Ill in v8::Utils::ReportApiFailure |
|||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=6561584297279488 Fuzzer: inferno_js_fuzzer_c Job Type: linux_asan_d8 Platform Id: linux Crash Type: Ill Crash Address: 0x7fad55d09ae8 Crash State: v8::Utils::ReportApiFailure v8::Utils::ApiCheck FromJust Sanitizer: address (ASAN) Regressed: V8: 38799:38800 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6561584297279488 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jun 2 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 2 2017
,
Jun 6 2017
Looks like an intentional crash to me, but feel free to flip it back to a security bug if this is actually scary.
,
Jun 7 2017
Reproduces locally, bisect isolates the same as CF, a quite old CL: da5d713d73d43aec66ff45c29d06b4857182578b Assigning to Camillo, reviewer of that CL, CCing other reviewers.
,
Jun 7 2017
I agree with #4 that this is not a security issue. We just have to check for exceptions there. CL at https://chromium-review.googlesource.com/c/527173/ .
,
Jun 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/8bc98b5c75d573683b2774f6a78c41855483f332 commit 8bc98b5c75d573683b2774f6a78c41855483f332 Author: Jakob Kummerow <jkummerow@chromium.org> Date: Wed Jun 07 12:33:50 2017 Fix Array.indexOf for Proxies that throw When the slow path for Array.prototype.indexOf calls a Proxy's "has" trap, it must check afterwards whether an exception was thrown. BUG= chromium:728813 Change-Id: I998bba6ddcd65adfed2eefb63b3285da60d2a43c Reviewed-on: https://chromium-review.googlesource.com/527173 Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#45759} [modify] https://crrev.com/8bc98b5c75d573683b2774f6a78c41855483f332/src/runtime/runtime-array.cc [add] https://crrev.com/8bc98b5c75d573683b2774f6a78c41855483f332/test/mjsunit/regress/regress-crbug-728813.js
,
Jun 7 2017
Probably not important enough to backmerge, unless we get reports that users are hitting this in the wild.
,
Jun 8 2017
ClusterFuzz has detected this issue as fixed in range 45758:45759. Detailed report: https://clusterfuzz.com/testcase?key=6561584297279488 Fuzzer: inferno_js_fuzzer_c Job Type: linux_asan_d8 Platform Id: linux Crash Type: Ill Crash Address: 0x7fad55d09ae8 Crash State: v8::Utils::ReportApiFailure v8::Utils::ApiCheck FromJust Sanitizer: address (ASAN) Regressed: V8: 38799:38800 Fixed: V8: 45758:45759 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6561584297279488 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page. |
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by sheriffbot@chromium.org
, Jun 2 2017