Issue metadata
Sign in to add a comment
|
CHECK failure: dest_data + dest_byte_length <= source_data || source_data + source_byte_length |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5716860493627392 Fuzzer: mbarbella_js_mutation Job Type: windows_asan_d8_dbg Platform Id: windows Crash Type: CHECK failure Crash Address: Crash State: dest_data + dest_byte_length <= source_data || source_data + source_byte_length v8::platform::PrintStackTrace v8::internal::TypedElementsAccessor<v8::internal::ElementsKind::UINT8_ELEMENTS,u Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=49642:49643 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5716860493627392 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Dec 7 2017
Working around broken clusterfuzz credential / switch account system..
,
Dec 7 2017
,
Dec 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b3009ccbc9b1ebafe395b84ff34c3b1d35f27538 commit b3009ccbc9b1ebafe395b84ff34c3b1d35f27538 Author: jgruber <jgruber@chromium.org> Date: Thu Dec 07 15:53:12 2017 [typedarray] Fix signed-ness of pointer comparisons While the affect values must be valid addresses & thus will not overflow the IntPtr type, they need to be interpreted as unsigned in comparisons. Bug: chromium:792549 , v8:7123 , v8:3590 Change-Id: I864b50c8dbdc297d70bf83c74a83cc466c5f3eb0 Reviewed-on: https://chromium-review.googlesource.com/814395 Commit-Queue: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Cr-Commit-Position: refs/heads/master@{#49937} [modify] https://crrev.com/b3009ccbc9b1ebafe395b84ff34c3b1d35f27538/src/builtins/builtins-typedarray-gen.cc
,
Dec 8 2017
ClusterFuzz has detected this issue as fixed in range 49936:49937. Detailed report: https://clusterfuzz.com/testcase?key=5716860493627392 Fuzzer: mbarbella_js_mutation Job Type: windows_asan_d8_dbg Platform Id: windows Crash Type: CHECK failure Crash Address: Crash State: dest_data + dest_byte_length <= source_data || source_data + source_byte_length v8::platform::PrintStackTrace v8::internal::TypedElementsAccessor<v8::internal::ElementsKind::UINT8_ELEMENTS,u Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=49642:49643 Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=49936:49937 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5716860493627392 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Dec 8 2017
ClusterFuzz testcase 5716860493627392 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Dec 8 2017
Thanks Peter for the quick review. hablich@ FYI, this affects 63 and 64. The bug results in a CHECK crash when incorrectly dispatching to to a signed integer overflow. We should probably merge to 64, not so sure about 63 since the outcome is a controlled CHECK crash. Wdyt?
,
Dec 8 2017
This bug requires manual review: Request affecting a post-stable build Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 8 2017
,
Dec 8 2017
+awhalley@ (Security TPM)
,
Dec 9 2017
Your change meets the bar and is auto-approved for M64. Please go ahead and merge the CL to branch 3282 manually. Please contact milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Dec 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/ede86021cecc75081885d8f0b7aaadbbcce3ae02 commit ede86021cecc75081885d8f0b7aaadbbcce3ae02 Author: jgruber <jgruber@chromium.org> Date: Mon Dec 11 11:37:46 2017 Merged: [typedarray] Fix signed-ness of pointer comparisons While the affect values must be valid addresses & thus will not overflow the IntPtr type, they need to be interpreted as unsigned in comparisons. NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true TBR=petermarshall@chromium.org Bug: chromium:792549 , v8:7123 , v8:3590 Change-Id: I864b50c8dbdc297d70bf83c74a83cc466c5f3eb0 Reviewed-on: https://chromium-review.googlesource.com/814395 Commit-Queue: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#49937}(cherry picked from commit b3009ccbc9b1ebafe395b84ff34c3b1d35f27538) Reviewed-on: https://chromium-review.googlesource.com/818345 Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/branch-heads/6.4@{#7} Cr-Branched-From: 0407506af3d9d7e2718be1d8759296165b218fcf-refs/heads/6.4.388@{#1} Cr-Branched-From: a5fc4e085ee543cb608eb11034bc8f147ba388e1-refs/heads/master@{#49724} [modify] https://crrev.com/ede86021cecc75081885d8f0b7aaadbbcce3ae02/src/builtins/builtins-typedarray-gen.cc
,
Dec 11 2017
,
Dec 11 2017
Re #7: Low risk merge, so let's go with 6.3 too.
,
Dec 11 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/f010f332b2808eee60949fa9b628a3cf0b29cbb7 commit f010f332b2808eee60949fa9b628a3cf0b29cbb7 Author: jgruber <jgruber@chromium.org> Date: Mon Dec 11 15:46:46 2017 Merged: [typedarray] Fix signed-ness of pointer comparisons While the affected values must be valid addresses & thus will not overflow the IntPtr type, they need to be interpreted as unsigned int comparisons. NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true TBR=petermarshall@chromium.org Bug: chromium:792549 , v8:7123 , v8:3590 Change-Id: I864b50c8dbdc297d70bf83c74a83cc466c5f3eb0 Reviewed-on: https://chromium-review.googlesource.com/814395 Commit-Queue: Peter Marshall <petermarshall@chromium.org> Reviewed-by: Peter Marshall <petermarshall@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#49937}(cherry picked from commit b3009ccbc9b1ebafe395b84ff34c3b1d35f27538) Reviewed-on: https://chromium-review.googlesource.com/819690 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/branch-heads/6.3@{#101} Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1} Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432} [modify] https://crrev.com/f010f332b2808eee60949fa9b628a3cf0b29cbb7/src/builtins/builtins-typedarray-gen.cc
,
Dec 11 2017
,
Mar 16 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 1 2018
|
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ClusterFuzz
, Dec 6 2017Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)