New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 724973 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit 15 days ago
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security



Sign in to add a comment

CHECK failure: is_valid in conversions-inl.h

Project Member Reported by ClusterFuzz, May 22 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6023488715620352

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  is_valid in conversions-inl.h
  v8::internal::NumberToSize
  v8::internal::ValidateAtomicAccess
  
Sanitizer: address (ASAN)

Regressed: V8: 44625:44626

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6023488715620352


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: Restrict-View-SecurityTeam Type-Bug-Security
Owner: ishell@chromium.org
Status: Assigned (was: Untriaged)
Cast assert seems scary, hiding this to let v8 sheriff to triage.

Comment 2 by aarya@google.com, May 23 2017

Cc: mstarzinger@chromium.org
Cc: ishell@chromium.org aseemgarg@chromium.org jarin@chromium.org
Owner: binji@chromium.org
Regression range and repro points at 7b300ba2e966c0d104d3755707a6d59a74944771. Note that I can only reproduce this on 32-bit architectures (i.e. tried ia32 and ARM, both reproduce).
Project Member

Comment 5 by bugdroid1@chromium.org, May 31 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/89a6f9c138772e7f8c83f8a68ad95a4ea37a18a5

commit 89a6f9c138772e7f8c83f8a68ad95a4ea37a18a5
Author: Ben Smith <binji@chromium.org>
Date: Wed May 31 15:08:52 2017

Fix Check failure on OOB access in Atomics.wait

Bug:  chromium:724973 
Change-Id: I227b30b50f92fac7d6cf3ec3369e324282352ccb
Reviewed-on: https://chromium-review.googlesource.com/514348
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Ben Smith <binji@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45643}
[modify] https://crrev.com/89a6f9c138772e7f8c83f8a68ad95a4ea37a18a5/src/builtins/builtins-sharedarraybuffer.cc
[modify] https://crrev.com/89a6f9c138772e7f8c83f8a68ad95a4ea37a18a5/test/mjsunit/harmony/futex.js

Comment 6 by binji@chromium.org, May 31 2017

Status: Fixed (was: Assigned)
Project Member

Comment 7 by ClusterFuzz, Jun 1 2017

ClusterFuzz has detected this issue as fixed in range 45642:45643.

Detailed report: https://clusterfuzz.com/testcase?key=6023488715620352

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  is_valid in conversions-inl.h
  v8::internal::NumberToSize
  v8::internal::ValidateAtomicAccess
  
Sanitizer: address (ASAN)

Regressed: V8: 44625:44626
Fixed: V8: 45642:45643

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6023488715620352


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by sheriffbot@chromium.org, Jun 1 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 9 by sheriffbot@chromium.org, Sep 7 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment