Detailed report: https://clusterfuzz.com/testcase?key=5512697113477120
Fuzzer: inferno_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: unimplemented opcode: 8 in function-body-decoder.cc
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=467314:467323
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5512697113477120

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Combination of --wasm-eh-prototype and --wasm-interpret-all is (currently) illegal. Thinking about a fix.
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/45618a9ab5cc98a5de200b0116670e8c272f0c5f

commit 45618a9ab5cc98a5de200b0116670e8c272f0c5f
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Wed May 31 14:18:08 2017

[wasm] Make prototype flags experimental

Most prototype implementations are not fully supported in the interpreter. This is the case at least for exception handling, simd, and atomics. Any function can be redirected to the interpreter though, either by passing --wasm-interpret-all, or by dynamically redirecting to the interpreter for debugging. Making the flags experimental keeps the fuzzer from playing around with these flags.

Drive-by: Refactor tests which explicitly set the prototype flag to use a new scope for that.

R=ahaas@chromium.org
BUG= chromium:727584
Change-Id: I67da79f579f1ac93c67189afef40c6524bdd4430
Reviewed-on: https://chromium-review.googlesource.com/519402
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45639}

[modify] https://crrev.com/45618a9ab5cc98a5de200b0116670e8c272f0c5f/src/flag-definitions.h
[modify] https://crrev.com/45618a9ab5cc98a5de200b0116670e8c272f0c5f/src/isolate.cc
[modify] https://crrev.com/45618a9ab5cc98a5de200b0116670e8c272f0c5f/src/wasm/function-body-decoder-impl.h
[modify] https://crrev.com/45618a9ab5cc98a5de200b0116670e8c272f0c5f/src/wasm/function-body-decoder.cc
[modify] https://crrev.com/45618a9ab5cc98a5de200b0116670e8c272f0c5f/src/wasm/module-decoder.cc
[modify] https://crrev.com/45618a9ab5cc98a5de200b0116670e8c272f0c5f/test/cctest/BUILD.gn
[modify] https://crrev.com/45618a9ab5cc98a5de200b0116670e8c272f0c5f/test/cctest/cctest.gyp
[modify] https://crrev.com/45618a9ab5cc98a5de200b0116670e8c272f0c5f/test/cctest/wasm/test-run-wasm-simd.cc
[modify] https://crrev.com/45618a9ab5cc98a5de200b0116670e8c272f0c5f/test/cctest/wasm/test-run-wasm.cc
[modify] https://crrev.com/45618a9ab5cc98a5de200b0116670e8c272f0c5f/test/cctest/wasm/wasm-run-utils.h
[add] https://crrev.com/45618a9ab5cc98a5de200b0116670e8c272f0c5f/test/common/wasm/flag-utils.h
[modify] https://crrev.com/45618a9ab5cc98a5de200b0116670e8c272f0c5f/test/mjsunit/wasm/exceptions.js
[modify] https://crrev.com/45618a9ab5cc98a5de200b0116670e8c272f0c5f/test/unittests/wasm/function-body-decoder-unittest.cc
[modify] https://crrev.com/45618a9ab5cc98a5de200b0116670e8c272f0c5f/test/unittests/wasm/module-decoder-unittest.cc
ClusterFuzz has detected this issue as fixed in range 476089:476109.

Detailed report: https://clusterfuzz.com/testcase?key=5512697113477120
Fuzzer: inferno_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: unimplemented opcode: 8 in function-body-decoder.cc
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=467314:467323
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=476089:476109
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5512697113477120

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by clemensh@chromium.org, May 30 2017
Status: Assigned (was: Untriaged)