CHECK failure: (module_->instance) != nullptr in wasm-compiler.cc

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4667552239452160
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  (module_->instance) != nullptr in wasm-compiler.cc
  v8::internal::compiler::WasmGraphBuilder::GrowMemory
  v8::internal::wasm::WasmFullDecoder::DecodeFunctionBody
Sanitizer: address (ASAN)
Regressed: V8: 44043:44044
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4667552239452160
Issue manually filed by: clemensh

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sheriffbot@chromium.org, May 26 2017

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 26 2017

Lowering priority, since this requires the --wasm-lazy-compilation command line flag.
May 26 2017

Can this check failure have security consequences? If not, please change Type=Bug-Security to Type=Bug.
May 26 2017

Fix is here: https://chromium-review.googlesource.com/c/516706/
May 29 2017

This is not a release blocker.
May 29 2017

The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/e011e7efa91ca9825a1e9724454e51448616c5f0

commit e011e7efa91ca9825a1e9724454e51448616c5f0
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Mon May 29 11:46:07 2017

[wasm] Remove obsolete DCHECKS

WasmGraphBuilder::GrowMemory does not access the module or the instance any more. This was initially needed to reference the context as a HeapConstant in the code. This CL just removes the DCHECKs, which failed with the --wasm-lazy-compilation flag.

R=ahaas@chromium.org
BUG= chromium:726665
Change-Id: Ieac53fe376256c47e8ef2fafca818a99ff063683
Reviewed-on: https://chromium-review.googlesource.com/516706
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45556}

[modify] https://crrev.com/e011e7efa91ca9825a1e9724454e51448616c5f0/src/compiler/wasm-compiler.cc
May 30 2017

ClusterFuzz has detected this issue as fixed in range 45555:45556.

Detailed report: https://clusterfuzz.com/testcase?key=4667552239452160
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  (module_->instance) != nullptr in wasm-compiler.cc
  v8::internal::compiler::WasmGraphBuilder::GrowMemory
  v8::internal::wasm::WasmFullDecoder::DecodeFunctionBody
Sanitizer: address (ASAN)
Regressed: V8: 44043:44044
Fixed: V8: 45555:45556
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4667552239452160

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 4 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot