CHECK failure: *instance == wasm::GetOwningWasmInstance(*caller_code) in wasm-module.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4850576155475968
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  *instance == wasm::GetOwningWasmInstance(*caller_code) in wasm-module.cc
  v8::internal::wasm::CompileLazy
  __RT_impl_Runtime_WasmCompileLazy
Sanitizer: address (ASAN)
Regressed: V8: 44043:44044
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4850576155475968

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 7 2017
Jul 7 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 11 2017
A friendly reminder that the M61 branch is coming soon on 07/20! Your bug is labelled as Stable ReleaseBlock, please make sure to land the fix ASAP to trunk. This way we branch M61 from a high quality trunk. Thank you.
Jul 13 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/485786b43a5d3eb0e737b319ea196244eb913d82

commit 485786b43a5d3eb0e737b319ea196244eb913d82
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Thu Jul 13 09:35:36 2017

[wasm] Fix wrong DCHECK

It's ok that the instance of the called code object is different from the caller instance. This happens if one instance calls an exported function of another instance.

R=ahaas@chromium.org

Bug: chromium:739768
Change-Id: I6afa8332a9b33fe32e9332cdca573053f058421d
Reviewed-on: https://chromium-review.googlesource.com/568494
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46624}

[modify] https://crrev.com/485786b43a5d3eb0e737b319ea196244eb913d82/src/wasm/wasm-module.cc
[add] https://crrev.com/485786b43a5d3eb0e737b319ea196244eb913d82/test/mjsunit/regress/wasm/regression-739768.js
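The commit message above names the situation the removed DCHECK wrongly rejected: one WebAssembly instance calling an exported function of another instance. The following is an added example written for this page; it is not the project's regression test (test/mjsunit/regress/wasm/regression-739768.js, whose contents the page does not show). It hand-assembles two modules with constructed bytes: A exports `f`, and B imports A's `f` under the constructed names `a`/`f` and calls it from its own exported `g`. Calling `g` before `f` has ever been called directly means the first entry into A's code comes from a caller owned by a different instance. It runs as-is under Node.js; the DCHECK itself would only have fired in a debug V8 build predating the fix with lazy compilation in use, and the page gives no flags for that, so none are assumed here.

```javascript
// Added example (constructed modules, not the project's regression test):
// instance B's exported `g` calls instance A's exported `f`, the
// cross-instance call described in the fix commit.

// Module A: (func (export "f") (param i32) (result i32)
//             local.get 0  i32.const 1  i32.add)
const MODULE_A_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic + version
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f, // type section: (i32) -> i32
  0x03, 0x02, 0x01, 0x00,                         // function section: one func of type 0
  0x07, 0x05, 0x01, 0x01, 0x66, 0x00, 0x00,       // export section: "f" = func 0
  0x0a, 0x09, 0x01, 0x07, 0x00,                   // code section: one body, no locals
  0x20, 0x00, 0x41, 0x01, 0x6a, 0x0b,             //   local.get 0; i32.const 1; i32.add; end
]);

// Module B: (import "a" "f" (func (param i32) (result i32)))
//           (func (export "g") (param i32) (result i32)
//             local.get 0  call 0  i32.const 40  i32.add)
const MODULE_B_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // magic + version
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f,       // type section: (i32) -> i32
  0x02, 0x07, 0x01, 0x01, 0x61, 0x01, 0x66, 0x00, 0x00, // import section: "a"."f" as func 0
  0x03, 0x02, 0x01, 0x00,                               // function section: one func of type 0
  0x07, 0x05, 0x01, 0x01, 0x67, 0x00, 0x01,             // export section: "g" = func 1
  0x0a, 0x0b, 0x01, 0x09, 0x00,                         // code section: one body, no locals
  0x20, 0x00, 0x10, 0x00, 0x41, 0x28, 0x6a, 0x0b,       //   local.get 0; call 0; i32.const 40; i32.add; end
]);

// Sanity check that the hand-assembled bytes are well-formed modules.
function validateModules() {
  return WebAssembly.validate(MODULE_A_BYTES) && WebAssembly.validate(MODULE_B_BYTES);
}

// Instantiate A and B as two separate instances. B's import is satisfied by
// the function object A exported, so a call to B.g enters A.f from code that
// belongs to instance B, not to A.
function buildInstances() {
  const instA = new WebAssembly.Instance(new WebAssembly.Module(MODULE_A_BYTES));
  const instB = new WebAssembly.Instance(new WebAssembly.Module(MODULE_B_BYTES), {
    a: { f: instA.exports.f },
  });
  return { instA, instB };
}

// Call through B first, before A.f has been called directly, so that the
// first execution of A.f is triggered by a caller in another instance
// (in an engine that compiles lazily, that is also when A.f gets compiled).
function callAcrossInstances(x) {
  const { instB } = buildInstances();
  return instB.exports.g(x);
}

console.log("B.g(1) ->", callAcrossInstances(1)); // A.f(1) = 2, then + 40
```

The two modules are built from raw bytes so the example needs no assembler; each section is annotated with the text-format equivalent it encodes. Swapping A for a second instance of the same module bytes would exercise the same cross-instance path, since what matters is that the callee's owning instance differs from the caller's.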
Jul 13 2017
Fixed. It was just a wrong DCHECK, so no security implications. Removing labels.
Jul 14 2017
ClusterFuzz has detected this issue as fixed in range 46623:46624.

Detailed report: https://clusterfuzz.com/testcase?key=4850576155475968
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  *instance == wasm::GetOwningWasmInstance(*caller_code) in wasm-module.cc
  v8::internal::wasm::CompileLazy
  __RT_impl_Runtime_WasmCompileLazy
Sanitizer: address (ASAN)
Regressed: V8: 44043:44044
Fixed: V8: 46623:46624
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4850576155475968

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by infe...@chromium.org
Jul 6 2017
Components: -Blink>JavaScript Blink>JavaScript>WebAssembly
Labels: Pri-1
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)