Issue metadata
Sign in to add a comment
|
Use-after-poison in parameter_count |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5827211323244544 Fuzzer: ochang_js_fuzzer Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: Use-after-poison READ 8 Crash Address: 0x6250000ac958 Crash State: parameter_count v8::internal::compiler::WasmGraphBuilder::WasmGraphBuilder v8::internal::compiler::CompileCWasmEntry Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49507:49508 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5827211323244544 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Nov 22 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/3380e9a4d92a67881c4ff9d83e6d7d5b85a79750 (Reland "[wasm] Unify deoptimization data"). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
,
Nov 22 2017
,
Nov 23 2017
,
Nov 23 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/0bc1b967f2b91779abf1f5b209ac1b4114dfe4c6 commit 0bc1b967f2b91779abf1f5b209ac1b4114dfe4c6 Author: Clemens Hammacher <clemensh@chromium.org> Date: Thu Nov 23 12:33:51 2017 [wasm] [interpreter] Fix cross-instance indirect calls The existing access to the signatures is plain wrong. This CL fixes this. Note that cross-instance indirect calls are only enabled since a few days (https://crrev.com/c/778159), which is why this bug was not detected before. R=titzer@chromium.org Bug: chromium:787910 Change-Id: Iaac4d1d85840c921eb8554c5094933ec8d987802 Reviewed-on: https://chromium-review.googlesource.com/787312 Reviewed-by: Ben Titzer <titzer@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#49607} [modify] https://crrev.com/0bc1b967f2b91779abf1f5b209ac1b4114dfe4c6/src/wasm/wasm-interpreter.cc [modify] https://crrev.com/0bc1b967f2b91779abf1f5b209ac1b4114dfe4c6/test/mjsunit/wasm/interpreter.js
,
Nov 23 2017
,
Nov 23 2017
,
Nov 24 2017
ClusterFuzz has detected this issue as fixed in range 49606:49607. Detailed report: https://clusterfuzz.com/testcase?key=5827211323244544 Fuzzer: ochang_js_fuzzer Job Type: linux_asan_d8_dbg Platform Id: linux Crash Type: Use-after-poison READ 8 Crash Address: 0x6250000ac958 Crash State: parameter_count v8::internal::compiler::WasmGraphBuilder::WasmGraphBuilder v8::internal::compiler::CompileCWasmEntry Sanitizer: address (ASAN) Recommended Security Severity: High Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49507:49508 Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49606:49607 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5827211323244544 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 24 2017
ClusterFuzz testcase 5827211323244544 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Mar 1 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 28
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ClusterFuzz
, Nov 22 2017Labels: Test-Predator-Auto-Components