Issue metadata
Ill in v8::Utils::ReportOOMFailure
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4608523005853696
Fuzzer: libFuzzer_v8_regexp_parser_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: Ill
Crash Address: 0x7f5ff622e608
Crash State:
  v8::Utils::ReportOOMFailure
  v8::internal::V8::FatalProcessOutOfMemory
  v8::internal::Assembler::GrowBuffer
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=415616:415651
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4608523005853696
Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jun 21 2017
Jun 21 2017
Though it doesn't seem to be a security issue, as ochang@ noticed, so I'm removing security labels.
Jun 22 2017
I suspect a dupe of crbug.com/686663, will confirm in a bit.
Jun 22 2017
Yep, this has a similar root cause as crbug.com/686663, i.e. a sequence of boundary checks that cause exponential code growth. crbug.com/v8/6126 collapsed repeated boundary checks (\b\b\b\b -> \b). We could go a step further and collapse the impossible \b\B pattern (which is what triggers the OOM in the current issue) into a simple fail. I opened http://crbug.com/v8/6515 to track this.
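The collapse described in the comment above, as an added example that is not part of this bug thread or of V8 itself: a toy C++ simplifier over a flat list of regexp terms, where `Parse`, `Simplify`, `Render` and `SimplifyPattern` are hypothetical stand-ins for V8's regexp AST passes. Runs of identical assertions fold to one, and a run that mixes `\b` and `\B` folds to a single fail node.

```cpp
#include <string>
#include <vector>
// Toy model (not V8 code) of the simplification discussed above: adjacent
// zero-width assertions all test the same input position, so they can be merged.
enum class Kind { WordBoundary, NonWordBoundary, Fail, Atom };
struct Term { Kind kind; char atom = 0; };  // atom is used only by Kind::Atom
static bool IsBoundary(Kind k) { return k == Kind::WordBoundary || k == Kind::NonWordBoundary; }

// Hypothetical mini-parser: understands \b, \B, \<char> and literal characters.
std::vector<Term> Parse(const std::string& p) {
  std::vector<Term> out;
  for (size_t i = 0; i < p.size(); ++i) {
    bool esc = p[i] == '\\' && i + 1 < p.size();
    char c = esc ? p[++i] : p[i];
    if (esc && c == 'b') out.push_back({Kind::WordBoundary});
    else if (esc && c == 'B') out.push_back({Kind::NonWordBoundary});
    else out.push_back({Kind::Atom, c});
  }
  return out;
}

// \b\b\b -> \b (crbug.com/v8/6126); a run mixing \b and \B can never match, so it
// becomes one Fail node (crbug.com/v8/6515): at most one check per run is emitted.
std::vector<Term> Simplify(const std::vector<Term>& terms) {
  std::vector<Term> out;
  for (const Term& t : terms) {
    if (IsBoundary(t.kind) && !out.empty()) {
      Kind& prev = out.back().kind;
      if (prev == t.kind || prev == Kind::Fail) continue;     // redundant assertion
      if (IsBoundary(prev)) { prev = Kind::Fail; continue; }  // \b\B: impossible
    }
    out.push_back(t);
  }
  return out;
}

// Renders terms back to pattern syntax; "(?!)" is an always-failing lookahead.
std::string Render(const std::vector<Term>& terms) {
  std::string s;
  for (const Term& t : terms) {
    if (t.kind == Kind::WordBoundary) s += "\\b";
    else if (t.kind == Kind::NonWordBoundary) s += "\\B";
    else if (t.kind == Kind::Fail) s += "(?!)";
    else s += t.atom;
  }
  return s;
}

std::string SimplifyPattern(const std::string& p) { return Render(Simplify(Parse(p))); }
```

Assertions separated by a consuming term (as in `a\bb\Bc`) are left alone, since they test different positions.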
Sep 4 2017
Sep 6 2017
Issue 754414 has been merged into this issue.
Sep 7 2017
Issue 762542 has been merged into this issue.
Sep 15 2017
Issue 763640 has been merged into this issue.
Comment 1 by mmoroz@chromium.org, Jun 21 2017
Components: Blink>JavaScript
Owner: jgruber@chromium.org