Stack-overflow in v8::internal::compiler::CodeGenerator::AssembleInstruction |
||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5309557770551296 Fuzzer: mbarbella_js_mutation Job Type: windows_asan_d8 Platform Id: windows Crash Type: Stack-overflow Crash Address: 0x006c2000 Crash State: v8::internal::compiler::CodeGenerator::AssembleInstruction v8::internal::compiler::CodeGenerator::GenerateCode v8::internal::compiler::GenerateCodePhase::Run Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=455700:456019 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5309557770551296 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
May 30 2017
,
May 30 2017
The issue is that CodeGenerator::AssembleInstruction() function suddenly requires 30Kb of stack while the stack overflow checks in Runtime::kCompile*() functions only ensure that we have at least 1Kb of available stack.
,
May 31 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/69aa868bb717af38c05449621365cb5d484692c6 commit 69aa868bb717af38c05449621365cb5d484692c6 Author: Igor Sheludko <ishell@chromium.org> Date: Wed May 31 09:26:03 2017 [runtime] Reserve more stack space for compilation. ... to properly handle stack overflows near the hard stack limit. Bug: chromium:716522 Change-Id: I6acdb29f039b9835bdf45b087d6561a05ed837bb Reviewed-on: https://chromium-review.googlesource.com/517799 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#45619} [modify] https://crrev.com/69aa868bb717af38c05449621365cb5d484692c6/src/bootstrapper.cc [modify] https://crrev.com/69aa868bb717af38c05449621365cb5d484692c6/src/globals.h [modify] https://crrev.com/69aa868bb717af38c05449621365cb5d484692c6/src/runtime/runtime-compiler.cc
,
May 31 2017
,
Jun 1 2017
ClusterFuzz has detected this issue as fixed in range 475879:475894. Detailed report: https://clusterfuzz.com/testcase?key=5309557770551296 Fuzzer: mbarbella_js_mutation Job Type: windows_asan_d8 Platform Id: windows Crash Type: Stack-overflow Crash Address: 0x00de2000 Crash State: v8::internal::compiler::CodeGenerator::AssembleInstruction v8::internal::compiler::CodeGenerator::AssembleCode v8::internal::compiler::PipelineImpl::AssembleCode Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=455700:456019 Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=475879:475894 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5309557770551296 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jun 6 2017
|
||||
►
Sign in to add a comment |
||||
Comment 1 by danno@chromium.org
, May 2 2017Status: Assigned (was: Untriaged)