DCHECK failure in dst == src in liftoff-assembler.cc

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6165942894854144

Fuzzer: libFuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  dst == src in liftoff-assembler.cc
  v8::internal::wasm::StackTransferRecipe::TransferStackSlot
  v8::internal::wasm::LiftoffAssembler::MergeStackWith

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=529156:529160

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6165942894854144

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Jan 16 2018

Automatically adding ccs based on suspected regression changelists:

[Liftoff] Implement i32.rol and i32.ror by clemensh@chromium.org - https://chromium.googlesource.com/v8/v8/+/6ce09628d65cc9a59bf506a7b30b97276c1dcd56
[Liftoff] Also disassemble code on the native heap by clemensh@chromium.org - https://chromium.googlesource.com/v8/v8/+/8cf7223fb15d41bb40de3acdb6fb358ca469cb41

If this is incorrect, please apply the Test-Predator-Wrong-CLs label.
Jan 16 2018

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Jan 16 2018

Problem identified, CL on its way: https://crrev.com/c/868022
Jan 16 2018

Liftoff is off by default, so no security implications.
Jan 17 2018

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/cb903d803eba1c539e180037ecb642a650ebc219

commit cb903d803eba1c539e180037ecb642a650ebc219
Author: Clemens Hammacher <clemensh@chromium.org>
Date: Wed Jan 17 09:41:04 2018

[Liftoff] Fix registers spilling

The method {SpillAllRegisters} should really just spill registers, and not also constants. Also, since more code is inlined into that method now, we can optimize it to update register use counters only once in the end, since no used register should be left after executing this method.

R=titzer@chromium.org

Bug: v8:6600, chromium:802244
Change-Id: I737a1a87f8e912151062224952c4f5dffd43f802
Reviewed-on: https://chromium-review.googlesource.com/868022
Reviewed-by: Ben Titzer <titzer@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50644}

[modify] https://crrev.com/cb903d803eba1c539e180037ecb642a650ebc219/src/wasm/baseline/liftoff-assembler.cc
[modify] https://crrev.com/cb903d803eba1c539e180037ecb642a650ebc219/src/wasm/baseline/liftoff-assembler.h
[add] https://crrev.com/cb903d803eba1c539e180037ecb642a650ebc219/test/mjsunit/regress/wasm/regress-802244.js
Jan 18 2018

ClusterFuzz has detected this issue as fixed in range 529739:529747.

Detailed report: https://clusterfuzz.com/testcase?key=6165942894854144

Fuzzer: libFuzzer_v8_wasm_code_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  dst == src in liftoff-assembler.cc
  v8::internal::wasm::StackTransferRecipe::TransferStackSlot
  v8::internal::wasm::LiftoffAssembler::MergeStackWith

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=529156:529160
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=529739:529747

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6165942894854144

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 18 2018

ClusterFuzz testcase 6165942894854144 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.