Crash in v8::internal::wasm::UnwrapImportWrapper with lazy compilation
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4863300197416960
Fuzzer: inferno_js_fuzzer
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0x2fd8a4b4
Crash State:
  v8::internal::wasm::UnwrapImportWrapper
  v8::internal::wasm::InstanceBuilder::ProcessImports
  v8::internal::wasm::InstanceBuilder::Build
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=477767:477864
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4863300197416960
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 22 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5587107656761344.
Jun 22 2017
Any idea why all these wasm bugs don't reproduce on LINUX job types?
Jun 22 2017
Sorry missed flags, let me add those first.
Jun 22 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6621460897726464.
Jun 22 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5830117736841216.
Jun 22 2017
Detailed report: https://clusterfuzz.com/testcase?key=6621460897726464
Job Type: linux_asan_d8_dbg
Crash Type: CHECK failure
Crash Address:
Crash State:
  !it.done() in wasm-module.cc
  v8::internal::wasm::UnwrapImportWrapper
  UnwrapOrCompileImportWrapper
Sanitizer: address (ASAN)
Regressed: V8: 44043:44044
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6621460897726464
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 22 2017
Lowering priority, as this requires the --wasm-lazy-compilation command line flag. It's also not security relevant. The problem is that one instance imports an exported wasm function, and then tries to unwrap the js-to-wasm wrapper, but because this is using lazy compilation, there is no embedded WASM_FUNCTION code object. Hence a DCHECK fails / it crashes (depending on build mode).
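The cross-instance import the comment above describes (instance B importing a function that instance A exports, so the engine has to unwrap A's js-to-wasm wrapper) as an added regression-style check. This is a constructed example, not the fuzzer testcase or a V8 test; the two modules are hand-assembled and assumed to be accepted by any spec-conforming engine. On an engine with the fix it simply returns a value; the comment says the pre-fix DCHECK only fires under --wasm-lazy-compilation.

```javascript
// Constructed modules (not from the bug report): A exports f(x) = x + 1,
// B imports A's f and exports g(x) = f(f(x)), so g is the wasm-to-wasm import case.
const A_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // magic + version
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f,       // type 0: (i32) -> i32
  0x03, 0x02, 0x01, 0x00,                               // one function of type 0
  0x07, 0x05, 0x01, 0x01, 0x66, 0x00, 0x00,             // export "f" = func 0
  0x0a, 0x09, 0x01, 0x07, 0x00,                         // code section: 1 body, no locals
  0x20, 0x00, 0x41, 0x01, 0x6a, 0x0b,                   // local.get 0; i32.const 1; i32.add; end
]);

const B_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // magic + version
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f,       // type 0: (i32) -> i32
  0x02, 0x07, 0x01, 0x01, 0x61, 0x01, 0x66, 0x00, 0x00, // import "a"."f": func type 0 (index 0)
  0x03, 0x02, 0x01, 0x00,                               // one local function (index 1)
  0x07, 0x05, 0x01, 0x01, 0x67, 0x00, 0x01,             // export "g" = func 1
  0x0a, 0x0a, 0x01, 0x08, 0x00,                         // code section: 1 body, no locals
  0x20, 0x00, 0x10, 0x00, 0x10, 0x00, 0x0b,             // local.get 0; call 0; call 0; end
]);

// Both byte strings must pass the engine's validator before instantiation.
function modulesValid() {
  return WebAssembly.validate(A_BYTES) && WebAssembly.validate(B_BYTES);
}

// Instantiate A, then hand A's exported function to B as an import. The value
// A exposes is a js-to-wasm wrapper; when B's ProcessImports sees it, the engine
// takes the unwrap path from the crash state above instead of compiling a
// js-to-wasm import wrapper.
function crossInstanceImport(x) {
  const a = new WebAssembly.Instance(new WebAssembly.Module(A_BYTES));
  const b = new WebAssembly.Instance(new WebAssembly.Module(B_BYTES), {
    a: { f: a.exports.f },
  });
  return b.exports.g(x); // f(f(x)) = x + 2
}
```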
Jun 23 2017
Jun 28 2017
Jun 30 2017
Detailed report: https://clusterfuzz.com/testcase?key=6153054247452672
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !it.done() in wasm-module.cc
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6153054247452672
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 5 2017
Detailed report: https://clusterfuzz.com/testcase?key=6104298315579392
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !it.done() in wasm-module.cc
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6104298315579392
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 17 2017
Issue 744320 has been merged into this issue.
Aug 24 2017
Sep 16 2017
ClusterFuzz has detected this issue as fixed in range 48037:48038.
Detailed report: https://clusterfuzz.com/testcase?key=6621460897726464
Job Type: linux_asan_d8_dbg
Crash Type: CHECK failure
Crash Address:
Crash State:
  !it.done() in wasm-module.cc
  v8::internal::wasm::UnwrapImportWrapper
  UnwrapOrCompileImportWrapper
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=44043:44044
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48037:48038
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6621460897726464
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 16 2017
ClusterFuzz testcase 6398594272985088 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 24 2017
ClusterFuzz testcase 4863300197416960 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Sep 25 2017
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 17 2017
ClusterFuzz has detected this issue as fixed in range 509045:509081.
Detailed report: https://clusterfuzz.com/testcase?key=4863300197416960
Fuzzer: inferno_js_fuzzer
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0x388e1496
Crash State:
  v8::internal::wasm::UnwrapImportWrapper
  v8::internal::wasm::InstanceBuilder::ProcessImports
  v8::internal::wasm::InstanceBuilder::Build
Sanitizer: address (ASAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=477767:477864
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=509045:509081
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4863300197416960
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 7 2017
Aug 8
This is fixed, either by the jump table or already before that.
Comment 1 by infe...@chromium.org, Jun 22 2017
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)