrev.com/f06db79c67b9b1e66f24d92170c4e87b387965f8/src/asmjs/asm-js.cc
[modify] https://crrev.com/f06db79c67b9b1e66f24d92170c4e87b387965f8/src/asmjs/asm-parser.cc
[modify] https://crrev.com/f06db79c67b9b1e66f24d92170c4e87b387965f8/src/asmjs/asm-typer.h
[add] https://crrev.com/f06db79c67b9b1e66f24d92170c4e87b387965f8/test/mjsunit/regress/regress-6280.js
[modify] https://crrev.com/f06db79c67b9b1e66f24d92170c4e87b387965f8/test/mjsunit/regress/wasm/regression-647649.js
Apr 24 2017
Apr 25 2017
ClusterFuzz has detected this issue as fixed in range 44799:44800.

Detailed report: https://clusterfuzz.com/testcase?key=5161347760521216

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_asm
  sources: none
Sanitizer: address (ASAN)

Fixed: V8: 44799:44800

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5161347760521216

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by machenb...@chromium.org, Apr 24 2017
Status: Assigned (was: Untriaged)
// PTAL.

Repro:

var __f_7 = (function(__v_7, __v_10, __v_11) {
  "use asm";
  var __v_9 = new __v_7.Int32Array(__v_11);
  function __f_7() {}
  return __f_7;
})();

Output:

# Compared x64,ignition with x64,ignition_asm
#
# Flags of x64,ignition: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 732681078 --ignition --turbo-filter=~ --hydrogen-filter=~ --nocrankshaft
# Flags of x64,ignition_asm: --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 732681078 --ignition --turbo-filter=~ --hydrogen-filter=~ --nocrankshaft --validate-asm --fast-validate-asm --stress-validate-asm --suppress-asm-messages
#
# Difference:
- ./repro.js:3: TypeError: Cannot read property 'Int32Array' of undefined
#
### Start of configuration x64,ignition:

./repro.js:3: TypeError: Cannot read property 'Int32Array' of undefined
var __v_9 = new __v_7.Int32Array(__v_11);
                ^

### End of configuration x64,ignition
#
### Start of configuration x64,ignition_asm:

### End of configuration x64,ignition_asm