
Issue 724153

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug




CHECK failure: val <= std::min(static_cast<size_t>(std::numeric_limits<N>::max()), static_cast<

Project Member Reported by ClusterFuzz, May 18 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6163063559684096

Fuzzer: mbarbella_js_mutation
Job Type: linux_cfi_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  val <= std::min(static_cast<size_t>(std::numeric_limits<N>::max()), static_cast<
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=472684:472755

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6163063559684096


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Reproduces in d8, and bisect to....
0f716acadaed1d9e194593543dbe1340d600d6fc: Turn on Ignition + TurboFan :/
Cc: clemensh@chromium.org
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
The test case creates a function with 65535 parameters. The BytecodeGraphBuilder then tries to create a Start node with value_output_count=65540, which is out of bounds for the uint16_t range.

Benedikt, can you take this over?
Cc: bmeu...@chromium.org jarin@chromium.org
Owner: mstarzinger@chromium.org
Issue 724406 has been merged into this issue.
Project Member Comment 5 by ClusterFuzz, May 27 2017

Labels: OS-Windows
Project Member Comment 6 by bugdroid1@chromium.org, May 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f7f03da0d3d4c0cd065410b918762951ffa97497

commit f7f03da0d3d4c0cd065410b918762951ffa97497
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon May 29 15:49:06 2017

[turbofan] Fix value output count range on Operator.

This widens the range of value output counts to 32 bit on the {Operator}
class. Note that the limit imposed by the parser is 65535 parameters for
each function, but the {Start} node has additional value outputs.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-724153
BUG= chromium:724153 

Change-Id: I21b5d947cc2305b255ddbbff6ec1dfa5c02784c7
Reviewed-on: https://chromium-review.googlesource.com/517489
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45573}
[modify] https://crrev.com/f7f03da0d3d4c0cd065410b918762951ffa97497/src/compiler/bytecode-graph-builder.cc
[modify] https://crrev.com/f7f03da0d3d4c0cd065410b918762951ffa97497/src/compiler/bytecode-graph-builder.h
[modify] https://crrev.com/f7f03da0d3d4c0cd065410b918762951ffa97497/src/compiler/operator.cc
[modify] https://crrev.com/f7f03da0d3d4c0cd065410b918762951ffa97497/src/compiler/operator.h
[modify] https://crrev.com/f7f03da0d3d4c0cd065410b918762951ffa97497/src/compiler/pipeline.cc
[add] https://crrev.com/f7f03da0d3d4c0cd065410b918762951ffa97497/test/mjsunit/regress/regress-crbug-724153.js

Status: Fixed (was: Assigned)
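The crash in this report is a checked narrowing conversion refusing a value that does not fit its target type, and the fix widens the target. The following C++ block is an added illustration, not V8 code and not the patch above: `CheckedNarrow` is a hypothetical helper modelled on the `val <= std::min(...)` condition in the crash state, `kExtraStartOutputs` is simply the difference between the 65540 reported in the comment and the 65535-parameter limit (which outputs those are is not stated here), and `FitsInUint16`/`FitsInUint32` stand in for the pre- and post-fix output-count types.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <type_traits>

// Hypothetical checked narrowing helper (not V8's). It mirrors the shape of the
// CHECK in the report: the value is accepted only if it is <= the smaller of the
// target type's maximum and the source type's maximum; otherwise it reports
// failure instead of silently truncating. Returns true and writes *out on
// success, false on overflow.
template <typename Dst>
bool CheckedNarrow(size_t val, Dst* out) {
  static_assert(std::is_unsigned<Dst>::value,
                "example covers unsigned target types only");
  const size_t limit =
      std::min(static_cast<size_t>(std::numeric_limits<Dst>::max()),
               std::numeric_limits<size_t>::max());
  if (val > limit) return false;
  *out = static_cast<Dst>(val);
  return true;
}

// Constructed from the figures in the bug: the parser allows at most 65535
// parameters, and the comment reports 65540 value outputs for such a function,
// so the Start node carries 5 outputs beyond the parameters. Which outputs
// those are is not stated on the page; the constant is just the difference.
constexpr size_t kMaxParameters = 65535;
constexpr size_t kExtraStartOutputs = 65540 - kMaxParameters;  // == 5

size_t StartValueOutputCount(size_t parameter_count) {
  return parameter_count + kExtraStartOutputs;
}

// Pre-fix shape: the output count is stored in a 16-bit field, so the checked
// conversion fails (in V8, the CHECK fires) once the count exceeds 65535.
bool FitsInUint16(size_t parameter_count) {
  uint16_t count16 = 0;
  return CheckedNarrow<uint16_t>(StartValueOutputCount(parameter_count), &count16);
}

// Post-fix shape: the field is 32 bits wide, so every count the parser can
// produce is representable.
bool FitsInUint32(size_t parameter_count) {
  uint32_t count32 = 0;
  return CheckedNarrow<uint32_t>(StartValueOutputCount(parameter_count), &count32);
}

// For contrast: an unchecked static_cast does not fail, it wraps modulo 2^16,
// turning 65540 into 4. A checked conversion turns that silent corruption into
// a fail-stop, which is why this bug surfaced as a CHECK failure.
uint16_t UncheckedNarrow(size_t val) { return static_cast<uint16_t>(val); }

int main() {
  std::printf("65535 params -> %zu outputs; fits uint16_t: %s; fits uint32_t: %s\n",
              StartValueOutputCount(kMaxParameters),
              FitsInUint16(kMaxParameters) ? "yes" : "no",
              FitsInUint32(kMaxParameters) ? "yes" : "no");
  std::printf("unchecked static_cast<uint16_t>(65540) = %u\n",
              static_cast<unsigned>(UncheckedNarrow(65540)));
  return 0;
}
```

The point of the contrast is that the 16-bit field was not itself the dangerous part; the CHECK was. Without it, the count would have wrapped to a small number and the graph builder would have continued with a Start node that claims far fewer outputs than it has, which is the kind of inconsistency a fuzzer-found crash is preferable to.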
Project Member Comment 8 by ClusterFuzz, Jun 1 2017

ClusterFuzz has detected this issue as fixed in range 474309:475964.

Detailed report: https://clusterfuzz.com/testcase?key=6163063559684096

Fuzzer: mbarbella_js_mutation
Job Type: linux_cfi_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  val <= std::min(static_cast<size_t>(std::numeric_limits<N>::max()), static_cast<
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=472684:472755
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=474309:475964

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6163063559684096


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
