
Issue 719382


Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Participants' hotlists:
Hotlist-AsmJsParser



CHECK failure: is_local ? info->kind == VarKind::kLocal : info->kind == VarKind::kGlobal in asm

Project Member Reported by ClusterFuzz, May 8 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6293741462880256

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  is_local ? info->kind == VarKind::kLocal : info->kind == VarKind::kGlobal in asm
  v8::internal::wasm::AsmJsParser::AssignmentExpression
  v8::internal::wasm::AsmJsParser::Expression
  
Sanitizer: address (ASAN)

Regressed: V8: 45077:45078

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6293741462880256


Issue manually filed by: rossberg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: bradnelson@chromium.org
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)
Project Member

Comment 2 by bugdroid1@chromium.org, May 9 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/17d1530d2122fa1ec73707d1bcfc83431061bed6

commit 17d1530d2122fa1ec73707d1bcfc83431061bed6
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Tue May 09 11:19:45 2017

[asm.js] Fix and test assignment to function imports.

This tests and fixes validation failures caused by assignments to
variables holding function references (which are all considered
immutable). Such references can come from "stdlib" or "foreign".

R=clemensh@chromium.org
TEST=mjsunit/asm/global-imports
BUG=chromium:719382

Change-Id: Ic02be765e0773a6cc74a54e11a09d42ffb683cb8
Reviewed-on: https://chromium-review.googlesource.com/500188
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45189}
[modify] https://crrev.com/17d1530d2122fa1ec73707d1bcfc83431061bed6/src/asmjs/asm-parser.cc
[modify] https://crrev.com/17d1530d2122fa1ec73707d1bcfc83431061bed6/test/mjsunit/asm/global-imports.js

Status: Fixed (was: Assigned)
Project Member

Comment 4 by ClusterFuzz, May 10 2017

ClusterFuzz has detected this issue as fixed in range 45188:45189.

Detailed report: https://clusterfuzz.com/testcase?key=6293741462880256

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  is_local ? info->kind == VarKind::kLocal : info->kind == VarKind::kGlobal in asm
  v8::internal::wasm::AsmJsParser::AssignmentExpression
  v8::internal::wasm::AsmJsParser::Expression
  
Sanitizer: address (ASAN)

Regressed: V8: 45077:45078
Fixed: V8: 45188:45189

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6293741462880256


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
