Issue 783595

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Abrt in _int_malloc

Project Member Reported by ClusterFuzz, Nov 10 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5373443263692800

Fuzzer: ochang_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x03e900004dc5
Crash State:
  _int_malloc
  void v8::internal::wasm::AsyncCompileJob::NextStep<v8::internal::wasm::AsyncComp
  DoSync<v8::internal::wasm::AsyncCompileJob::FinishCompile>
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=48565:48566

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5373443263692800

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Nov 10 2017

Components: Blink>JavaScript>WebAssembly
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Cc: clemensh@chromium.org
Owner: ahaas@chromium.org
Status: Assigned (was: Untriaged)
The "second stack trace" reveals a debug check failure in the streaming decoder:
#
# Fatal error in ../../src/wasm/streaming-decoder.cc, line 68
# Debug check failed: cursor - bytes.get() + buffer->length() <= total_size_ (36 vs. 22).
#

Assigning to Andreas.

Comment 3 by bugdroid1@chromium.org (Project Member), Nov 15 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/0ef8da266474ab7ddc610d6531be22c0dc35c077

commit 0ef8da266474ab7ddc610d6531be22c0dc35c077
Author: Andreas Haas <ahaas@chromium.org>
Date: Wed Nov 15 12:42:54 2017

[wasm] Check code section bytes in the streaming decoder

The streaming decoder allocates the whole section buffer of the code
section when it reads the section length of the code section. Therefore
we have to check that the different parts of the code section actually
use all the bytes, and that the different parts of the code section do
not need more bytes than available. The check that all bytes are used
was missing in the case where the code section contained zero functions.

In addition, this CL adds some tracing to the streaming decoder which
may be useful in future debugging.

R=clemensh@chromium.org

Bug: chromium:783595
Change-Id: Icf056c25a3000b4a08a791939dab0ccde9fc3f80
Reviewed-on: https://chromium-review.googlesource.com/768788
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49380}
[modify] https://crrev.com/0ef8da266474ab7ddc610d6531be22c0dc35c077/src/wasm/streaming-decoder.cc
[modify] https://crrev.com/0ef8da266474ab7ddc610d6531be22c0dc35c077/test/unittests/wasm/streaming-decoder-unittest.cc
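
As an added example (not V8's streaming-decoder code and not part of the commit above), the following C++ checker applies the two invariants the commit message describes to a constructed WebAssembly code-section payload: no part of the section may need more bytes than the section length declares, and after the last function body, including the zero-function case the fix addresses, every declared byte must have been consumed. The names ValidateCodeSection, CodeSectionStatus, ReadVarU32 and the sample byte strings are this example's own assumptions.

```cpp
// Added example, not V8's streaming-decoder code: a minimal checker for the
// payload of a WebAssembly code section. `section` is exactly the byte range
// the section-length field announced (what the streaming decoder allocates
// up front), so the checker can verify that the parts inside neither overrun
// it nor leave it partly unused.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum class CodeSectionStatus {
  kOk,             // every declared byte is used by exactly one part
  kTrailingBytes,  // the parts used fewer bytes than the section declares
  kTruncated,      // a part needs more bytes than the section provides
  kBadLeb          // an unsigned LEB128 length is longer than 5 bytes
};

// Reads an unsigned LEB128 u32 starting at `*cursor` and advances `*cursor`
// past it. Running off `end` mid-value is reported as kTruncated.
static CodeSectionStatus ReadVarU32(const uint8_t** cursor, const uint8_t* end,
                                    uint32_t* out) {
  uint32_t result = 0;
  for (size_t i = 0; i < 5; ++i) {
    if (*cursor + i >= end) return CodeSectionStatus::kTruncated;
    uint8_t byte = (*cursor)[i];
    result |= static_cast<uint32_t>(byte & 0x7f) << (7 * i);
    if ((byte & 0x80) == 0) {
      *cursor += i + 1;
      *out = result;
      return CodeSectionStatus::kOk;
    }
  }
  return CodeSectionStatus::kBadLeb;
}

CodeSectionStatus ValidateCodeSection(const std::vector<uint8_t>& section) {
  const uint8_t* cursor = section.data();
  const uint8_t* end = cursor + section.size();

  uint32_t num_functions = 0;
  CodeSectionStatus status = ReadVarU32(&cursor, end, &num_functions);
  if (status != CodeSectionStatus::kOk) return status;

  for (uint32_t i = 0; i < num_functions; ++i) {
    uint32_t body_size = 0;
    status = ReadVarU32(&cursor, end, &body_size);
    if (status != CodeSectionStatus::kOk) return status;
    // Invariant 1: a function body may not need more bytes than remain.
    if (body_size > static_cast<size_t>(end - cursor)) {
      return CodeSectionStatus::kTruncated;
    }
    cursor += body_size;
  }

  // Invariant 2: after the last body (and just as much when there is no body
  // at all, the case the fix addresses) every declared byte must be used.
  if (cursor != end) return CodeSectionStatus::kTrailingBytes;
  return CodeSectionStatus::kOk;
}

// Constructed sample payloads (assumed for this example, not taken from the
// ClusterFuzz testcase).
// Two empty bodies: count=2, then twice {size=2, locals=0, end opcode 0x0b}.
const std::vector<uint8_t> kTwoEmptyFunctions = {0x02, 0x02, 0x00, 0x0b,
                                                 0x02, 0x00, 0x0b};
// count=0 followed by two bytes the section declared but nothing consumes.
const std::vector<uint8_t> kZeroFunctionsWithTrailing = {0x00, 0x00, 0x0b};
// count=1, body claims 16 bytes but only 2 remain.
const std::vector<uint8_t> kBodyOverrunsSection = {0x01, 0x10, 0x00, 0x0b};

int main() {
  std::printf("%d %d %d\n",
              static_cast<int>(ValidateCodeSection(kTwoEmptyFunctions)),
              static_cast<int>(ValidateCodeSection(kZeroFunctionsWithTrailing)),
              static_cast<int>(ValidateCodeSection(kBodyOverrunsSection)));
  return 0;
}
```

The second invariant is the one that matters for a decoder that allocates the section buffer from the declared length before it has seen any function: with a function count of zero the loop body never runs, so the check that the cursor reached the end of the section has to sit after the loop, not inside it.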

Comment 4 by ClusterFuzz (Project Member), Nov 16 2017

ClusterFuzz has detected this issue as fixed in range 49379:49380.

Detailed report: https://clusterfuzz.com/testcase?key=5373443263692800

Fuzzer: ochang_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: Abrt
Crash Address: 0x03e900004dc5
Crash State:
  _int_malloc
  void v8::internal::wasm::AsyncCompileJob::NextStep<v8::internal::wasm::AsyncComp
  DoSync<v8::internal::wasm::AsyncCompileJob::FinishCompile>
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=48565:48566
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=49379:49380

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5373443263692800

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 5 by ClusterFuzz (Project Member), Nov 16 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5373443263692800 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.