Crash in v8::internal::Invoke
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5083182063157248
Fuzzer: inferno_js_fuzzer
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0x26b10000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=460544:464119
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5083182063157248

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 9 2017
Bisects to f2531acb1e7ea7c0e1bde2f8230c6b49539dd429. Mircea, please take a look. If this CL really introduced a bug (wrong bounds check -> OOB read), this affects M59.
Jun 13 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/5db4364f47f4a28e94bde3a468bc471d8adf9fb8

commit 5db4364f47f4a28e94bde3a468bc471d8adf9fb8
Author: Mircea Trofin <mtrofin@chromium.org>
Date: Tue Jun 13 16:39:52 2017

[wasm] Correctly reset memory size to default instead of 0.

Bug: chromium:731351
Change-Id: I810986cba2f575da9de2c4bb70c250784148eeb5
Reviewed-on: https://chromium-review.googlesource.com/532634
Commit-Queue: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45918}

[modify] https://crrev.com/5db4364f47f4a28e94bde3a468bc471d8adf9fb8/src/wasm/wasm-objects.cc
[add] https://crrev.com/5db4364f47f4a28e94bde3a468bc471d8adf9fb8/test/mjsunit/regress/wasm/regression-731351.js
Jun 15 2017
ClusterFuzz has detected this issue as fixed in range 479356:479374.

Detailed report: https://clusterfuzz.com/testcase?key=5083182063157248
Fuzzer: inferno_js_fuzzer
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0x26b10000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=460544:464119
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=479356:479374
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5083182063157248

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 15 2017
ClusterFuzz testcase 5083182063157248 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 6 2017
This bug requires manual review: M60 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Jul 7 2017
Approving merge to M60.
Jul 10 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Jul 10 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/d695244fa49c4c539dd421b06829240e6b1eb2b4

commit d695244fa49c4c539dd421b06829240e6b1eb2b4
Author: Mircea Trofin <mtrofin@chromium.org>
Date: Mon Jul 10 15:41:01 2017

Merged: [wasm] Correctly reset memory size to default instead of 0.

Revision: 5db4364f47f4a28e94bde3a468bc471d8adf9fb8

BUG= chromium:731351
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=bradnelson@chromium.org

Change-Id: Ic8d958110bd645a932d1d0dfead480d659e50045
Reviewed-on: https://chromium-review.googlesource.com/565185
Reviewed-by: Brad Nelson <bradnelson@chromium.org>
Commit-Queue: Brad Nelson <bradnelson@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.0@{#63}
Cr-Branched-From: 97dbf624a5eeffb3a8df36d24cdb2a883137385f-refs/heads/6.0.286@{#1}
Cr-Branched-From: 12e6f1cb5cd9616da7b9d4a7655c088778a6d415-refs/heads/master@{#45439}

[modify] https://crrev.com/d695244fa49c4c539dd421b06829240e6b1eb2b4/src/wasm/wasm-objects.cc
[add] https://crrev.com/d695244fa49c4c539dd421b06829240e6b1eb2b4/test/mjsunit/regress/wasm/regression-731351.js
Jul 10 2017
Removed "Merge-Approved" for M60, as the change is now merged.
Sep 21 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by clemensh@chromium.org, Jun 9 2017

Reproduces in d8 on linux, with flags --validate-asm --expose-gc --stress-opt. Slightly reduced test case:

=========================================
gc();
function asm(stdlib, foreign, buffer) {
  "use asm";
  var HEAP32 = new stdlib.Uint32Array(buffer);
  function load(a) {
    a = a | 0;
    return +(HEAP32[a >> 2] >>> 0);
  }
  return {load: load};
}
function RunAsmJsTest() {
  buffer = new ArrayBuffer(65536);
  var asm_module = asm({Uint32Array: Uint32Array}, {}, buffer);
  asm_module.load(buffer.byteLength);
}
RunAsmJsTest();
=========================================

Interestingly, the call to {gc} is needed, and also the nesting inside the {RunAsmJsTest} function. Hence it looks like a memory or optimization bug. Bisect is running.
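The reduced test case above loads at index buffer.byteLength, one word past the end of the heap, which the fix commit identifies as a memory size that had been reset to 0 instead of its default, so the bounds check no longer matched the backing store. The check below is an added example written for this page; it is not the regression-731351.js test the fix commit adds (that file's content is not shown here). It keeps the same asm.js module shape as the repro, adds a store function, and records what a correct engine must return at the first word, the last word, and two positions past the end: an out-of-bounds typed-array read yields undefined, which `>>> 0` turns into 0, so the loads past the end must return 0 rather than whatever memory follows the buffer. The module and helper names are my own.

```javascript
// Added example (not the V8 project's regression test): asm.js heap loads
// at and beyond the end of the backing ArrayBuffer must yield 0, never the
// contents of adjacent memory. Runs under plain JS semantics too, since an
// engine without asm.js validation falls back to ordinary typed-array rules.
function asmModule(stdlib, foreign, buffer) {
  "use asm";
  var HEAP32 = new stdlib.Uint32Array(buffer);
  function load(a) {
    a = a | 0;
    // Out-of-bounds HEAP32 read gives undefined; undefined >>> 0 is 0.
    return +(HEAP32[a >> 2] >>> 0);
  }
  function store(a, v) {
    a = a | 0;
    v = v | 0;
    HEAP32[a >> 2] = v;
  }
  return { load: load, store: store };
}

// Exercises the heap boundary for a buffer of byteLength bytes (must be a
// valid asm.js heap size, e.g. 65536 as in the reduced test case) and returns
// the observed values so a caller can compare them against the expected ones.
function checkBoundary(byteLength) {
  var buffer = new ArrayBuffer(byteLength);
  var m = asmModule({ Uint32Array: Uint32Array }, {}, buffer);

  m.store(0, 0x11223344);        // first word: a recognisable pattern
  m.store(byteLength - 4, -1);   // last word: all 32 bits set

  return {
    first: m.load(0),                 // expected 0x11223344
    last: m.load(byteLength - 4),     // expected 4294967295 (unsigned read)
    pastEnd: m.load(byteLength),      // the repro's index; expected 0
    farPastEnd: m.load(byteLength * 4) // well beyond the heap; expected 0
  };
}

// Returns true when every boundary load behaves as the asm.js semantics
// require; a false result is the signal a regression test would fail on.
function boundaryIsSafe(byteLength) {
  var r = checkBoundary(byteLength);
  return r.first === 0x11223344 &&
         r.last === 4294967295 &&
         r.pastEnd === 0 &&
         r.farPastEnd === 0;
}
```

Running `boundaryIsSafe(65536)` in a correct engine returns true; the value of interest for this bug is `pastEnd`, which is exactly the load the reduced test case performs. The `gc()` call and the wrapping function from the repro are omitted here because the check targets the observable semantics rather than the specific optimisation path that exposed the defect.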