Crash in v8::internal::SafepointTable::PrintEntry
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5517362349735936

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x7f591cca5b0d
Crash State:
  v8::internal::SafepointTable::PrintEntry
  v8::internal::Code::Disassemble
  v8::internal::compiler::WasmCompilationUnit::FinishLiftoffCompilation

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49974:49975

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5517362349735936

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Dec 11 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/f3897c7e9e643f639a8772c31087b9f4d98eaeb3 ([wasm] cleanup after https://crrev.com/c/802322). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Dec 12 2017
CCing Clemens since Liftoff is in the stack trace.
Dec 12 2017
Unfortunately, I haven't yet been able to get a repro. The reproducer isn't working and I haven't found the right build configuration and runtime arguments to get this to fail. I'll keep trying though.
Dec 12 2017
Taking this one, it's a liftoff bug.
Dec 12 2017
Thanks!
Dec 13 2017
Liftoff is not shipped. No security implications.
Dec 13 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/5760d76ef701dfd9fc97e92ad2eb4a88a38361fa

commit 5760d76ef701dfd9fc97e92ad2eb4a88a38361fa
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Wed Dec 13 14:10:10 2017

[Liftoff] Attach source positions and safepoint info

So far we generated source positions and safepoint information, but we never actually attached it to the generated code objects. This CL adds that.

R=titzer@chromium.org

Bug: v8:6600, chromium:793694
Change-Id: I8f4c6d8752f4c31a1df51c4893c262ea5925f3b5
Reviewed-on: https://chromium-review.googlesource.com/824266
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50077}

[modify] https://crrev.com/5760d76ef701dfd9fc97e92ad2eb4a88a38361fa/src/compiler/wasm-compiler.cc
[modify] https://crrev.com/5760d76ef701dfd9fc97e92ad2eb4a88a38361fa/src/compiler/wasm-compiler.h
[modify] https://crrev.com/5760d76ef701dfd9fc97e92ad2eb4a88a38361fa/src/wasm/baseline/liftoff-compiler.cc

Dec 14 2017
ClusterFuzz has detected this issue as fixed in range 50076:50077.

Detailed report: https://clusterfuzz.com/testcase?key=5517362349735936

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x7f591cca5b0d
Crash State:
  v8::internal::SafepointTable::PrintEntry
  v8::internal::Code::Disassemble
  v8::internal::compiler::WasmCompilationUnit::FinishLiftoffCompilation

Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49974:49975
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50076:50077

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5517362349735936

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Dec 14 2017
ClusterFuzz testcase 5517362349735936 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 1 by ClusterFuzz, Dec 11 2017
Labels: Test-Predator-Auto-Components