Issue metadata
Sign in to add a comment
|
DCHECK failure in total_offset == offset_table->get_int(kOTESize * left) in wasm-objects.cc |
||||||||||||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5976562116853760 Fuzzer: mbarbella_js_mutation Job Type: windows_asan_d8_dbg Platform Id: windows Crash Type: DCHECK failure Crash Address: Crash State: total_offset == offset_table->get_int(kOTESize * left) in wasm-objects.cc v8::platform::PrintStackTrace v8::internal::WasmSharedModuleData::GetSourcePosition Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=49375:49376 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5976562116853760 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Jan 6 2018
,
Jan 6 2018
This is a lookup error in the asm.js source position table. Will take a look.
,
Jan 8 2018
,
Jan 9 2018
This also reproduces on linux, for different stack sizes. The minimized test case fails e.g. for --stack-size=40. The problem is that the stack check in a loop header fires, in a function without function-entry stack check. The loop header stack check does not have a source position associated though. Working on a fix.
,
Jan 9 2018
,
Jan 9 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/54cb64ac94e86472d581728906681b6f1ea9bb00 commit 54cb64ac94e86472d581728906681b6f1ea9bb00 Author: Clemens Hammacher <clemensh@chromium.org> Date: Tue Jan 09 13:56:28 2018 [asm] Store source position for all loops Loop headers contain a stack check in wasm, hence an exception can be thrown at the position of the loop instruction. This means that for asm.js, we need to store a source position for each loop instruction. R=mstarzinger@chromium.org Bug: chromium:799690 Change-Id: I129abef11461992e2f10af8e6afc28ce1cf83341 Reviewed-on: https://chromium-review.googlesource.com/856338 Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#50443} [modify] https://crrev.com/54cb64ac94e86472d581728906681b6f1ea9bb00/src/asmjs/asm-parser.cc [add] https://crrev.com/54cb64ac94e86472d581728906681b6f1ea9bb00/test/mjsunit/regress/regress-799690.js
,
Jan 9 2018
,
Jan 9 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 9 2018
As this can result in an out-of-bounds read from a FixedArray, I suggest backmerging this to 64.
,
Jan 9 2018
This bug requires manual review: We are only 13 days from stable. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 9 2018
,
Jan 9 2018
This will hit Canary tonight. Let's wait until tomorrow to verify the change in Canary, and then we can decide on merge.
,
Jan 10 2018
ClusterFuzz has detected this issue as fixed in range 50442:50444. Detailed report: https://clusterfuzz.com/testcase?key=5976562116853760 Fuzzer: mbarbella_js_mutation Job Type: windows_asan_d8_dbg Platform Id: windows Crash Type: DCHECK failure Crash Address: Crash State: total_offset == offset_table->get_int(kOTESize * left) in wasm-objects.cc v8::platform::PrintStackTrace v8::internal::WasmSharedModuleData::GetSourcePosition Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=49375:49376 Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=50442:50444 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5976562116853760 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 10 2018
ClusterFuzz testcase 5976562116853760 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jan 11 2018
,
Jan 11 2018
abdulsyed@ - good for 64
,
Jan 12 2018
Approving merge for M64. Branch:3282
,
Jan 16 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/a9dee2e298a0869d3db1e9075f53c4ba4867ab0c commit a9dee2e298a0869d3db1e9075f53c4ba4867ab0c Author: Clemens Hammacher <clemensh@chromium.org> Date: Tue Jan 16 09:41:54 2018 Merged: [asm] Store source position for all loops Loop headers contain a stack check in wasm, hence an exception can be thrown at the position of the loop instruction. This means that for asm.js, we need to store a source position for each loop instruction. R=mstarzinger@chromium.org Bug: chromium:799690 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true Change-Id: I4b095d81becae9cd218f068cbeeb8a5d24f8e341 Reviewed-on: https://chromium-review.googlesource.com/867850 Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/branch-heads/6.4@{#59} Cr-Branched-From: 0407506af3d9d7e2718be1d8759296165b218fcf-refs/heads/6.4.388@{#1} Cr-Branched-From: a5fc4e085ee543cb608eb11034bc8f147ba388e1-refs/heads/master@{#49724} [modify] https://crrev.com/a9dee2e298a0869d3db1e9075f53c4ba4867ab0c/src/asmjs/asm-parser.cc [add] https://crrev.com/a9dee2e298a0869d3db1e9075f53c4ba4867ab0c/test/mjsunit/regress/regress-799690.js
,
Jan 16 2018
,
Mar 27 2018
,
Mar 31 2018
,
Apr 17 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||
Comment 1 by ClusterFuzz
, Jan 6 2018Owner: rmcilroy@chromium.org
Status: Assigned (was: Untriaged)