Null-dereference READ in v8::internal::ProducedPreParsedScopeData::parent
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5847011181199360

Fuzzer: libFuzzer_v8_script_parser_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::ProducedPreParsedScopeData::parent
  v8::internal::PreParser::BuildParameterInitializationBlock
  v8::internal::ParserBase<v8::internal::PreParser>::ParseFunctionBody
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=499528:499539

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5847011181199360

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 6 2017
Reproduces in d8:

#
# Fatal error in ../../src/parsing/preparser.cc, line 379
# Debug check failed: (produced_preparsed_scope_data_) != nullptr.
#

Bisects to 36d703778ccd0d2777e0d4b69ed6e65e39a9f521 ([parser] Tentatively enable FLAG_preparser_scope_analysis).
Sep 7 2017
Issue 762158 has been merged into this issue.
Sep 7 2017
Sep 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/566e972395978dd365c54e6a5f2e4d652f7ef802

commit 566e972395978dd365c54e6a5f2e4d652f7ef802
Author: Marja Hölttä <marja@chromium.org>
Date: Thu Sep 07 21:18:12 2017

[parser] Skipping inner funcs: Fix bailout.

When the bailout triggered, we assumed we're generating data (i.e., we're inside a non-arrow function). This is not true; it's possible that we're already inside an arrow function and not generating data anyway.

BUG=v8:5516, chromium:761980
Change-Id: Iad9c8dde283031630953ef9a46c1e68bc0cee048
Reviewed-on: https://chromium-review.googlesource.com/655081
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47905}

[modify] https://crrev.com/566e972395978dd365c54e6a5f2e4d652f7ef802/src/parsing/preparser.cc
[modify] https://crrev.com/566e972395978dd365c54e6a5f2e4d652f7ef802/test/mjsunit/skipping-inner-functions-bailout.js
Sep 9 2017
ClusterFuzz has detected this issue as fixed in range 500577:500599.

Detailed report: https://clusterfuzz.com/testcase?key=5847011181199360

Fuzzer: libFuzzer_v8_script_parser_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::ProducedPreParsedScopeData::parent
  v8::internal::PreParser::BuildParameterInitializationBlock
  v8::internal::ParserBase<v8::internal::PreParser>::ParseFunctionBody
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=499528:499539
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=500577:500599

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5847011181199360

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 10 2017
ClusterFuzz testcase 4653823351324672 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Sep 5 2017
Labels: Test-Predator-Wrong-CLs M-63