Ill in v8::internal::wasm::ThreadImpl::InitLocals
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4849377117208576
Fuzzer: libFuzzer_v8_wasm_async_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Ill
Crash Address: 0x0000019bf328
Crash State:
  v8::internal::wasm::ThreadImpl::InitLocals
  v8::internal::wasm::ThreadImpl::PushFrame
  v8::internal::wasm::ThreadImpl::DoCall
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=500374:500444
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4849377117208576
Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 11 2017
Looks like a wasm interpreter issue. Will have a look.
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/07f93affa712fa31cf815d7583ec9194adb4164f

commit 07f93affa712fa31cf815d7583ec9194adb4164f
Author: Andreas Haas <ahaas@chromium.org>
Date: Mon Sep 11 13:09:30 2017

[wasm] Simd locals are not allowed without --experimental-wasm-simd

The wasm validation incorrectly allowed simd locals, even without the experimental flag turned on. This was not noted in the generated code because simd opcodes were forbidden, but the interpreter could not handle these locals.

R=clemensh@chromium.org

Bug: chromium:763697
Change-Id: I11d924ac21e50bce81d0504c2c7b252105a89f80
Reviewed-on: https://chromium-review.googlesource.com/660117
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47946}

[modify] https://crrev.com/07f93affa712fa31cf815d7583ec9194adb4164f/src/wasm/function-body-decoder-impl.h
[modify] https://crrev.com/07f93affa712fa31cf815d7583ec9194adb4164f/test/mjsunit/regress/wasm/regression-648079.js
[modify] https://crrev.com/07f93affa712fa31cf815d7583ec9194adb4164f/test/mjsunit/regress/wasm/regression-702460.js
[add] https://crrev.com/07f93affa712fa31cf815d7583ec9194adb4164f/test/mjsunit/regress/wasm/regression-763697.js
[modify] https://crrev.com/07f93affa712fa31cf815d7583ec9194adb4164f/test/mjsunit/wasm/wasm-constants.js
[modify] https://crrev.com/07f93affa712fa31cf815d7583ec9194adb4164f/test/mjsunit/wasm/wasm-module-builder.js
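The validation rule the commit describes, as an added illustration that is not V8's code: a minimal decoder for the local-declaration prefix of a wasm function body that accepts a v128 local only when the SIMD feature flag is on, so the type never reaches a stage (like the interpreter's frame setup) that cannot handle it. The value-type byte encodings are the standard wasm ones; the local-count cap is an assumed limit.

```python
# Added example (not V8 code): decode the "locals" prefix of a WebAssembly
# function body and enforce the feature-flag check the fix introduced.
from typing import List, Tuple

# Value-type bytes from the WebAssembly binary format.
I32, I64, F32, F64, V128 = 0x7F, 0x7E, 0x7D, 0x7C, 0x7B
TYPE_NAMES = {I32: "i32", I64: "i64", F32: "f32", F64: "f64", V128: "v128"}
MAX_LOCALS = 50000  # assumed cap, to stop a tiny body declaring huge frames


def read_leb_u32(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode an unsigned LEB128 u32; return (value, next position)."""
    value, shift = 0, 0
    while True:
        if pos >= len(data) or shift > 28:
            raise ValueError("bad LEB128 at offset %d" % pos)
        byte = data[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if byte & 0x80 == 0:
            return value, pos
        shift += 7


def decode_locals(body: bytes, enable_simd: bool) -> List[str]:
    """Return the declared local types of a function body.

    Raises ValueError on an unknown type, on too many locals, and on a
    v128 local unless enable_simd is set. Before the fix the flag was not
    consulted here, so a v128 local passed validation and the interpreter
    later hit an unhandled type while initialising the frame's locals.
    """
    num_entries, pos = read_leb_u32(body, 0)
    locals_: List[str] = []
    for _ in range(num_entries):
        count, pos = read_leb_u32(body, pos)
        if pos >= len(body):
            raise ValueError("truncated local declaration")
        type_byte = body[pos]
        pos += 1
        if type_byte == V128 and not enable_simd:
            raise ValueError("v128 local requires the SIMD feature flag")
        if type_byte not in TYPE_NAMES:
            raise ValueError("unknown local type 0x%02x" % type_byte)
        if len(locals_) + count > MAX_LOCALS:
            raise ValueError("too many locals")
        locals_.extend([TYPE_NAMES[type_byte]] * count)
    return locals_


# Constructed sample: two i32 locals followed by one v128 local (no code).
SAMPLE_BODY = bytes([0x02, 0x02, I32, 0x01, V128])
```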
Sep 12 2017
ClusterFuzz has detected this issue as fixed in range 500940:500995.
Detailed report: https://clusterfuzz.com/testcase?key=4849377117208576
Fuzzer: libFuzzer_v8_wasm_async_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Ill
Crash Address: 0x0000019bf328
Crash State:
  v8::internal::wasm::ThreadImpl::InitLocals
  v8::internal::wasm::ThreadImpl::PushFrame
  v8::internal::wasm::ThreadImpl::DoCall
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=500374:500444
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=500940:500995
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4849377117208576
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 12 2017
ClusterFuzz testcase 4849377117208576 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Sep 11 2017
Labels: Test-Predator-Wrong-CLs M-63