DCHECK failure in !has_pending_exception() in isolate.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5476983193731072

Fuzzer: libFuzzer_v8_regexp_parser_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  !has_pending_exception() in isolate.cc
  v8::internal::Isolate::Throw
  Throw<v8::internal::Object>

Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5476983193731072

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. If the fix resolved the issue, please close the bug by marking as Fixed.

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Aug 10 2017
And the official CF sheriff is OOO; assigning to the V8 triage sheriff.
Aug 10 2017
Aug 11 2017
Aug 11 2017
Security impact head, as for UNREPRODUCIBLE (actually, unreliably reproducible) bugs. Should you divine an answer to the issue by code inspection, please determine how far back the issue goes and set impact appropriately.
Aug 12 2017
Aug 23 2017
Same range as https://clusterfuzz.com/v2/testcase-detail/5354029789216768
Aug 24 2017
+yangguo +jgruber
This looks like a bug in the regexp fuzzer.
There is a call to {Isolate::clear_pending_exception} (https://cs.chromium.org/chromium/src/v8/test/fuzzer/regexp.cc?q=regexp.cc&sq=package:chromium&dr&l=69), but maybe this is not the only location where that is required?
Aug 24 2017
Doesn't repro in v8_simple_regexp_fuzzer, tentative fix in flight: https://chromium-review.googlesource.com/c/v8/v8/+/632176
Aug 25 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/2d8a3c823ad66b34302c7c1390e9dab6f0572874

commit 2d8a3c823ad66b34302c7c1390e9dab6f0572874
Author: jgruber <jgruber@chromium.org>
Date: Fri Aug 25 07:09:23 2017

[regexp] In fuzzer, clear exception after failed string creation

Tentative fix for the CF crashes in https://crbug.com/754422 .

Bug: chromium:754422
Change-Id: I0dcb6b8860cb0bf20b3566ffba08e6772398ee65
Reviewed-on: https://chromium-review.googlesource.com/632176
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47591}

[modify] https://crrev.com/2d8a3c823ad66b34302c7c1390e9dab6f0572874/test/fuzzer/regexp.cc
Aug 28 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/3dbc04f72fe0895d8b3e51f4767c0e9b89054399

commit 3dbc04f72fe0895d8b3e51f4767c0e9b89054399
Author: jgruber <jgruber@chromium.org>
Date: Mon Aug 28 08:15:07 2017

[regexp] Propagate exception to TryCatch in fuzzer

TryCatch only clears the pending exception if it has been propagated through OptionalRescheduleException.

This is another tentative fix for https://crbug.com/754422 .

Bug: chromium:754422
Change-Id: Ifbbeed8ef44131a0a010ac6bde3adbbf9fb4c4af
Reviewed-on: https://chromium-review.googlesource.com/637305
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47634}

[modify] https://crrev.com/3dbc04f72fe0895d8b3e51f4767c0e9b89054399/test/fuzzer/regexp.cc
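The two mechanisms discussed above, clearing the pending exception after a failed string creation (comment of Aug 24 and the first CL) and the fact that a TryCatch only clears the pending exception once it has been rescheduled into it (the commit message above), as an added toy model in C++. This is not V8 code and not the fuzzer in test/fuzzer/regexp.cc: the Isolate and TryCatch names are borrowed for readability, while their bodies, the failure rules of the two fuzzer steps and the four-input corpus are constructed for the example.

```cpp
// Added toy model of the invariant behind this DCHECK. Not V8 code and not the
// fuzzer in test/fuzzer/regexp.cc: names are borrowed from V8 for readability,
// bodies are hypothetical stand-ins, and the failure rules and corpus are made up.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

struct DCheckFailure : std::runtime_error { using std::runtime_error::runtime_error; };

// Stand-in for v8::internal::Isolate: one "pending exception" slot.
class Isolate {
 public:
  bool has_pending_exception() const { return has_pending_; }
  void clear_pending_exception() { has_pending_ = false; }
  // Models DCHECK(!has_pending_exception()) at the top of Isolate::Throw:
  // throwing while another exception is still pending is a caller bug.
  void Throw(const std::string& what) {
    if (has_pending_) throw DCheckFailure("DCHECK failure in !has_pending_exception()");
    has_pending_ = true;
    pending_ = what;
  }
  // Models handing the pending exception to the innermost TryCatch. Only this
  // hand-off clears the slot; merely leaving a TryCatch scope does not.
  void OptionalRescheduleException(bool clear_exception) {
    if (!has_pending_) return;
    if (try_catch_caught_) *try_catch_caught_ = true;
    if (clear_exception) clear_pending_exception();
  }
  void set_try_catch(bool* caught_flag) { try_catch_caught_ = caught_flag; }
 private:
  bool has_pending_ = false;
  std::string pending_;
  bool* try_catch_caught_ = nullptr;
};

// Stand-in for v8::TryCatch: an RAII scope that learns of an exception only
// when one is rescheduled into it, and never touches the pending slot itself.
class TryCatch {
 public:
  explicit TryCatch(Isolate* isolate) : isolate_(isolate) { isolate_->set_try_catch(&caught_); }
  ~TryCatch() { isolate_->set_try_catch(nullptr); }
  bool HasCaught() const { return caught_; }
 private:
  Isolate* isolate_;
  bool caught_ = false;
};

// The two fuzzer steps as "throw on bad input", with constructed rules: string
// creation fails above 8 bytes, compilation fails on an unbalanced '('. Both
// return false and leave the exception pending, like V8's MaybeHandle APIs.
bool NewStringFromBytes(Isolate* isolate, const std::string& data) {
  if (data.size() <= 8) return true;
  isolate->Throw("RangeError: Invalid string length");
  return false;
}
bool CompileRegExp(Isolate* isolate, const std::string& pattern) {
  int depth = 0;
  for (char c : pattern) depth += (c == '(') - (c == ')');
  if (depth == 0) return true;
  isolate->Throw("SyntaxError: Unterminated group");
  return false;
}

// Harness before the fixes: bail out after a failed string creation without
// clearing, and never reschedule a compile error into the TryCatch.
bool UnfixedIteration(Isolate* isolate, const std::string& input) {
  TryCatch try_catch(isolate);
  if (!NewStringFromBytes(isolate, input)) return false;  // exception stays pending
  CompileRegExp(isolate, input);                          // exception stays pending
  return try_catch.HasCaught();
}

// Harness after both fixes: clear after failed string creation (crrev 2d8a3c8)
// and reschedule into the TryCatch after the compile (crrev 3dbc04f).
bool FixedIteration(Isolate* isolate, const std::string& input) {
  TryCatch try_catch(isolate);
  if (!NewStringFromBytes(isolate, input)) {
    isolate->clear_pending_exception();
    return false;
  }
  CompileRegExp(isolate, input);
  isolate->OptionalRescheduleException(true);
  return try_catch.HasCaught();
}

// Runs a corpus through one persistent isolate, as libFuzzer does across inputs.
// dcheck_index: input on which the modeled DCHECK fired, or -1; caught: number of
// iterations whose TryCatch observed a rescheduled exception.
struct Result { int dcheck_index; int caught; };
template <typename Iteration>
Result RunCorpus(Iteration iteration, const std::vector<std::string>& corpus) {
  Isolate isolate;
  Result r{-1, 0};
  for (std::size_t i = 0; i < corpus.size(); ++i) {
    try { if (iteration(&isolate, corpus[i])) ++r.caught; }
    catch (const DCheckFailure&) { r.dcheck_index = static_cast<int>(i); break; }
  }
  return r;
}

// Constructed corpus: over-long input, clean input, bad pattern, clean input.
const std::vector<std::string> kCorpus = {"aaaaaaaaaaaaaaaa", "abc", "(abc", "abc"};
Result RunUnfixed() { return RunCorpus(UnfixedIteration, kCorpus); }
Result RunFixed() { return RunCorpus(FixedIteration, kCorpus); }
```

Over this corpus the unfixed harness trips the modeled DCHECK on the third input, not on the first one that left an exception pending, which is the shape of a crash ClusterFuzz sees frequently but cannot reproduce from a single testcase; the fixed harness runs the whole corpus clean and its TryCatch observes exactly the one rescheduled compile error.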
Aug 29 2017
The crashes are still happening, and still no local repro unfortunately. I'm landing a CL that will hopefully help flush this out.
Aug 29 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/7770b1d119f922a1648e2fbdb07cb205acb5ab83

commit 7770b1d119f922a1648e2fbdb07cb205acb5ab83
Author: jgruber <jgruber@chromium.org>
Date: Tue Aug 29 15:10:30 2017

[regexp] Additional checks to flush out fuzzer crash

Crashes are still happening despite tentative fixes, but unfortunately without a local repro. This adds a couple of additional checks to help flush out the root cause.

TBR=yangguo@chromium.org

Bug: chromium:754422
Change-Id: Ib3c8a2e0271fc724a4351ce6aec8298cf520a20a
Reviewed-on: https://chromium-review.googlesource.com/640691
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47684}

[modify] https://crrev.com/7770b1d119f922a1648e2fbdb07cb205acb5ab83/src/regexp/jsregexp.cc
[modify] https://crrev.com/7770b1d119f922a1648e2fbdb07cb205acb5ab83/test/fuzzer/regexp.cc
Sep 4 2017
CF sheriffs FYI: the additional checks have probably changed the crash signature. I'll close this one for now (WontFix, since nothing has actually been fixed, but this is still something we want to fix once the new crashes come in).
Dec 11 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tsepez@chromium.org, Aug 10 2017. Owner: clemensh@chromium.org