Null-dereference READ in v8::internal::GlobalHandles::MakeWeak
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4829301781561344
Fuzzer: lcamtuf_cross_fuzz
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::GlobalHandles::MakeWeak
  blink::ScriptWrappable::SetWrapper
  blink::DOMDataStore::SetWrapper
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=474583:474657
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4829301781561344

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 29 2017
Assigning to memory sheriff for investigating.

May 29 2017
Looks like a blink bindings regression.

May 30 2017
Suspecting https://chromium-review.googlesource.com/c/514923/ from the CL range and stack trace, bashi@ PTAL.

May 30 2017
I don't think my change caused the regression. The CL only added forward declarations for generated code and it wouldn't change existing behavior. Assigning to yukishiino@ for triage.

May 30 2017
Among 7 suspected CLs that clusterfuzz suggested, the following CL of ulan@ looks most relevant. https://chromium.googlesource.com/v8/v8.git/+/a6da98d86ffab7e1e50319ed12b57fcb366e24ee
ulan@, could you let me know what this CL is doing? I know nothing about "new phantom weakness". Does Blink need to change something? Could the CL be related to this issue?

May 30 2017
The bisection range from the clusterfuzz report doesn't include ulan's CL: https://chromium.googlesource.com/chromium/src/+log/d9e6b495633f4f1382309dff618aa41af04413ee..4e14abaffe591610d0c3ab3744a18082b51eba84
I'm not sure clusterfuzz's suspected CLs make sense here as they only check last modifications to the source code at the top stack frames, irrespective of the actual bisected CL range.

May 30 2017
Ah, I see. Let me take a closer look.

Jun 2 2017
ClusterFuzz has detected this issue as fixed in range 476262:476271.

Detailed report: https://clusterfuzz.com/testcase?key=4829301781561344
Fuzzer: lcamtuf_cross_fuzz
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::GlobalHandles::MakeWeak
  blink::ScriptWrappable::SetWrapper
  blink::DOMDataStore::SetWrapper
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=474583:474657
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=476262:476271
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4829301781561344

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jun 2 2017
ClusterFuzz testcase 4829301781561344 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Jun 6 2017
Issue 729390 has been merged into this issue.

Jun 6 2017
yukishiino@, did you land a fix in 476262:476271, or did clusterfuzz@ incorrectly close this issue?

Jun 7 2017
I didn't land a fix. I think that the issue has not ever been reliably reproducible in the first place, so I wouldn't say that clusterfuzz@ *incorrectly* closed this issue, either. Anyway, I think that this is a dupe of Issue 714130.

Jun 16 2017
Issue 733492 has been merged into this issue.

Jun 16 2017
Issue 731912 has been merged into this issue.
Comment 1 by ClusterFuzz, May 28 2017