Null-dereference READ in Clear
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5773498781007872

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  Clear
  v8::internal::wasm::AsyncStreamingProcessor::FinishAsyncCompileJobWithError
  v8::internal::wasm::AsyncStreamingProcessor::OnError

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50114:50115

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5773498781007872

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
,
Jan 24 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/3ca114725fba6984501b71630b0f27a5aedaa2d3 ([wasm] Do not start background tasks after compilation is finished). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
,
Jan 24 2018
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/3121ffeb55f21d1f0d7afa8143e3acd02c999386

commit 3121ffeb55f21d1f0d7afa8143e3acd02c999386
Author: Andreas Haas <ahaas@chromium.org>
Date: Wed Jan 24 17:03:03 2018

[wasm][streaming] Only clear the compilation_unit_builder_ if it exists

The CompilationUnitBuilder of the StreamingProcessor is cleared when an error occurs in the streaming decoder. The clearing of the CompilationUnitBuilder was guarded by the existence of the ModuleCompiler, because this ModuleCompiler and the CompilationUnitBuilder are created together. However, the CompilationUnitBuilder is reset when the next section after the code section is processed, whereas the ModuleCompiler exists until the end of the AsyncCompileJob. With this CL the clearing of the CompilationUnitBuilder is also guarded by its own existence.

R=clemensh@chromium.org

Bug: chromium:805346
Change-Id: I0e9e9eaff9239fadb21c0f17990da61cbfaa6856
Reviewed-on: https://chromium-review.googlesource.com/883527
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50844}
[modify] https://crrev.com/3121ffeb55f21d1f0d7afa8143e3acd02c999386/src/wasm/module-compiler.cc
[modify] https://crrev.com/3121ffeb55f21d1f0d7afa8143e3acd02c999386/test/cctest/wasm/test-streaming-compilation.cc
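As an added illustration of the lifetime mismatch the commit message above describes (this is not V8's code; the class, member and function names below are hypothetical stand-ins), here is a minimal C++ model of a streaming processor whose two helper objects are created together but released at different points, with the error path written once as it was before the fix and once with the builder's own existence as an extra guard:

```cpp
// Added example, not V8's code: a minimal model of the object-lifetime
// mismatch fixed by the commit above. All names here are hypothetical.
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

// Created together with the builder, but lives until the whole async job ends.
struct ModuleCompiler {
  std::vector<std::string> finished_units;
};

// Created together with the compiler, but released as soon as the section
// after the code section is reached.
struct CompilationUnitBuilder {
  std::vector<std::string> pending_units;
  void Clear() { pending_units.clear(); }
};

class StreamingProcessor {
 public:
  // Code section: both objects come into existence at the same time.
  void OnCodeSection(std::vector<std::string> units) {
    compiler_ = std::make_unique<ModuleCompiler>();
    builder_ = std::make_unique<CompilationUnitBuilder>();
    builder_->pending_units = std::move(units);
  }

  // Next section: the builder is no longer needed and is reset, while the
  // compiler stays alive. This is where the two lifetimes diverge.
  void OnSectionAfterCode() { builder_.reset(); }

  // Before the fix: guarding on compiler_ alone assumes the two objects are
  // always alive together. After OnSectionAfterCode() that assumption is false
  // and builder_->Clear() dereferences a null pointer (the ASan report above).
  // Kept only to show the pattern; never call it in that state.
  void FinishWithErrorBuggy() {
    if (compiler_) builder_->Clear();
  }

  // After the fix: Clear() is additionally guarded by the builder's own
  // existence. Returns whether anything was cleared so the path is testable.
  bool FinishWithErrorFixed() {
    if (compiler_ && builder_) {
      builder_->Clear();
      return true;
    }
    return false;
  }

  bool HasCompiler() const { return compiler_ != nullptr; }
  bool HasBuilder() const { return builder_ != nullptr; }
  std::size_t PendingUnits() const {
    return builder_ ? builder_->pending_units.size() : 0;
  }

 private:
  std::unique_ptr<ModuleCompiler> compiler_;
  std::unique_ptr<CompilationUnitBuilder> builder_;
};

// Scenario 1: the decoder reports an error while the code section is still
// being processed; the builder exists and its pending units are cleared.
bool ErrorDuringCodeSection() {
  StreamingProcessor p;
  p.OnCodeSection({"f0", "f1"});
  bool cleared = p.FinishWithErrorFixed();
  return cleared && p.PendingUnits() == 0;
}

// Scenario 2: the error arrives after the builder was reset but while the
// compiler is still alive. This is the crashing state; the fixed path is a
// no-op instead of a null dereference.
bool ErrorAfterCodeSection() {
  StreamingProcessor p;
  p.OnCodeSection({"f0"});
  p.OnSectionAfterCode();
  bool cleared = p.FinishWithErrorFixed();
  return !cleared && p.HasCompiler() && !p.HasBuilder();
}

int main() {
  return (ErrorDuringCodeSection() && ErrorAfterCodeSection()) ? 0 : 1;
}
```

The general lesson the model makes visible is that "created together" is not the same as "destroyed together": an error handler that can run at any point of a streaming pipeline has to guard each object it touches on that object's own state, not on a sibling's.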
,
Jan 25 2018
ClusterFuzz has detected this issue as fixed in range 50843:50844.

Detailed report: https://clusterfuzz.com/testcase?key=5773498781007872

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  Clear
  v8::internal::wasm::AsyncStreamingProcessor::FinishAsyncCompileJobWithError
  v8::internal::wasm::AsyncStreamingProcessor::OnError

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50114:50115
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50843:50844

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5773498781007872

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 25 2018
ClusterFuzz testcase 5773498781007872 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jan 29 2018
,
Jan 30 2018
Your change meets the bar and is auto-approved for M65. Please go ahead and merge the CL to branch 3325 manually. Please contact milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 30 2018
Pls merge your change to M65 branch 3325 ASAP so we can pick it up for next M65 dev release. Thank you.
,
Jan 31 2018
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/0f2a23207379fb09ab694b29e731459fb6fc2c4c

commit 0f2a23207379fb09ab694b29e731459fb6fc2c4c
Author: Andreas Haas <ahaas@chromium.org>
Date: Wed Jan 31 09:19:23 2018

Merged: [wasm][streaming] Only clear the compilation_unit_builder_ if it exists

Revision: 3121ffeb55f21d1f0d7afa8143e3acd02c999386

BUG= chromium:805346
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=clemensh@chromium.org

Change-Id: I45db1efbb28877a8b93d92e96d19d8681e2a563c
Reviewed-on: https://chromium-review.googlesource.com/894525
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.5@{#15}
Cr-Branched-From: 73c55f57fe8506011ff854b15026ca765b669700-refs/heads/6.5.254@{#1}
Cr-Branched-From: 594a1a0b6e551397cfdf50870f6230da34db2dc8-refs/heads/master@{#50664}
[modify] https://crrev.com/0f2a23207379fb09ab694b29e731459fb6fc2c4c/src/wasm/module-compiler.cc
[modify] https://crrev.com/0f2a23207379fb09ab694b29e731459fb6fc2c4c/test/cctest/wasm/test-streaming-compilation.cc
,
Jan 31 2018
Comment 1 by ClusterFuzz, Jan 24 2018
Labels: Test-Predator-Auto-Components