CHECK failure: WasmInstanceObject::IsWasmInstanceObject(*instance_obj) in runtime-test.cc |
||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5615411944226816 Fuzzer: inferno_js_fuzzer Job Type: linux_asan_d8 Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: WasmInstanceObject::IsWasmInstanceObject(*instance_obj) in runtime-test.cc __RT_impl_Runtime_WasmNumInterpretedCalls v8::internal::Runtime_WasmNumInterpretedCalls Sanitizer: address (ASAN) Regressed: V8: 43854:43855 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5615411944226816 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
May 19 2017
Detailed report: https://clusterfuzz.com/testcase?key=5950617700007936 Fuzzer: inferno_js_fuzzer Job Type: linux_asan_d8 Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: WasmInstanceObject::IsWasmInstanceObject(*instance_obj) in runtime-test.cc Sanitizer: address (ASAN) Regressed: V8: 43854:43855 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5950617700007936 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
May 19 2017
+mstarzinger It looks like runtime functions that are being used in tests (e.g. OptimizeFunctionOnNextCall) don't CHECK their argument types, but just return undefined if illegal types are passed. Is this also the right thing to do here? Or better throw a TypeError?
,
May 19 2017
+mstarzinger Please see comment/question on previous comment. Can certainly wait until Monday :) Lowering priority, since this requires --allow-natives-syntax.
,
May 19 2017
,
May 19 2017
Nah, we shouldn't try to harden arbitrary runtime functions unless we explicitly want to fuzz them. The problem here is that "mjsunit" contains files that have the "% FooBar()" patterd and ClusterFuzz picks them up and defeats it's own black list. The correct fix is to fix the affected test cases in the corpus, in this case: - test/mjsunit/wasm/interpreter-mixed.js - test/mjsunit/wasm/interpreter.js Happy to discuss on Monday.
,
May 19 2017
Similar previous occurrences: https://chromium-review.googlesource.com/447398 https://codereview.chromium.org/2682203003
,
May 19 2017
Oh, I see. It's clang-format who reformats "%FooBar()" to "% FooBar()". That's unfortunate. Will create the right fix on Monday then.
,
May 19 2017
Yeah, that's because the "natives syntax" is a V8 hand-made feature and not JavaScript proper. It trips up clang-format grammar rules. Also it actually breaks semicolon insertion (if the previous line before the runtime call is not ended wirh a semicolon, then V8's parser will not recognize the call and think it is a modulus operation).
,
May 22 2017
,
May 22 2017
,
May 23 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/a4eb80f7a6782838bbeec0fa49a74d83bddef7cd commit a4eb80f7a6782838bbeec0fa49a74d83bddef7cd Author: Clemens Hammacher <clemensh@chromium.org> Date: Tue May 23 09:26:56 2017 [wasm] Fix runtime call syntax This is to avoid ClusterFuzz picking up and using those calls. With the proper syntax (no whitespace), they are recognized as runtime calls and will be checked against a whitelist. R=mstarzinger@chromium.org BUG= chromium:724459 Change-Id: I5533f066feeb66f622230b12f79f9d227e2b2465 Reviewed-on: https://chromium-review.googlesource.com/509575 Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#45475} [modify] https://crrev.com/a4eb80f7a6782838bbeec0fa49a74d83bddef7cd/test/mjsunit/wasm/interpreter-mixed.js [modify] https://crrev.com/a4eb80f7a6782838bbeec0fa49a74d83bddef7cd/test/mjsunit/wasm/interpreter.js
,
May 23 2017
The CL addresses the issue by avoiding clusterfuzz picking up the disallowed runtime call.
,
May 23 2017
Issue 725440 has been merged into this issue.
,
Jul 8 2017
ClusterFuzz has detected this issue as fixed in range 46474:46475. Detailed report: https://clusterfuzz.com/testcase?key=5950617700007936 Fuzzer: inferno_js_fuzzer Job Type: linux_asan_d8 Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: WasmInstanceObject::IsWasmInstanceObject(*instance_obj) in runtime-test.cc Sanitizer: address (ASAN) Regressed: V8: 43854:43855 Fixed: V8: 46474:46475 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5950617700007936 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 14 2017
ClusterFuzz testcase 5615411944226816 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
,
Jul 17 2017
The test case still reproduces, but was invalid from the beginning. The fix was to avoid generating such tests in the future.
,
Aug 16 2017
Issue 754963 has been merged into this issue.
,
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label. |
||||||||
►
Sign in to add a comment |
||||||||
Comment 1 by clemensh@chromium.org
, May 19 2017Status: Assigned (was: Untriaged)