Null-dereference WRITE in v8::internal::Invoke
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5182174386192384

Fuzzer: ochang_js_fuzzer_win
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Null-dereference WRITE
Crash Address: 0x00000004
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::internal::wasm::ThreadImpl::CallCodeObject

Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5182174386192384

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Nov 15 2017
Nov 16 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/22e4c4613b0dfbce98324cb6720b3f90c0e8cde0

commit 22e4c4613b0dfbce98324cb6720b3f90c0e8cde0
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Thu Nov 16 11:13:43 2017

[wasm] [interpreter] Fix interpreter-to-wasm calls

When calling the CWasmEntry in order to call from the interpreter to a wasm function, the given buffer must hold the arguments, and must also have enough space to hold the return values. We were missing the second part, hence we failed when there are no parameters, but a return.

R=ahaas@chromium.org

Bug: chromium:784125
Change-Id: I08d417cae60eea64fda8a72e898dbed9f3e88148
Reviewed-on: https://chromium-review.googlesource.com/771633
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49402}

[modify] https://crrev.com/22e4c4613b0dfbce98324cb6720b3f90c0e8cde0/src/wasm/wasm-interpreter.cc
[modify] https://crrev.com/22e4c4613b0dfbce98324cb6720b3f90c0e8cde0/test/mjsunit/wasm/interpreter.js
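The commit message above gives the root cause: the buffer handed to the interpreter-to-wasm entry was sized for the arguments only, so a function with no parameters but one return value got no buffer at all, and the callee's return-value write landed near address zero (the report's Null-dereference WRITE). The C model below is added here as an illustration and is not V8 code: the names WasmSig, buffer_size_params_only, buffer_size_params_or_returns, call_entry and run_call, the 8-byte slot size, and the layout in which return values overwrite the argument slots are all assumptions made for this example. The bounds checks in call_entry exist so the model reports the undersized buffer instead of faulting the way the real crash did.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of an interpreter-to-wasm call through one shared
 * argument/return buffer. Not V8 code: every name and size here is an
 * assumption made for the illustration. */

#define SLOT_BYTES 8u  /* assumed: each wasm value occupies one 8-byte slot */

typedef struct {
    size_t param_count;   /* values the callee reads from the buffer */
    size_t return_count;  /* values the callee writes back into the buffer */
} WasmSig;

/* Sizing policy before the fix described in the commit: room for the
 * parameters only. A signature with zero parameters yields a zero-byte
 * buffer, so a return-value write has no valid target. */
size_t buffer_size_params_only(const WasmSig *sig) {
    return sig->param_count * SLOT_BYTES;
}

/* Sizing policy after the fix: the same buffer must also hold the return
 * values, so reserve the larger of the two requirements. */
size_t buffer_size_params_or_returns(const WasmSig *sig) {
    size_t params = sig->param_count * SLOT_BYTES;
    size_t rets = sig->return_count * SLOT_BYTES;
    return params > rets ? params : rets;
}

/* Model of the entry trampoline: parameters are read from buf, then return
 * values are written into buf starting at slot 0. Every access is checked
 * against buf_len, so an undersized (or NULL) buffer yields -1 rather than
 * an out-of-bounds write. Returns 0 on success. */
int call_entry(const WasmSig *sig, uint8_t *buf, size_t buf_len) {
    for (size_t i = 0; i < sig->param_count; i++) {
        if ((i + 1) * SLOT_BYTES > buf_len) return -1;  /* param slot missing */
    }
    for (size_t i = 0; i < sig->return_count; i++) {
        /* With buf == NULL and buf_len == 0 this is the shape of the crash
         * in the report: a write through a null buffer pointer. */
        if (buf == NULL || (i + 1) * SLOT_BYTES > buf_len) return -1;
        uint64_t value = 0x1122334455667788ull + i;  /* constructed result */
        memcpy(buf + i * SLOT_BYTES, &value, SLOT_BYTES);
    }
    return 0;
}

/* Allocate a buffer under the given sizing policy, perform the call, free.
 * Returns the call_entry result, so callers can see whether the policy is
 * sufficient for the signature; -2 signals allocation failure. */
int run_call(const WasmSig *sig, size_t (*size_of)(const WasmSig *)) {
    size_t len = size_of(sig);
    uint8_t *buf = len ? (uint8_t *)calloc(len, 1) : NULL;  /* 0 bytes -> NULL */
    if (len && !buf) return -2;
    int rc = call_entry(sig, buf, len);
    free(buf);
    return rc;
}
```

The interesting case is the one the commit names: a signature with no parameters and one return. Under buffer_size_params_only the buffer is zero bytes (NULL in the model) and the first return-value write is rejected; under buffer_size_params_or_returns the same signature gets one slot and the call succeeds. Signatures with at least as many parameters as returns pass under both policies, which is why the bug only showed up for the no-parameter shape.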
Nov 16 2017
Nov 17 2017
ClusterFuzz has detected this issue as fixed in range 49401:49402.

Detailed report: https://clusterfuzz.com/testcase?key=5182174386192384

Fuzzer: ochang_js_fuzzer_win
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Null-dereference WRITE
Crash Address: 0x00000004
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::internal::wasm::ThreadImpl::CallCodeObject

Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=49401:49402

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5182174386192384

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 17 2017
ClusterFuzz testcase 5182174386192384 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mstarzinger@chromium.org, Nov 13 2017
Labels: -Pri-1 Pri-2
Owner: clemensh@chromium.org
Status: Assigned (was: Untriaged)