CHECK failure: val <= std::min(static_cast<size_t>(std::numeric_limits<N>::max()), static_cast<
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6163063559684096
Fuzzer: mbarbella_js_mutation
Job Type: linux_cfi_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: val <= std::min(static_cast<size_t>(std::numeric_limits<N>::max()), static_cast<
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=472684:472755
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6163063559684096

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by clemensh@chromium.org, May 19 2017

The test case creates a function with 65535 parameters. The BytecodeGraphBuilder then tries to create a Start node with value_output_count=65540, which is out of bounds for the uint16_t range. Benedikt, can you take this over?
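The failure in comment 1 is a narrowing check rather than a memory-safety bug: the value-output count is computed as a wide integer and then CHECKed into a 16-bit field, and the CHECK aborts instead of letting the value wrap. The C++ below is an added illustration of that pattern and of the widening fix, written for this page; it is not V8's code. CheckedNarrow, NarrowOperator, WideOperator, TryMakeNarrowStart, TryMakeWideStart and kExtraStartOutputs are hypothetical names, and the figure of five extra Start outputs is inferred from the 65535/65540 numbers in comment 1, not taken from the V8 sources.

```cpp
// Added illustration of a CHECKed narrowing cast and its widening fix.
// Not V8's code; names and the +5 extra-output assumption are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Stand-in for the checked narrowing in the report: refuse any value that
// does not fit the target integer type N instead of silently wrapping.
// Returns false where the real CHECK would abort the process.
template <typename N>
bool CheckedNarrow(size_t val, N* out) {
  if (val > static_cast<size_t>(std::numeric_limits<N>::max())) return false;
  *out = static_cast<N>(val);
  return true;
}

// Hypothetical operator descriptors before and after the fix: the only
// difference is the width of the value-output count field.
struct NarrowOperator { uint16_t value_output_count; };
struct WideOperator   { uint32_t value_output_count; };

// Assumption drawn from comment 1: 65535 declared parameters produced a Start
// node with 65540 value outputs, i.e. five outputs beyond the parameters.
constexpr size_t kParserParameterLimit = 65535;
constexpr size_t kExtraStartOutputs = 5;

size_t StartValueOutputCount(size_t parameter_count) {
  return parameter_count + kExtraStartOutputs;
}

// Build the 16-bit operator the way the buggy code did.
// Returns false exactly where the CHECK in the report fired.
bool TryMakeNarrowStart(size_t parameter_count, NarrowOperator* out) {
  return CheckedNarrow<uint16_t>(StartValueOutputCount(parameter_count),
                                 &out->value_output_count);
}

// Build the operator after widening the field to 32 bits (the shape of the fix).
bool TryMakeWideStart(size_t parameter_count, WideOperator* out) {
  return CheckedNarrow<uint32_t>(StartValueOutputCount(parameter_count),
                                 &out->value_output_count);
}

// What an unchecked static_cast would have stored: the reason the CHECK exists.
uint16_t WrappedCount(size_t parameter_count) {
  return static_cast<uint16_t>(StartValueOutputCount(parameter_count));
}

int main() {
  NarrowOperator narrow{};
  WideOperator wide{};
  std::printf("narrow, %zu params: %s\n", kParserParameterLimit,
              TryMakeNarrowStart(kParserParameterLimit, &narrow) ? "ok" : "CHECK failure");
  std::printf("wide,   %zu params: %s (count=%u)\n", kParserParameterLimit,
              TryMakeWideStart(kParserParameterLimit, &wide) ? "ok" : "CHECK failure",
              wide.value_output_count);
  std::printf("unchecked wrap would store: %u\n", WrappedCount(kParserParameterLimit));
  return 0;
}
```

The point of the CHECK is visible in WrappedCount: without it, a Start node with 65540 outputs would be recorded as having 4, and any later code that sizes or indexes by that count would be wrong by tens of thousands of entries. The CHECK turns that into a deterministic abort (a renderer crash, so a denial of service, but not a corruption primitive), and the fix widens the field rather than relaxing the check.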
May 19 2017
May 19 2017

Issue 724406 has been merged into this issue.
May 27 2017
May 29 2017

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/f7f03da0d3d4c0cd065410b918762951ffa97497

commit f7f03da0d3d4c0cd065410b918762951ffa97497
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon May 29 15:49:06 2017

[turbofan] Fix value output count range on Operator.

This widens the range of value output counts to 32 bit on the {Operator} class. Note that the limit imposed by the parser is 65535 parameters for each function, but the {Start} node has additional value outputs.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-724153
BUG= chromium:724153

Change-Id: I21b5d947cc2305b255ddbbff6ec1dfa5c02784c7
Reviewed-on: https://chromium-review.googlesource.com/517489
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45573}

[modify] https://crrev.com/f7f03da0d3d4c0cd065410b918762951ffa97497/src/compiler/bytecode-graph-builder.cc
[modify] https://crrev.com/f7f03da0d3d4c0cd065410b918762951ffa97497/src/compiler/bytecode-graph-builder.h
[modify] https://crrev.com/f7f03da0d3d4c0cd065410b918762951ffa97497/src/compiler/operator.cc
[modify] https://crrev.com/f7f03da0d3d4c0cd065410b918762951ffa97497/src/compiler/operator.h
[modify] https://crrev.com/f7f03da0d3d4c0cd065410b918762951ffa97497/src/compiler/pipeline.cc
[add] https://crrev.com/f7f03da0d3d4c0cd065410b918762951ffa97497/test/mjsunit/regress/regress-crbug-724153.js
May 29 2017
Jun 1 2017

ClusterFuzz has detected this issue as fixed in range 474309:475964.

Detailed report: https://clusterfuzz.com/testcase?key=6163063559684096
Fuzzer: mbarbella_js_mutation
Job Type: linux_cfi_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: val <= std::min(static_cast<size_t>(std::numeric_limits<N>::max()), static_cast<
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=472684:472755
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_d8&range=474309:475964
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6163063559684096

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.