
Issue 721835


Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Participants' hotlists:
Hotlist-AsmJsParser



CHECK failure: !failed_ in asm-parser.cc

Project Member Reported by ClusterFuzz, May 12 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6520604890234880

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !failed_ in asm-parser.cc
  v8::internal::wasm::AsmJsParser::ForStatement
  v8::internal::wasm::AsmJsParser::ValidateStatement
  
Sanitizer: address (ASAN)

Regressed: V8: 45077:45078

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6520604890234880


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: ahaas@chromium.org
Status: Assigned (was: Untriaged)
Owner: mstarzinger@chromium.org
asm.js issue. Assigning to Michi.
Project Member Comment 3 by bugdroid1@chromium.org, May 15 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f2b9c5005c191e307323b631c63ad206586c413d

commit f2b9c5005c191e307323b631c63ad206586c413d
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon May 15 13:19:49 2017

[asm.js] Fix evaluation of first for-statement expression.

This makes sure that the evaluation result of the first expression in
for-statements is properly dropped, to leave the stack in a balanced
state after the statement. It also makes sure validation failures in
said expression are handled correctly.

R=clemensh@chromium.org
TEST=mjsunit/regress/regress-crbug-721835
BUG=chromium:721835

Change-Id: I7e6cff4cea0bbf5aad6a3459e27a08ea814dbdbe
Reviewed-on: https://chromium-review.googlesource.com/506148
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45299}
[modify] https://crrev.com/f2b9c5005c191e307323b631c63ad206586c413d/src/asmjs/asm-parser.cc
[modify] https://crrev.com/f2b9c5005c191e307323b631c63ad206586c413d/src/asmjs/asm-parser.h
[add] https://crrev.com/f2b9c5005c191e307323b631c63ad206586c413d/test/mjsunit/regress/regress-crbug-721835.js

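The commit message above describes two properties a for-statement lowering must have: the result of an expression the statement does not consume has to be dropped so the operand stack is balanced after the statement, and a validation failure inside that expression has to stop emission instead of letting the emitter run on into a CHECK. The page does not show the V8 diff itself, so the following is an added illustration, not V8 code: a toy stack-code emitter with invented names (`ToyEmitter`, `Op`, `Expr`) that lowers `for (init; cond; update) body` the balanced way and, beside it, the unbalanced variant that leaves the init result on the stack and keeps emitting after a failed expression. The `throw` in `Emit` stands in for the `CHECK(!failed_)` named in the crash state; how V8 actually structures these checks is assumed here, not taken from the page.

```cpp
// Added example, not V8 code: a toy stack-code emitter for for-statements.
// Every name in this file is invented for illustration.
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

enum class Op { kPushConst, kSetLocal, kDrop, kLoop, kBrIf, kBr, kEnd };
struct Instr { Op op; int32_t arg; };

// Minimal expression model: a literal, optionally assigned to a local.
// `valid` stands in for whatever a real validator would reject.
struct Expr { bool valid; bool is_assign; int local; int32_t value; };

class ToyEmitter {
 public:
  bool failed() const { return failed_; }
  int stack_height() const { return stack_height_; }
  const std::vector<Instr>& code() const { return code_; }

  // Balanced lowering: the unused init result is dropped, and a validation
  // failure in any sub-expression stops emission right away.
  void ForStatement(const Expr& init, const Expr& cond,
                    const Expr& update, const Expr& body) {
    EmitExpr(init);
    if (failed_) return;   // "validation failures ... handled correctly"
    Emit(Op::kDrop);       // "evaluation result ... properly dropped"
    Emit(Op::kLoop);
    EmitExpr(cond);  if (failed_) return;
    Emit(Op::kBrIf);       // pops the condition; leaves the loop when false
    EmitExpr(body);  if (failed_) return;
    Emit(Op::kDrop);
    EmitExpr(update); if (failed_) return;
    Emit(Op::kDrop);
    Emit(Op::kBr);
    Emit(Op::kEnd);
  }

  // Unbalanced lowering, kept only to show the defect: the init result stays
  // on the stack, and emission continues after a failed expression.
  void ForStatementUnbalanced(const Expr& init, const Expr& cond,
                              const Expr& update, const Expr& body) {
    EmitExpr(init);
    Emit(Op::kLoop);
    EmitExpr(cond);   Emit(Op::kBrIf);
    EmitExpr(body);   Emit(Op::kDrop);
    EmitExpr(update); Emit(Op::kDrop);
    Emit(Op::kBr);
    Emit(Op::kEnd);
  }

 private:
  // Every expression leaves exactly one value on the stack.
  void EmitExpr(const Expr& e) {
    if (!e.valid) { failed_ = true; return; }
    Emit(Op::kPushConst, e.value);
    if (e.is_assign) Emit(Op::kSetLocal, e.local);  // tee-style: value stays
  }
  void Emit(Op op, int32_t arg = 0) {
    // Stand-in for the CHECK(!failed_) from the crash state (assumed shape).
    if (failed_) throw std::logic_error("emitting after validation failure");
    code_.push_back({op, arg});
    switch (op) {
      case Op::kPushConst: ++stack_height_; break;
      case Op::kDrop: case Op::kBrIf: --stack_height_; break;
      default: break;  // kSetLocal (tee), kLoop, kBr, kEnd are neutral
    }
  }
  bool failed_ = false;
  int stack_height_ = 0;
  std::vector<Instr> code_;
};

// Constructed inputs: for (i = 0; 1; i = 1) 7;  (all expressions valid)
const Expr kInit{true, true, 0, 0}, kCond{true, false, 0, 1};
const Expr kUpdate{true, true, 0, 1}, kBody{true, false, 0, 7};
const Expr kBadInit{false, true, 0, 0};  // constructed invalid expression

int BalancedHeight() {
  ToyEmitter e; e.ForStatement(kInit, kCond, kUpdate, kBody);
  return e.stack_height();  // 0: stack balanced after the statement
}
int UnbalancedHeight() {
  ToyEmitter e; e.ForStatementUnbalanced(kInit, kCond, kUpdate, kBody);
  return e.stack_height();  // 1: the init result is still on the stack
}
bool BalancedReportsFailure() {
  ToyEmitter e; e.ForStatement(kBadInit, kCond, kUpdate, kBody);
  return e.failed() && e.code().empty();  // clean failure, nothing emitted
}
bool UnbalancedHitsCheck() {
  ToyEmitter e;
  try { e.ForStatementUnbalanced(kBadInit, kCond, kUpdate, kBody); }
  catch (const std::logic_error&) { return true; }  // the CHECK analogue fires
  return false;
}

int main() {
  std::printf("balanced height=%d unbalanced height=%d\n",
              BalancedHeight(), UnbalancedHeight());
  std::printf("balanced fails cleanly=%d unbalanced hits check=%d\n",
              BalancedReportsFailure(), UnbalancedHitsCheck());
  return 0;
}
```

Reading the two heights side by side is the point: a per-iteration imbalance of one slot is invisible to a parser that only tracks syntax, which is why a fuzzer found it rather than a reviewer, and the early `return` after a failed sub-expression is what keeps the `CHECK(!failed_)` analogue from being reached in the fixed path.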
Status: Fixed (was: Assigned)
Project Member Comment 5 by ClusterFuzz, May 16 2017

ClusterFuzz has detected this issue as fixed in range 45298:45299.

Detailed report: https://clusterfuzz.com/testcase?key=6520604890234880

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !failed_ in asm-parser.cc
  v8::internal::wasm::AsmJsParser::ForStatement
  v8::internal::wasm::AsmJsParser::ValidateStatement
  
Sanitizer: address (ASAN)

Regressed: V8: 45077:45078
Fixed: V8: 45298:45299

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6520604890234880


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
