Issue metadata
Null-dereference READ in v8::internal::OptimizedFrame::receiver
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5229764796481536
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::OptimizedFrame::receiver
  v8::internal::JavaScriptFrame::Print
  PrintFrames
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49094:49095
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5229764796481536

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Nov 4 2017
Nov 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/fd150c79884f4ae522dd5c80350e90f4d8a7a2ba

commit fd150c79884f4ae522dd5c80350e90f4d8a7a2ba
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Sat Nov 04 12:06:31 2017

[turbofan] Generate the correct bounds when the array protector isn't valid.

The condition for bounds check generation was not in sync with the condition that was used for the actual access, which led to invalid memory accesses when the array protector was invalid.

Tbr: tebbi@chromium.org
Bug: chromium:781506, chromium:781494, chromium:781457, chromium:781285, chromium:781381, chromium:781380, v8:6936, v8:7014, v8:7027
Change-Id: Ia5b2ad02940292572ed9b37abd3f9ffaa6d7a26b
Reviewed-on: https://chromium-review.googlesource.com/753590
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49124}

[modify] https://crrev.com/fd150c79884f4ae522dd5c80350e90f4d8a7a2ba/src/compiler/js-native-context-specialization.cc
[add] https://crrev.com/fd150c79884f4ae522dd5c80350e90f4d8a7a2ba/test/mjsunit/regress/regress-crbug-781506-1.js
[add] https://crrev.com/fd150c79884f4ae522dd5c80350e90f4d8a7a2ba/test/mjsunit/regress/regress-crbug-781506-2.js
[add] https://crrev.com/fd150c79884f4ae522dd5c80350e90f4d8a7a2ba/test/mjsunit/regress/regress-crbug-781506-3.js
Nov 5 2017
ClusterFuzz has detected this issue as fixed in range 49123:49124.

Detailed report: https://clusterfuzz.com/testcase?key=5229764796481536
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::OptimizedFrame::receiver
  v8::internal::JavaScriptFrame::Print
  PrintFrames
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49094:49095
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49123:49124
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5229764796481536

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 7 2017
Comment 1 by ClusterFuzz, Nov 3 2017
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)