V8 correctness failure in configs: x64,ignition:ia32,ignition
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5266495017058304
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:ia32,ignition
  sources: a4c
Sanitizer: address (ASAN)
Regressed: V8: 44115:44116
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5266495017058304

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 10 2017
Needs better mocking.
Jul 12 2017
This is actually a spec-violation on our side:

22.2.4.4 TypedArray ( object )
...
9. Let len be ? ToLength(? Get(arrayLike, "length")).

7.1.15 ToLength ( argument )
...
2. If len ≤ +0, return +0.

So we should actually accept all negative values and produce a TypedArray with length 0.
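An added example, not code from the bug thread or from V8: a small re-implementation of the ToLength steps cited above, followed by a differential check of the TypedArray constructor against it (the same kind of spec-versus-engine comparison a correctness fuzzer makes), using the reduced repro value from comment 1 and other values ToLength must clamp. Function and variable names are my own.

```javascript
// ES 7.1.15 ToLength(argument): NaN, -0 and every negative value map to +0;
// the upper bound is 2^53 - 1. Step 2 is the clause quoted in the thread.
function toLength(argument) {
  let len = Number(argument);               // ToNumber
  if (Number.isNaN(len)) return 0;
  len = Math.trunc(len);                    // ToInteger: drop the fraction
  if (len <= 0) return 0;                   // "If len <= +0, return +0"
  return Math.min(len, Number.MAX_SAFE_INTEGER);
}

// Construct from an array-like with the given `length` property (the path the
// reduced repro takes) and report what the engine did, including a throw.
function constructFromArrayLike(Ctor, length) {
  const arrayLike = { length };
  try {
    return { ok: true, length: new Ctor(arrayLike).length };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Differential check: spec-derived expectation versus engine result.
// `consistent` is false when the engine disagrees with the spec. A RangeError
// is tolerated only for lengths the engine may be unable to allocate, never
// for a length that ToLength already clamps to 0 (the bug in this thread).
function checkLength(Ctor, length) {
  const expected = toLength(length);
  const actual = constructFromArrayLike(Ctor, length);
  const consistent = actual.ok
    ? actual.length === expected
    : expected > 0 && actual.error === "RangeError";
  return { length, expected, actual, consistent };
}

// Constructed sample inputs: the repro value -1073741825 = -(2^30) - 1, which
// lies just outside the 31-bit ia32 Smi range but inside the x64 one (hence
// the two configs disagreeing), plus other values ToLength clamps or converts.
const SAMPLE_LENGTHS = [-1073741825, -1, -0, NaN, 3.7, "4", 5];

function runChecks(Ctor = Uint8ClampedArray) {
  return SAMPLE_LENGTHS.map((len) => checkLength(Ctor, len));
}
```

On an engine with the fix, every record returned by runChecks() has consistent === true; an engine with the old behaviour reports the repro value as a RangeError with expected 0.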
Jul 13 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/d11da5891fd3d3790c99ef104174c513c5e3af1e

commit d11da5891fd3d3790c99ef104174c513c5e3af1e
Author: Peter Marshall <petermarshall@chromium.org>
Date: Thu Jul 13 06:43:53 2017

[builtins] Allow TypedArray constructor to accept big negative numbers.

Previously we enforced that all lengths for ArrayLike objects must be within Smi range, but all negative numbers should actually be first converted to +0.

Bug: chromium:740372
Change-Id: If50de9ce0eeb7cb09e14b8e8803f434350d00508
Reviewed-on: https://chromium-review.googlesource.com/566867
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46615}

[modify] https://crrev.com/d11da5891fd3d3790c99ef104174c513c5e3af1e/src/code-stub-assembler.cc
[modify] https://crrev.com/d11da5891fd3d3790c99ef104174c513c5e3af1e/test/mjsunit/es6/typedarray-construct-by-array-like.js
Jul 13 2017
machenbach@, not sure what you mean by mocking with proxies.
Jul 13 2017
ClusterFuzz has detected this issue as fixed in range 46614:46615.

Detailed report: https://clusterfuzz.com/testcase?key=5266495017058304
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:ia32,ignition
  sources: a4c
Sanitizer: address (ASAN)
Regressed: V8: 44115:44116
Fixed: V8: 46614:46615
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5266495017058304

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 13 2017
ClusterFuzz testcase 5266495017058304 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 13 2017
If a real problem was fixed, then my comment is rather obsolete. I talked about improving this code. Maybe you can cast an eye on it if it's still valid:
https://cs.chromium.org/chromium/src/v8/tools/foozzie/v8_mock.js?q=foozzie/&sq=package:chromium&l=90
and
https://cs.chromium.org/chromium/src/v8/tools/foozzie/v8_mock_archs.js?l=13
Comment 1 by machenb...@chromium.org, Jul 10 2017
Owner: machenb...@chromium.org
Status: Assigned (was: Untriaged)
Reduced repro:

new Uint8ClampedArray({length: -1073741825});

Got somehow triggered by https://chromium-review.googlesource.com/c/456707/

Now has a RangeError on ia32. I tried to mock this out with proxies. Seems it's still not sufficient.