Use-after-poison in v8::internal::compiler::InstructionSelector::VisitNode |
||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5348947804815360 Fuzzer: mbarbella_js_mutation Job Type: linux_v8_d8_be Platform Id: linux Crash Type: Use-after-poison READ 8 Crash Address: 0x62500005a168 Crash State: v8::internal::compiler::InstructionSelector::VisitNode v8::internal::compiler::InstructionSelector::VisitBlock v8::internal::compiler::InstructionSelector::SelectInstructions Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=linux_v8_d8_be&range=43885:43912 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5348947804815360 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Apr 25 2017
,
Apr 26 2017
,
Apr 26 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 26 2017
We're aiming for an M59 Beta release tomorrow. Can you please take a look to see if this is an RB-Stable security issue?
,
Apr 26 2017
,
Apr 26 2017
,
Apr 27 2017
I reproduce this with the revision that caused the original crash (i.e. f0e3f8ea6f5b614259c6b5f1b87d64f31711f0bb) but it only triggers with --preparser-scope-analysis, a feature we are not yet shipping (neither on Stable nor on Canary). I am hence lowering the priority and removing blocker labels. I am unable to reproduce on tip-of-tree, but assigning anyways because the report might be interesting. Marja, feel free to close or de-duplicate this issue if it is already fixed. Here is how to reproduce against the original revision: $ git checkout f0e3f8ea6f5b614259c6b5f1b87d64f31711f0bb $ make -j1000 x64.debug $ ./out/x64.debug/d8 --always-opt --preparser-scope-analysis ~/Downloads/clusterfuzz-testcase-minimized-5348947804815360.js # # Fatal error in .././src/signature.h, line 27 # Check failed: index < parameter_count_. #
,
Apr 27 2017
,
Apr 28 2017
,
May 1 2017
hi marja@chromium.org can you give an update on this, is this already fixed in trunk? can you point at the revision that might have fixed it?
,
May 2 2017
From #8, looks like this isn't shipping with M59?
,
May 3 2017
I'd assume it's not fixed, but we're indeed not shipping --preparser-scope-analysis (or --experimental-preparser-scope-analysis as it's called now), so it should be fine.
,
May 3 2017
,
May 5 2017
when will this be shipping - m60?
,
May 6 2017
Not in the coming weeks. Why? I'll of course give a second look to all of these bugs before flipping the flag on.
,
May 21 2017
marja: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 25 2017
,
Jun 5 2017
marja: Uh oh! This issue still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 6 2017
,
Jul 6 2017
ClusterFuzz testcase 5348947804815360 is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Oct 13 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
||||||||||||||
►
Sign in to add a comment |
||||||||||||||
Comment 1 by palmer@chromium.org
, Apr 25 2017Components: Blink>JavaScript
Labels: OS-Android OS-Chrome OS-Mac OS-Windows Pri-1
Owner: jochen@chromium.org
Status: Assigned (was: Untriaged)