Issue metadata
CHECK failure: len->ToUint32(&int_l) in builtins-typedarray.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4807813510725632
Fuzzer: v8_builtins_generator
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: len->ToUint32(&int_l) in builtins-typedarray.cc
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=499264:499268
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4807813510725632

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Comment 1 by sheriffbot@chromium.org, Sep 3 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 3 2017
This looks like it came in with https://chromium.googlesource.com/v8/v8/+/7d60f78ac7fac85857edad9f0a1a58717a0f0410 ?
Sep 4 2017
Bisects to 71ac9e0eee8c8ef53a058d853f63662d9346c7fa, still Franzi :)
Sep 4 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/f31af9746ee1481837f31a8d02150917b501c9d7

commit f31af9746ee1481837f31a8d02150917b501c9d7
Author: Franziska Hinkelmann <franzih@chromium.org>
Date: Mon Sep 04 13:11:42 2017

[builtins] Throw when setting typed arrays from large sources

When setting a typed array from an array-like object, the length of the source can only be converted to a uint32 if it is not too large.

Bug: v8:6704, chromium:761654
Change-Id: I8f89aa348093d8bd4d54aa16d6b5f255d3cb7adc
Reviewed-on: https://chromium-review.googlesource.com/648976
Commit-Queue: Franziska Hinkelmann <franzih@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47798}

[modify] https://crrev.com/f31af9746ee1481837f31a8d02150917b501c9d7/src/builtins/builtins-typedarray.cc
[modify] https://crrev.com/f31af9746ee1481837f31a8d02150917b501c9d7/test/mjsunit/es6/typedarray.js
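The commit message above describes the failure class in one sentence: the `length` of an array-like source is coerced to a number, and the old builtin converted it to a uint32 with a CHECK instead of a range test, so a length above 2^32 - 1 aborted the process. The block below is an added illustration, not code from the bug thread or from V8's sources. `toLength` follows the ECMAScript ToLength abstract operation; `checkedSourceLength` is my model of the validation the fix performs (uint32 fit, then target-bounds fit), with error messages of my own choosing; `engineRejectsLargeSource` probes the running engine to confirm that `%TypedArray%.prototype.set` now rejects such a source with a `RangeError` rather than crashing.

```javascript
// Added example, not V8 code: a model of the length validation that
// TypedArray.prototype.set must apply to a plain array-like source, plus
// a probe of the running engine's behaviour on the same inputs.

const UINT32_MAX = 0xFFFFFFFF; // largest value representable as uint32

// ECMAScript ToLength: NaN / negative / non-numeric -> 0, clamp to 2^53 - 1.
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(n, Number.MAX_SAFE_INTEGER);
}

// Model of the post-fix check (messages are my own, not V8's):
//  1. the coerced source length must fit in a uint32, otherwise the old
//     code path hit the CHECK reported in this bug;
//  2. length + offset must fit inside the target (the spec's RangeError).
// Returns the number of elements that would be copied, or throws RangeError.
function checkedSourceLength(arrayLike, targetLength, offset = 0) {
  const len = toLength(arrayLike.length);
  if (len > UINT32_MAX) {
    throw new RangeError('source length does not fit in uint32');
  }
  if (len + offset > targetLength) {
    throw new RangeError('source is too large for the target');
  }
  return len;
}

// Probe the engine: does set() with an array-like of the given length
// throw a RangeError (the behaviour the fix describes) instead of crashing?
// Returns true only if a RangeError is thrown; false if the call succeeds.
function engineRejectsLargeSource(length) {
  try {
    new Uint8Array(1).set({ length });
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

// Stand-alone usage: a small source copies, a 2^32-element source is rejected.
console.log(checkedSourceLength({ length: 3 }, 8));        // 3
console.log(engineRejectsLargeSource(2 ** 32));            // true on a fixed engine
```

On any engine carrying the fix (or any spec-conformant engine) the probe returns `true` for `2 ** 32`: the length is validated before a single element is read, so no memory is touched. The model check is what a fuzzing harness or a regression test can assert against without depending on the engine's exact error message.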
Sep 5 2017
CF can't verify since we just moved to standalone builds; yay to not building inside chromium src for these job types. Previously it used to be only asan, now it includes everything, thanks to Michael.
Sep 5 2017
@inferno: I didn't rewire the jobs yet, or did you? + I thought you said we'd migrate the old test cases in a way that fixed verification + regression detection works? Otherwise, I had the suggestion of having a separate job type in parallel for a while. And keeping the old around just for fixed-testing...
Sep 5 2017
I rewrote the jobs, also for these non-asan job types; it was only 1-2 testcases, migrated them all. Most of them don't reproduce on trunk since you guys fix bugs too fast. But I verified that the job works with a hello world upload, e.g.
https://clusterfuzz.com/v2/testcase-detail/6190225239048192?noredirect=1
https://clusterfuzz.com/v2/testcase-detail/5987181733871616?noredirect=1
Sep 6 2017
ClusterFuzz testcase 5473829379112960 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 13 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot