Null-dereference READ in v8::internal::Signature<v8::internal::MachineRepresentation>::return_count
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6089218026897408
Fuzzer: libFuzzer_v8_wasm_types_section_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Signature<v8::internal::MachineRepresentation>::return_count
  v8::internal::wasm::SignatureMap::CompareFunctionSigs::operator
  v8::internal::wasm::SignatureMap::FindOrInsert
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=509183:509189
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6089218026897408
Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 17 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/829670e16ab9761dc03d613e07d3e27385b7ab46 ([wasm] Canonicalize signatures per module at module decode time.). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Oct 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b2199faf52fe4b9e5f969e7d920f4fabf4887b43
commit b2199faf52fe4b9e5f969e7d920f4fabf4887b43
Author: Ben L. Titzer <titzer@chromium.org>
Date: Fri Oct 20 14:00:34 2017

g# Enter a description of the change.
[wasm] Fix signature canonicalization for error case.

The decoder should not attempt to insert null signatures into the SignatureMap.

R=ahaas@chromium.org
Bug: chromium:775366
Change-Id: I0fbc0547dbf00fd25d37271a03b6756481a4c6a1
Reviewed-on: https://chromium-review.googlesource.com/730752
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Ben Titzer <titzer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48793}

[modify] https://crrev.com/b2199faf52fe4b9e5f969e7d920f4fabf4887b43/src/wasm/module-decoder.cc
[add] https://crrev.com/b2199faf52fe4b9e5f969e7d920f4fabf4887b43/test/mjsunit/regress/wasm/regress-775366.js
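The crash state above (return_count reached through CompareFunctionSigs from FindOrInsert) and the fix description (do not insert null signatures) describe a call-site bug: the decoder returned a null signature on a malformed type entry and still handed it to a canonicalising map whose comparator dereferences every key. The following is an added, self-contained model of that pattern and of the fix, written for this page; it is not V8's code. The Sig, CompareSigs, SigMap, DecodeSig and DecodeTypeSection names and the byte layout of a type entry are assumptions for the example, not the wasm binary format.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <vector>

// Stand-in for v8::internal::Signature<MachineRepresentation>: a list of
// return and parameter types. Modelled for this example; not V8's class.
struct Sig {
  std::vector<uint8_t> returns;
  std::vector<uint8_t> params;
  size_t return_count() const { return returns.size(); }
  size_t parameter_count() const { return params.size(); }
};

// Comparator in the role of SignatureMap::CompareFunctionSigs. It
// dereferences both keys unconditionally, so a nullptr key becomes a
// null-dereference READ inside return_count(), the crash state in the report.
struct CompareSigs {
  bool operator()(const Sig* a, const Sig* b) const {
    if (a->return_count() != b->return_count()) return a->return_count() < b->return_count();
    if (a->parameter_count() != b->parameter_count()) return a->parameter_count() < b->parameter_count();
    if (a->returns != b->returns) return a->returns < b->returns;
    return a->params < b->params;
  }
};

// Canonicalising map: structurally identical signatures share one index.
// Like the real SignatureMap it relies on the caller never passing nullptr;
// with an empty map no comparison happens, so the null only dereferences
// once at least one valid signature is already stored.
class SigMap {
 public:
  uint32_t FindOrInsert(const Sig* sig) {
    auto it = map_.find(sig);  // comparator runs against existing entries
    if (it != map_.end()) return it->second;
    uint32_t index = static_cast<uint32_t>(map_.size());
    map_.emplace(sig, index);
    return index;
  }
  size_t size() const { return map_.size(); }

 private:
  std::map<const Sig*, uint32_t, CompareSigs> map_;
};

// Constructed byte layout for one type entry (assumption, not the real
// wasm encoding): 0x60, return_count, return types..., param_count, param types...
// Returns nullptr on a bad form byte or truncation: the decoder's error signal.
const Sig* DecodeSig(const std::vector<uint8_t>& b, size_t& pos,
                     std::vector<std::unique_ptr<Sig>>& arena) {
  auto read = [&](uint8_t& out) {
    if (pos >= b.size()) return false;
    out = b[pos++];
    return true;
  };
  uint8_t form = 0, n = 0, t = 0;
  if (!read(form) || form != 0x60) return nullptr;
  auto sig = std::make_unique<Sig>();
  if (!read(n)) return nullptr;
  for (uint8_t i = 0; i < n; ++i) {
    if (!read(t)) return nullptr;
    sig->returns.push_back(t);
  }
  if (!read(n)) return nullptr;
  for (uint8_t i = 0; i < n; ++i) {
    if (!read(t)) return nullptr;
    sig->params.push_back(t);
  }
  arena.push_back(std::move(sig));
  return arena.back().get();
}

struct TypeSection {
  bool ok = true;
  std::vector<uint32_t> canonical;  // canonical index per decoded entry
  size_t unique = 0;                // distinct signatures in the map
};

// Decodes `count` entries and canonicalises each one. The pre-fix pattern
// called FindOrInsert(sig) regardless of whether DecodeSig had failed; the
// fix is the null check below: record the error and stop before the map
// ever sees a nullptr.
TypeSection DecodeTypeSection(const std::vector<uint8_t>& bytes, size_t count) {
  TypeSection out;
  std::vector<std::unique_ptr<Sig>> arena;
  SigMap map;
  size_t pos = 0;
  for (size_t i = 0; i < count; ++i) {
    const Sig* sig = DecodeSig(bytes, pos, arena);
    if (sig == nullptr) {  // the check the decoder was missing
      out.ok = false;
      break;
    }
    out.canonical.push_back(map.FindOrInsert(sig));
  }
  out.unique = map.size();
  return out;
}

int main() {
  // Constructed inputs: two identical (i32)->(i32) entries and one ()->(),
  // then a valid entry followed by one with a bad form byte.
  std::vector<uint8_t> good = {0x60, 1, 0x7F, 1, 0x7F, 0x60, 1, 0x7F, 1, 0x7F, 0x60, 0, 0};
  std::vector<uint8_t> bad = {0x60, 1, 0x7F, 1, 0x7F, 0x41, 0, 0};
  TypeSection g = DecodeTypeSection(good, 3);
  TypeSection b = DecodeTypeSection(bad, 2);
  return (g.ok && g.unique == 2 && !b.ok && b.unique == 1) ? 0 : 1;
}
```

The `bad` input is the shape a fuzzer finds quickly: one well-formed entry so the map is non-empty, then a malformed one. Remove the null check and the comparator reads through address 0 on the second entry, which is why the sanitizer report shows return_count at the top of the stack rather than the decoder itself.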
Oct 21 2017
ClusterFuzz has detected this issue as fixed in range 510629:510646.
Detailed report: https://clusterfuzz.com/testcase?key=6089218026897408
Fuzzer: libFuzzer_v8_wasm_types_section_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Signature<v8::internal::MachineRepresentation>::return_count
  v8::internal::wasm::SignatureMap::CompareFunctionSigs::operator
  v8::internal::wasm::SignatureMap::FindOrInsert
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=509183:509189
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan&range=510629:510646
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6089218026897408
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 21 2017
ClusterFuzz testcase 6089218026897408 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 7 2017
Comment 1 by ClusterFuzz, Oct 17 2017
Labels: Test-Predator-AutoComponents