Ill in blink::LLVMFuzzerTestOneInput
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6514751699156992

Fuzzer: afl_v8_serialized_script_value_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Ill
Crash Address: 0x00000050e519
Crash State: blink::LLVMFuzzerTestOneInput
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=458403:458424

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6514751699156992

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
May 27 2017

May 27 2017

May 29 2017
Another test harness bug coming up?
May 31 2017
It seems that way. ClusterFuzz's FindIt points to this CL: https://chromium.googlesource.com/chromium/src/+/b4d8eb9df2ee1560fd4799da1e6524692e2c8669 It is reproducible with `/google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 6514751699156992`. As the owner of the CL, jbroman@, could you take a look? Thank you.
May 31 2017
https://chromium.googlesource.com/chromium/src/+/fda3f3decbf18cec68fed81b8f48add43c3c64b2 seems more likely, but let me try to repro locally.
May 31 2017
cc csharrison in case similar issues have arisen from the other fuzzers modified in that CL.
May 31 2017
Haven't had any other reports from that CL but it's certainly possible. Let me know what you find.
May 31 2017
Nope, FindIt is correct. Now to figure out why...
May 31 2017
And, it's because I am a fool and don't notice when I'm using an obviously null pointer. </headdesk> Patch to follow.
Jun 1 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/09c6267d605eabfb49885e147f7de04ff2160641

commit 09c6267d605eabfb49885e147f7de04ff2160641
Author: Jeremy Roman <jbroman@chromium.org>
Date: Thu Jun 01 01:17:22 2017

Fix null pointer dereference in SerializedScriptValueFuzzer.

Bug: 727010
Change-Id: I8361d0040e1bff9a4e1e45da725f7f9e5157947e
Reviewed-on: https://chromium-review.googlesource.com/520206
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Jeremy Roman <jbroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#476127}

[modify] https://crrev.com/09c6267d605eabfb49885e147f7de04ff2160641/third_party/WebKit/Source/bindings/core/v8/serialization/SerializedScriptValueFuzzer.cpp
Jun 1 2017
ClusterFuzz has detected this issue as fixed in range 476086:476151.

Detailed report: https://clusterfuzz.com/testcase?key=6514751699156992

Fuzzer: afl_v8_serialized_script_value_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Ill
Crash Address: 0x00000050e519
Crash State: blink::LLVMFuzzerTestOneInput
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=458403:458424
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=476086:476151

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6514751699156992

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 1 2017

Jun 2 2017
Sep 8 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot