New issue
Advanced search Search tips

Issue 763532 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 2
Type: Bug



Sign in to add a comment

CHECK failure: deopt_data->get(1)->ToInt32(&index) in wasm-interpreter.cc

Project Member Reported by ClusterFuzz, Sep 8 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6411325311025152

Fuzzer: inferno_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  deopt_data->get(1)->ToInt32(&index) in wasm-interpreter.cc
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=47909:47910

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6411325311025152

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by sheriffbot@chromium.org, Sep 9 2017

Labels: M-62
Project Member

Comment 2 by sheriffbot@chromium.org, Sep 9 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 3 by sheriffbot@chromium.org, Sep 9 2017

Labels: Pri-1
Project Member

Comment 4 by sheriffbot@chromium.org, Sep 10 2017

Labels: -Security_Impact-Head Security_Impact-Beta
Components: -Blink>JavaScript Blink>JavaScript>WebAssembly
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam -Security_Severity-High -ReleaseBlock-Stable Type-Bug
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
Requires --wasm-interpret-all, will lower priority. Also, no security implications.
Project Member

Comment 6 by ClusterFuzz, Sep 13 2017

Labels: OS-Windows
Project Member

Comment 7 by ClusterFuzz, Sep 19 2017

Labels: Stability-Memory-AddressSanitizer
Detailed report: https://clusterfuzz.com/testcase?key=4913975304388608

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  deopt_data->get(1)->ToInt32(&index) in wasm-interpreter.cc
  v8::internal::wasm::UnwrapWasmToJSWrapper
  v8::internal::wasm::ThreadImpl::CallExternalJSFunction
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=47909:47910

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4913975304388608

See https://github.com/google/clusterfuzz-tools for more information.
Labels: -Pri-1 Pri-2
Project Member

Comment 9 by ClusterFuzz, Oct 1 2017

Components: Blink>JavaScript>Runtime
Labels: Test-Predator-AutoComponents
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Components: -Blink>JavaScript>Runtime
Labels: -Test-Predator-AutoComponents Test-Predator-Wrong
Project Member

Comment 11 by ClusterFuzz, Oct 17 2017

ClusterFuzz has detected this issue as fixed in range 48580:48581.

Detailed report: https://clusterfuzz.com/testcase?key=4913975304388608

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  deopt_data->get(1)->ToInt32(&index) in wasm-interpreter.cc
  v8::internal::wasm::UnwrapWasmToJSWrapper
  v8::internal::wasm::ThreadImpl::CallExternalJSFunction
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=47909:47910
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=48580:48581

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4913975304388608

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 12 by ClusterFuzz, Oct 17 2017

ClusterFuzz has detected this issue as fixed in range 48580:48581.

Detailed report: https://clusterfuzz.com/testcase?key=6411325311025152

Fuzzer: inferno_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  deopt_data->get(1)->ToInt32(&index) in wasm-interpreter.cc
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=47909:47910
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=48580:48581

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6411325311025152

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 13 by ClusterFuzz, Oct 17 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4913975304388608 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment