Null-dereference READ in v8::internal::compiler::Node::opcode
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5733551747366912

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::compiler::Node::opcode
  v8::internal::compiler::StateValuesAccess::size
  v8::internal::compiler::InstructionSelector::GetFrameStateDescriptor
Sanitizer: address (ASAN)
Regressed: V8: 45719:45720

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5733551747366912

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 7 2017

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/66218e4efa7ec0272bb707f21cc793da65954308

commit 66218e4efa7ec0272bb707f21cc793da65954308
Author: Mythri <mythria@chromium.org>
Date: Wed Jun 07 12:07:24 2017

[Turbofan] Fix to not leak holes on any edges.

This CL: https://chromium-review.googlesource.com/509613 changed CheckNotTaggedHole to not produce any value output. This would mean that in some cases, we could leak the hole on value edges. This violates the assumption that we cannot see a hole on several operators. Fixing this back to the original state.

Bug: chromium:730254
Change-Id: I3512930e88dbe15e9d9b4b0d276868f354cc2ae2
Reviewed-on: https://chromium-review.googlesource.com/527033
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45757}

[modify] https://crrev.com/66218e4efa7ec0272bb707f21cc793da65954308/src/compiler/js-native-context-specialization.cc
[modify] https://crrev.com/66218e4efa7ec0272bb707f21cc793da65954308/src/compiler/opcodes.h
[modify] https://crrev.com/66218e4efa7ec0272bb707f21cc793da65954308/src/compiler/simplified-operator.cc
[modify] https://crrev.com/66218e4efa7ec0272bb707f21cc793da65954308/src/compiler/typer.cc
[modify] https://crrev.com/66218e4efa7ec0272bb707f21cc793da65954308/src/compiler/verifier.cc
[add] https://crrev.com/66218e4efa7ec0272bb707f21cc793da65954308/test/mjsunit/regress/regress-730254.js
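Added illustration, not part of the bug report, the reproducer or the V8 fix: the commit above restores a value output on CheckNotTaggedHole so that the engine-internal "hole" marker never flows along a value edge to another operator. The JavaScript below shows the language-level semantics that make the hole a value the optimizer must replace or guard rather than pass through. Reading a missing element of a holey array falls through to the prototype chain, so the observable result depends on Array.prototype at read time, which is why a hole can neither be handed to later operators as-is nor blindly rewritten to undefined. The function and variable names (readHoley, holeyDemo, a, b) are made up for this example, and the arrays are constructed inputs.

```javascript
// Read an array element through a plain function so that the load is the
// kind of element access an optimizing compiler would specialize.
function readHoley(arr, i) {
  return arr[i];
}

// Demonstrates that a hole is distinct from an explicit undefined, and that
// the value read from a hole is determined by the prototype chain.
function holeyDemo() {
  const a = [1, , 3];          // constructed input: index 1 is a hole
  const b = [1, undefined, 3]; // constructed input: index 1 is an own property

  const results = {
    length: a.length,
    hasOwn1: Object.prototype.hasOwnProperty.call(a, 1),
    in1: 1 in a,
    read1: readHoley(a, 1),                 // hole -> prototype lookup -> undefined
    forEachVisits: 0,
    explicitHasOwn1: Object.prototype.hasOwnProperty.call(b, 1),
  };

  // forEach skips holes but visits an explicit undefined element.
  a.forEach(() => { results.forEachVisits += 1; });

  // Installing an element on Array.prototype changes what the hole reads as,
  // while the explicit undefined in b is unaffected. This is the observable
  // behaviour a hole check or hole-to-undefined conversion has to preserve.
  Object.defineProperty(Array.prototype, 1, {
    value: 'from-proto',
    configurable: true,
    writable: true,
    enumerable: false,
  });
  results.read1AfterProto = readHoley(a, 1);
  results.explicitReadAfterProto = readHoley(b, 1);
  delete Array.prototype[1];
  results.read1AfterCleanup = readHoley(a, 1);

  return results;
}
```

Run under node or d8; holeyDemo() returns the observations as a single object so they can be inspected or asserted on.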
Jun 8 2017

ClusterFuzz has detected this issue as fixed in range 45756:45757.

Detailed report: https://clusterfuzz.com/testcase?key=5733551747366912

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::compiler::Node::opcode
  v8::internal::compiler::StateValuesAccess::size
  v8::internal::compiler::InstructionSelector::GetFrameStateDescriptor
Sanitizer: address (ASAN)
Regressed: V8: 45719:45720
Fixed: V8: 45756:45757

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5733551747366912

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 9 2017

Issue 730622 has been merged into this issue.
Comment 1 by clemensh@chromium.org, Jun 7 2017

Owner: mythria@chromium.org
Status: Assigned (was: Untriaged)