New issue
Advanced search Search tips

Issue 784125 link

Starred by 1 user
Status: Verified
Owner:
clemensh@chromium.org
Closed: Nov 2017
Cc:
adamk@chromium.org
titzer@chromium.org
dschuff@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug



Sign in to add a comment

Null-dereference WRITE in v8::internal::Invoke

Project Member Reported by ClusterFuzz, Nov 11 2017 
Detailed report: https://clusterfuzz.com/testcase?key=5182174386192384

Fuzzer: ochang_js_fuzzer_win
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Null-dereference WRITE
Crash Address: 0x00000004
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::internal::wasm::ThreadImpl::CallCodeObject
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5182174386192384

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by mstarzinger@chromium.org, Nov 13 2017

Components: -Blink>JavaScript Blink>JavaScript>WebAssembly
Labels: -Pri-1 Pri-2
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)
Requires --wasm-interpret-all to reproduce.

Comment 2 by clemensh@chromium.org, Nov 15 2017

Status: Started (was: Assigned)
Project Member

Comment 3 by bugdroid1@chromium.org, Nov 16 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/22e4c4613b0dfbce98324cb6720b3f90c0e8cde0

commit 22e4c4613b0dfbce98324cb6720b3f90c0e8cde0
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Thu Nov 16 11:13:43 2017

[wasm] [interpreter] Fix interpreter-to-wasm calls

When calling the CWasmEntry in order to call from the interpreter to a
wasm function, the given buffer must hold the arguments, and must also
have enough space to hold the return values. We were missing the second
part, hence we failed when there are no parameters, but a return.

R=ahaas@chromium.org

Bug:  chromium:784125 
Change-Id: I08d417cae60eea64fda8a72e898dbed9f3e88148
Reviewed-on: https://chromium-review.googlesource.com/771633
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49402}
[modify] https://crrev.com/22e4c4613b0dfbce98324cb6720b3f90c0e8cde0/src/wasm/wasm-interpreter.cc
[modify] https://crrev.com/22e4c4613b0dfbce98324cb6720b3f90c0e8cde0/test/mjsunit/wasm/interpreter.js

Comment 4 by clemensh@chromium.org, Nov 16 2017

Status: Fixed (was: Started)
Project Member

Comment 5 by ClusterFuzz, Nov 17 2017 

ClusterFuzz has detected this issue as fixed in range 49401:49402.

Detailed report: https://clusterfuzz.com/testcase?key=5182174386192384

Fuzzer: ochang_js_fuzzer_win
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Null-dereference WRITE
Crash Address: 0x00000004
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::internal::wasm::ThreadImpl::CallCodeObject
  
Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=49401:49402

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5182174386192384

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Nov 17 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5182174386192384 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment