Crash in v8::internal::WasmExportedFunction::GetWasmCode
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6548966954237952

Fuzzer: ochang_js_fuzzer_win
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x2850e219
Crash State:
  v8::internal::WasmExportedFunction::GetWasmCode
  v8::internal::wasm::MakeWasmToWasmWrapper
  v8::internal::wasm::InstanceBuilder::ProcessImports

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=509045:509081

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6548966954237952

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Nov 7 2017
Thanks for the analysis! Looks like a duplicate of 775003.
Nov 17 2017
ClusterFuzz has detected this issue as fixed in range 49425:49426.

Detailed report: https://clusterfuzz.com/testcase?key=6548966954237952

Fuzzer: ochang_js_fuzzer_win
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x1f10e219
Crash State:
  v8::internal::WasmExportedFunction::GetWasmCode
  v8::internal::wasm::MakeWasmToWasmWrapper
  v8::internal::wasm::InstanceBuilder::ProcessImports

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=49425:49426

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6548966954237952

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 13 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Nov 7 2017
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
Regression range is inconclusive, requires --wasm-lazy-compilation, not sure if this is even actionable, feel free to close as WontFix. Reproduces as follows ...

$ ~/Development/v8.git/out/x64.debug/d8 --wasm-lazy-compilation clusterfuzz-testcase-minimized-6548966954237952.js

#
# Fatal error in ../../src/wasm/wasm-objects.cc, line 682
# Debug check failed: !it.done().
#

==== C stack trace ===============================

    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(v8::base::debug::StackTrace::StackTrace()+0x1e) [0x55af67f03e3e]
    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(+0x2141157) [0x55af67eff157]
    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(V8_Fatal(char const*, int, char const*, ...)+0x1bd) [0x55af67eedbad]
    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(+0x212f62f) [0x55af67eed62f]
    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(V8_Dcheck(char const*, int, char const*)+0x32) [0x55af67eedc02]
    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(v8::internal::WasmExportedFunction::GetWasmCode()+0x214) [0x55af67b06354]
    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(+0x1cbd884) [0x55af67a7b884]
    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(+0x1cbd793) [0x55af67a7b793]
    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(v8::internal::wasm::InstanceBuilder::ProcessImports(v8::internal::Handle<v8::internal::FixedArray>, v8::internal::Handle<v8::internal::WasmInstanceObject>)+0x59d) [0x55af67a75fbd]
    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(v8::internal::wasm::InstanceBuilder::Build()+0x11e0) [0x55af67a68e50]
    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(v8::internal::wasm::SyncInstantiate(v8::internal::Isolate*, v8::internal::wasm::ErrorThrower*, v8::internal::Handle<v8::internal::WasmModuleObject>, v8::internal::MaybeHandle<v8::internal::JSReceiver>, v8::internal::MaybeHandle<v8::internal::JSArrayBuffer>)+0xa2) [0x55af67a677a2]
    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(+0x1d39d98) [0x55af67af7d98]
    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(+0x1d36f59) [0x55af67af4f59]
    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&))+0xeb) [0x55af66bfa90b]
    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(+0xfa27ed) [0x55af66d607ed]
    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(+0xfa16fe) [0x55af66d5f6fe]
    /usr/local/google/home/mstarzinger/Development/v8.git/out/x64.debug/d8(v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*)+0xdd) [0x55af66d5f42d]
    [0x266111a85204]

Received signal 4 ILL_ILLOPN 55af67ef6da1
Illegal instruction (core dumped)
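The crash state and the C stack trace above both run through InstanceBuilder::ProcessImports into MakeWasmToWasmWrapper and then WasmExportedFunction::GetWasmCode, which is the instantiation path V8 takes when an import supplied to WebAssembly.Instance is itself a function exported by another wasm instance (as opposed to a plain JS function, which gets a JS-to-wasm import wrapper). The following is an added example, not the ClusterFuzz reproducer and not code from the tracker or from V8: two hand-assembled modules, constructed for this example, where module A exports f(x) = x + 1 and module B imports it under the assumed names "m"."f" and exports g(x), which calls the import. Instantiating B with a.exports.f drives the wasm-to-wasm wrapper path; instantiating it with an arrow function drives the JS import path. Both calls return the same result, so the example also shows the two paths are behaviourally interchangeable from the caller's side.

```javascript
// Added example (not from the tracker, V8, or the ClusterFuzz testcase).
// Module A and module B are hand-assembled wasm binaries constructed here;
// the module/field names "m" and "f" are assumptions for this example.

// Module A: (func (export "f") (param i32) (result i32) local.get 0 i32.const 1 i32.add)
const MODULE_A = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic + version 1
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f, // type section: one type (i32) -> i32
  0x03, 0x02, 0x01, 0x00,                         // function section: one func of type 0
  0x07, 0x05, 0x01, 0x01, 0x66, 0x00, 0x00,       // export section: "f" = func 0
  0x0a, 0x09, 0x01, 0x07, 0x00,                   // code section: one body, no locals
  0x20, 0x00, 0x41, 0x01, 0x6a, 0x0b,             //   local.get 0; i32.const 1; i32.add; end
]);

// Module B: (import "m" "f" (func (param i32) (result i32)))
//           (func (export "g") (param i32) (result i32) local.get 0 call 0)
const MODULE_B = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // magic + version 1
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f,       // type section: one type (i32) -> i32
  0x02, 0x07, 0x01, 0x01, 0x6d, 0x01, 0x66, 0x00, 0x00, // import section: "m"."f" as func of type 0
  0x03, 0x02, 0x01, 0x00,                               // function section: one defined func (index 1)
  0x07, 0x05, 0x01, 0x01, 0x67, 0x00, 0x01,             // export section: "g" = func 1
  0x0a, 0x08, 0x01, 0x06, 0x00,                         // code section: one body, no locals
  0x20, 0x00, 0x10, 0x00, 0x0b,                         //   local.get 0; call 0 (the import); end
]);

// Instantiate module B with the given value as its "m"."f" import and call g(x).
// ProcessImports runs during the WebAssembly.Instance construction here.
function callG(importedF, x) {
  const modB = new WebAssembly.Module(MODULE_B);
  const instB = new WebAssembly.Instance(modB, { m: { f: importedF } });
  return instB.exports.g(x);
}

// wasm-to-wasm import: the import is another instance's exported function, so
// instantiation goes ProcessImports -> MakeWasmToWasmWrapper -> GetWasmCode.
function callThroughWasmImport(x) {
  const instA = new WebAssembly.Instance(new WebAssembly.Module(MODULE_A));
  return callG(instA.exports.f, x);
}

// JS import: the import is an ordinary JS function; no WasmExportedFunction is
// involved, so the wasm-to-wasm wrapper is never built.
function callThroughJsImport(x) {
  return callG((v) => v + 1, x);
}

console.log('via wasm exported function:', callThroughWasmImport(41)); // 42
console.log('via JS function:           ', callThroughJsImport(41));   // 42
```

The script runs unmodified under node or d8. To exercise the lazily compiled variant of this path, which Comment 1 says the original crash requires, run it in d8 with the `--wasm-lazy-compilation` flag named there; the example is not expected to crash, since the minimized reproducer is only available through the ClusterFuzz download link above.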