Issue 727222

Issue metadata

Status: Fixed
Closed: May 2017
OS: Linux
Pri: 2
Type: Bug


CHECK failure: (module_->instance) != nullptr in wasm-compiler.cc

Reported by ClusterFuzz, May 29 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5104633747079168

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  (module_->instance) != nullptr in wasm-compiler.cc
  v8::internal::compiler::WasmGraphBuilder::CurrentMemoryPages
  v8::internal::wasm::WasmFullDecoder::DecodeFunctionBody
  
Sanitizer: address (ASAN)

Regressed: V8: 44043:44044

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5104633747079168


Issue manually filed by: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ishell@chromium.org, May 29 2017

Cc: ahaas@chromium.org
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
CF points to 8255fb5e9895ef1603ac5504a2affc5cfdcd3b70. PTAL
Status: Started (was: Assigned)
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Impact-Head -Security_Severity-High Pri-2 Type-Bug
This is just an obsolete DCHECK, no security implications.

Comment 4 by bugdroid1@chromium.org, May 30 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b5203e8f4e20ecb9e3565377cace6eb27dcd90d2

commit b5203e8f4e20ecb9e3565377cace6eb27dcd90d2
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Tue May 30 08:58:09 2017

[wasm] Remove more obsolete DCHECKs

This time for the current memory size. This call also used to use the
context object stored in the instance, hence it required the instance
to be set. This is no longer the case, so the DCHECKs can just be
removed.

R=ahaas@chromium.org
BUG=chromium:727222

Change-Id: I72a7e3e80c3beb15ecad00c5be068e803456797e
Reviewed-on: https://chromium-review.googlesource.com/517947
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45587}
[modify] https://crrev.com/b5203e8f4e20ecb9e3565377cace6eb27dcd90d2/src/compiler/wasm-compiler.cc
[add] https://crrev.com/b5203e8f4e20ecb9e3565377cace6eb27dcd90d2/test/mjsunit/regress/wasm/regression-727222.js

Status: Fixed (was: Started)

Comment 6 by ClusterFuzz, May 31 2017

ClusterFuzz has detected this issue as fixed in range 45586:45587.

Detailed report: https://clusterfuzz.com/testcase?key=5104633747079168

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  (module_->instance) != nullptr in wasm-compiler.cc
  v8::internal::compiler::WasmGraphBuilder::CurrentMemoryPages
  v8::internal::wasm::WasmFullDecoder::DecodeFunctionBody
  
Sanitizer: address (ASAN)

Regressed: V8: 44043:44044
Fixed: V8: 45586:45587

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5104633747079168


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
